May 26, 2003 - Volume 2, Number 5
Four Techniques Of Authentication
by Mark Altenbernd
You may have seen the cartoon several years ago – I don’t
remember exactly where I saw it, but most likely it was in The
New Yorker – that featured two dogs. One was sitting on
the floor in typical dog-like fashion, looking up at his friend,
who was seated in a swivel desk chair before a computer, his
paw on the mouse. This second dog looks down at his friend on
the floor and says, “On the Internet, nobody knows you’re
a dog.”
Indeed. Nobody knows who anybody is because the Internet was designed
as an anonymous and stateless environment. People arrive at your
Web site, say “Please show me this page,” and expect
that you will comply. And you probably will comply, as long as
the page they request contains information that you want everyone
to know: what your products and services are, how long you’ve
been in business, who your clients are, how to get in touch with
you, and so on.
But what if the anonymous visitor asks for sensitive information,
such as his account balance or medical history? He identifies
himself – “I am Ferrell Katz!” – and
asks for all his personal information. How do you know it’s
really Ferrell Katz? How do you know it’s not just a dog?
What should you do?
Well, what you should do is authenticate the visitor, make him
prove he’s really Ferrell Katz. How should you do that?
There are several ways to effect authentication, and in this
article we will look at 4 of them.
Note that none of them is the ultimate solution to all authentication
problems. Each situation is unique and requires a bit of analysis
to determine which is best and most appropriate under current
circumstances.
The Factors Of Authentication
When you seek to authenticate your user, you want to prove that
he is for real, the authentic Ferrell Katz. The way to do
that is to associate with him, or perhaps get from him, something
that is unique to him, that only he could be, or know, or
have.
There are three different kinds of things that can help determine
the authenticity of a visitor. These things are widely known as “factors”,
and they are generally described as “something you are”, “something
you know”, and “something you have”.
Something You Are
This factor comprises the field of biometrics, the measures of
life. When you meet someone, you are pretty good at recognizing
them or recognizing that you do not recognize them. You use
a variety of biometric techniques to make the recognition:
facial features, height and weight, eye color, hair color
and style, vocal timbres and patterns, body language and
subtle facial mannerisms, and so on.
Biometric techniques also are used within automated systems to
authenticate users. Chief among these are fingerprint analysis,
retinal scans, and voice recognition. While biometrics offers
great promise for unambiguous authentication, it is not widely
used at present, and we will consider it no further.
Something You Know
Authentication systems that rely on something you know are really
password systems. The password is something secret that you
and the system know and that you are able to produce on demand.
As part of its security doctrine, Microsoft says, “…authentication
is commonly performed through the use of logon passwords.” You
should be familiar enough with password authentication because
you probably use it every day. When you try to get your e-mail,
for example, you are presented with two input boxes in which
you enter a username and password. Typically the username is
some mangled form of your name – “fkatz”, perhaps – or
your e-mail address – fkatz@ggpark.rec. When you type it
in, it appears on the screen in plain text, easily readable.
The password, on the other hand, usually appears in concealed
form as a string of asterisks so that anyone looking over your
shoulder is unable to read the password and thereby compromise
the system.
When you press the Enter key, your username and password are sent
back to an authentication server, which checks the credentials
you have submitted in a registration database. If the database
contains precisely the username/password combination that you
have submitted, the authentication server is satisfied. It considers
you to be authentic, and it authorizes you to do what you are
trying to do, e.g. read your e-mail.
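The registration-database check just described, written out as an added
example (not code from the newsletter). The one thing a practitioner would
want to see beyond the prose is what the database actually holds: a
per-user random salt and a slow salted hash, never the password itself, so
that a stolen database does not hand over every credential. The username,
password, iteration count and the in-memory dictionary standing in for the
database are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for the registration database: username -> (salt, hash).
_REGISTRY: Dict[str, Tuple[bytes, bytes]] = {}

# PBKDF2 work factor (assumed value for the example; raise it as hardware gets faster).
_ITERATIONS = 300_000


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation so a stolen registry cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the password is discarded."""
    salt = os.urandom(16)
    _REGISTRY[username] = (salt, _derive(password, salt))


# Dummy record so that verify() does the same amount of work for an unknown
# username; otherwise the response time reveals which usernames exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("dummy-password", _DUMMY_SALT)


def verify(username: str, password: str) -> bool:
    """True only if the submitted username/password pair matches the stored record."""
    salt, stored = _REGISTRY.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _derive(password, salt)
    # Constant-time comparison: timing must not leak how many bytes matched.
    matched = hmac.compare_digest(candidate, stored)
    return matched and username in _REGISTRY


def stored_record(username: str) -> Optional[Tuple[bytes, bytes]]:
    """Expose the stored record so a caller can confirm no plaintext is kept."""
    return _REGISTRY.get(username)


if __name__ == "__main__":
    register("fkatz", "correct horse battery staple")   # constructed credentials
    print(verify("fkatz", "correct horse battery staple"))  # True
    print(verify("fkatz", "guess"))                         # False
    print(verify("nobody", "anything"))                     # False
```

The server is "satisfied" only when the derived hash of what the visitor
typed equals the stored hash; at no point does it need, or keep, the
password in readable form.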
Note that the Microsoft doctrine says only that logon passwords
are the most commonly used form of authentication. But it does
not say that it is the only form nor even that it is the preferred
form. Something-you-know systems are popular because they are
quick and easy to deploy and impose no additional hardware or
software requirements on either the user or the machine he is
using – as contrasted with something-you-have systems,
described in a moment. But in general something-you-know systems
are inherently weak, and in actual implementation tend to be
not just weak, but extremely weak.
The major drawback to something-you-know systems is that they
assume that whatever that something is, it is something known
to you alone. If the visitor offers the correct password, then
that visitor must be you. But passwords are easily compromised,
for they can be stolen or even guessed. And the counterpoise
to the ease and low cost of deployment of password systems is
their extremely high long-term cost of maintenance and administration.
In fact of all the generally used authentication systems, password
systems are among the most expensive over their lifetimes.
Something You Have
In a perfect world, cars would not have key locks. In a perfect
world there are no car thieves and therefore no need
to go to the expense and inconvenience of protecting your
car. (Perhaps at this point we should dispense with the hopelessly
naïve word “car”, which presumes in just
3 short letters to capture the manifold complexity of the
social and technological phenomenon of the contemporary American
automobile. Let us substitute the more comprehensive and
evocative phrase “personal transportation solution”.
Though potentially cumbersome in everyday use, we can shorten
it to PTS, a convenient 3 letters in length.) There would
be a simple starter button in the dashboard – get in
the car, push the button, off you go.
But in this imperfect world, cars must be protected. They must
be locked to keep bad people out. And so that you can unlock
your car, you must carry – and protect – a key.
Your car key is something you have. It is something you have that
no one else has or can easily get. You use it to unlock your
car so that you may get in and use it. You use your key to
authenticate yourself to your car.
There are something-you-have authentication systems for computer
systems, as well. They use one of several kinds of external physical
keys in much the same way (although they are generally referred
to as “tokens” in order to avoid confusion with another
prominent authentication system known as Public Key Infrastructures.
In PKIs, the keys are mathematical rather than physical in nature.)
Something-you-have keys come in several standard configurations.
One such configuration involves a small device not terribly dissimilar
to those electronic car keys now in such prominent use. They
plug into a special receptacle that is built into or attached
to a computer. Another common incarnation of tokens is the SmartCard,
about the size and shape of a standard credit card but with an
embedded microprocessor that can interact with both the computer
and the user.
Token-based systems require additional hardware and software
components on the user’s computer and, usually, on
the host system. But because of their built-in intelligence,
these systems usually have the ability to perform dynamic authentication,
mediating challenge-and-response dialogs between the host system
and the user. This kind of authentication is more complex and
expensive to install but can offer cost savings over the system’s
lifetime. More importantly, such systems offer the possibility of much
stronger and more robust authentication, including multi-factor systems
(read on).
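The challenge-and-response dialog mentioned above, as an added example
with both sides of the exchange (not code from the newsletter or from any
particular token product). The host sends a fresh random challenge; the
token answers with a keyed MAC over it computed from a secret that never
leaves the token; the host checks the answer and throws the challenge away.
Because every challenge is new, an answer captured off the wire cannot be
replayed, which is the property a static password lacks. The token id and
secret are constructed; HMAC-SHA256 is an assumed choice of MAC.

```python
import hashlib
import hmac
import os
from typing import Dict


class Host:
    """Host side: issues random challenges and checks the token's answers."""

    def __init__(self, token_secrets: Dict[str, bytes]) -> None:
        self._secrets = dict(token_secrets)      # token id -> shared secret
        self._outstanding: Dict[str, bytes] = {}  # token id -> challenge awaiting an answer

    def issue_challenge(self, token_id: str) -> bytes:
        # Unpredictable challenge, so a recorded answer is useless next time.
        challenge = os.urandom(32)
        self._outstanding[token_id] = challenge
        return challenge

    def verify(self, token_id: str, response: bytes) -> bool:
        # pop(): each challenge may be answered exactly once (no replay).
        challenge = self._outstanding.pop(token_id, None)
        if challenge is None or token_id not in self._secrets:
            return False
        expected = hmac.new(self._secrets[token_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Token:
    """Token side: holds the secret and answers challenges; the secret is never sent."""

    def __init__(self, token_id: str, secret: bytes) -> None:
        self.token_id = token_id
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def run_dialog(host: Host, token: Token) -> bool:
    """One complete authentication: host challenges, token answers, host verifies."""
    challenge = host.issue_challenge(token.token_id)   # host -> token
    response = token.respond(challenge)                # token -> host
    return host.verify(token.token_id, response)


if __name__ == "__main__":
    secret = os.urandom(32)                            # constructed shared secret
    host = Host({"token-0001": secret})
    print(run_dialog(host, Token("token-0001", secret)))             # True
    print(run_dialog(host, Token("token-0001", os.urandom(32))))     # False: wrong secret
```

A host implementation would also expire outstanding challenges after a
short time and limit how many may be open per token; both are omitted here
to keep the exchange itself visible.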
Multi-Factor Systems
Experience strongly demonstrates that multi-factor authentication
systems offer the best, most robust form of authentication
that is reasonably available. Such systems combine several
types of authentication into a single package. And you probably
have been using one type of multi-factor system for years
without fully realizing it.
Consider your ATM card that you use to withdraw cash from your
bank. The card combines something you have – the card itself – with
something you know – the PIN that you must enter into the
ATM machine after it has read the card. Losing the card, or having
it stolen, may be inconvenient to you, but it’s not likely
to be helpful to a thief, unless he also has been able to steal
your PIN. Getting both the card and the PIN is not impossible,
but it is very much more difficult than getting either alone.
In real world practice, token-based something-you-have systems
are almost always combined with something-you-know systems to
support the dynamic generation of one-time passwords. The resulting
multi-factor systems are extremely robust and represent the state
of the authentication art. Those systems, as well as the Public
Key Infrastructures, are the subjects of future articles.
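The ATM-style combination described above, with the one-time-password
generation added as an example of what the token side produces (this is
added code, not the newsletter's and not any vendor's implementation). The
token computes a counter-based one-time code following RFC 4226 (HOTP); the
host accepts a login only when both the PIN (something you know) and a
not-yet-used code from the enrolled token (something you have) check out.
The user name, PIN, token secret, look-ahead window and PBKDF2 work factor
are constructed or assumed values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict

_PIN_ITERATIONS = 200_000   # assumed PBKDF2 work factor for the stored PIN


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Host-side check of PIN (something you know) plus token code (something you have)."""

    def __init__(self, look_ahead: int = 5) -> None:
        self._users: Dict[str, dict] = {}
        self._look_ahead = look_ahead   # how far the token counter may run ahead of the host

    def enroll(self, user: str, pin: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "pin_salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, _PIN_ITERATIONS),
            "secret": token_secret,
            "counter": 0,               # next counter value the host will accept
        }

    def verify(self, user: str, pin: str, code: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["pin_salt"], _PIN_ITERATIONS),
            rec["pin_hash"],
        )
        # Search a small window so a token pressed a few times without being used
        # still works, but never accept a counter value that was already consumed.
        code_ok = False
        for c in range(rec["counter"], rec["counter"] + self._look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                # Consume the code even if the PIN is wrong, so a captured code
                # cannot be held and reused while PINs are guessed.
                rec["counter"] = c + 1
                code_ok = True
                break
        return pin_ok and code_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"    # RFC 4226 test-vector secret
    v = TwoFactorVerifier()
    v.enroll("fkatz", "4321", secret)   # constructed user and PIN
    print(hotp(secret, 0))                          # 755224 (RFC 4226 vector)
    print(v.verify("fkatz", "4321", hotp(secret, 0)))   # True
    print(v.verify("fkatz", "4321", hotp(secret, 0)))   # False: code already used
    print(v.verify("fkatz", "0000", hotp(secret, 1)))   # False: wrong PIN
```

Losing the token alone yields codes but no PIN; learning the PIN alone
yields nothing without the token; and a code that has been observed once is
dead the moment it is used, which is what makes the combination so much
harder to defeat than either factor on its own.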
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
We can help
At Altenbernd Consulting we have an array of Security
Management Services that are designed to help you cope with the overwhelming
complexity of security on the Internet. We can evaluate your
current security practices and recommend improvements. If you
are using a password-based authentication system and plan to
continue to do so, we can help you ensure that it is as strong
and resistant as a password system can be. And we can be a single-point
outsource for all of your network security needs. Call us at
(800) 557-7634. Or visit our Web site to learn more about how
we can help you: http://www.Altenbernd.Com.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++