<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Enterprise IT Identity &amp; Access Management : 1. Technology</title><link>http://blogs.technet.com/yaleli/archive/tags/1.+Technology/default.aspx</link><description>Tags: 1. Technology</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Authentication Protocols and Standards</title><link>http://blogs.technet.com/yaleli/archive/2006/06/01/422399.aspx</link><pubDate>Fri, 02 Jun 2006 00:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:422399</guid><dc:creator>Yale Li</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/yaleli/comments/422399.aspx</comments><wfw:commentRss>http://blogs.technet.com/yaleli/commentrss.aspx?PostID=422399</wfw:commentRss><wfw:comment>http://blogs.technet.com/yaleli/rsscomments.aspx?PostID=422399</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;FONT face=Arial size=2&gt;Some of the most popular authentication protocols and standards are:&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;KERBEROS v5:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; &lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Kerberos is an open standard for distributed systems authentication (&lt;A href="http://www.ietf.org/rfc/rfc1510.txt?number=1510"&gt;RFC 1510&lt;/A&gt;). It relies on shared secret (or password) authentication by users to an authentication server called a Key Distribution Center (KDC). The KDC grants users access to applications, optional delegation of access from an application service to another service, and optional inter-domain trusts between groups of KDCs. In Windows servers and clients running Microsoft Windows 2000 Server or later, the Kerberos version 5 authentication protocol is the basis of authentication to Active Directory. It has an extension (PKINIT) to support smart card logon. It is also integrated into SMB, HTTP, and RPC, as well as the client and server applications that use these protocols.&lt;/SPAN&gt; &lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;NTLM:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: #333333; FONT-FAMILY: Arial"&gt;Windows NT Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows NT operating system and on stand-alone systems. NTLM stands for Windows NT LAN Manager, a name chosen to distinguish this more advanced challenge/response-based protocol from its weaker predecessor LAN Manager (LM). NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;X.509:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;The X.500 directory standards published by the ITU contain a subsection, X.509, which sets out recommendations for an authentication services framework. X.509, in its third revision, defines both a detailed syntax for certificates and an operational protocol specifying how a certificate is used for authentication. X.509 based authentication (such as Smart Card Logon and SSL/TLS Client Certificate) requires either an internal PKI Infrastructure or an external certificate service.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Transport Layer Security 1.0/Secure Sockets Layer 3.0:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;SSL 3.0 and TLS 1.0 are closely related protocols. SSL 3.0 is a proprietary Netscape Communications protocol, while TLS 1.0 is the Internet Engineering Task Force (IETF) standard. TLS, or &lt;A href="http://www.ietf.org/rfc/rfc2246.txt?number=2246"&gt;RFC 2246&lt;/A&gt;, operates at the transport layer of the protocol stack. It’s invoked automatically whenever a user’s workstation connects to a server that requires secure communications. TLS/SSL uses a handshaking procedure to authenticate the server and (optionally) the client through X.509 certificates, to negotiate the algorithms for the session, and to exchange session keys for encryption and message digests.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;EAP-TLS&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;EAP-TLS uses a TLS handshake as the basis for authentication. TLS authenticates peers by exchanging digital certificates. In EAP-TLS, certificates are used to provide authentication in both directions. The server presents a certificate to the client, and, after validating the server's certificate, the client presents a client certificate. Naturally, the certificate may be protected on the client by a passphrase, PIN, or stored on a smart card, depending on the implementation. One flaw in the EAP-TLS protocol noted by many observers is that the identity exchange proceeds in the clear before exchange of certificates, so a passive attack could easily observe user names. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;TTLS and PEAP&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;The structures of TTLS and PEAP are quite similar. Both are two-stage protocols that establish security in stage one and then exchange authentication in stage two. Stage one of both protocols establishes a TLS tunnel and authenticates the authentication server to the client with a certificate. (TTLS and PEAP still use certificates to authenticate the wireless network to the user, but only a few certificates will be required, so it is much more manageable.) Once that secure channel has been established, client authentication credentials are exchanged in the second stage. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;TTLS uses the TLS channel/tunnel to exchange "attribute-value pairs" (AVPs), much like RADIUS. (In fact, the AVP encoding format is very similar to RADIUS.) The general encoding of information allows a TTLS server to validate AVPs against any type of authentication mechanism. TTLS implementations today support all methods defined by EAP, as well as several older methods (CHAP, PAP, MS-CHAP and MS-CHAPv2). TTLS can easily be extended to work with new protocols by defining new attributes to support new protocols. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;PEAP uses the TLS channel to protect a second EAP exchange. Authentication must be performed using a protocol that is defined for use with EAP. In practice, the restriction to EAP methods is not a severe drawback because any "important" authentication protocol would be defined for use with EAP in short order so that PEAP could use it. A far greater concern is client software support. PEAP is backed by Microsoft, and clients are beginning to become available for recent professional versions of Windows (XP now, with Windows 2000 support coming shortly). Suppliers of PEAP clients for other operating systems have yet to materialize, which may restrict PEAP to being used only in pure Microsoft networks. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Remote Access Dial-in User Services:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;RADIUS, or &lt;A href="http://www.ietf.org/rfc/rfc2138.txt?number=2138"&gt;RFC 2138&lt;/A&gt;, encrypts user ID/password information or challenge/response token information over the network. While initially created to support remote or network access servers, RADIUS has evolved to provide a standard mechanism by which Internet service providers (ISPs) relay authentication requests back to corporate customers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Security Assertion Markup Language (SAML): &lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;When combined with XML-based remote procedure calls (RPCs) such as the Simple Object Access Protocol (SOAP), SAML serves as a distributed authentication protocol between authentication and other security services. As such, SAML allows loosely coupled security domains with heterogeneous systems and authentication methods to federate authentication. Liberty Alliance specifications leverage SAML as the underlying protocol while providing extensions such as account linking and global logout.&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 9pt; FONT-FAMILY: Verdana"&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 9pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Web Service Security (WSS):&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 9pt; FONT-FAMILY: Verdana"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Web Services Security (WSS) specifies ways to encode authentication and other security tokens in Simple Object Access Protocol (SOAP) message headers. Web Services Security Language (WS-Security) outlines encoding mechanisms for user IDs/passwords, X.509 certificates, Kerberos tickets, and SAML assertions.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;eXtensible rights Markup Language (XrML): &lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.25in; mso-layout-grid-align: none"&gt;&lt;SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;XrML is an XML-based usage grammar for specifying rights and conditions to control the access to digital content and services. Using XrML, anyone owning or distributing digital resources (such as content, services, or software applications) can identify the parties allowed to use those resources, the rights available to those parties, and the terms and conditions under which those rights may be exercised. These four elements are the Core of the language and determine the full context of the rights that are specified. In other words, it is not sufficient to just specify that the right to view certain content has been granted, but also &lt;I&gt;who &lt;/I&gt;can view it and under &lt;I&gt;what &lt;/I&gt;conditions.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Simple Authentication and Security Layer:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;SASL, or Request for Comment (&lt;A href="http://www.ietf.org/rfc/rfc2222.txt?number=2222"&gt;RFC 2222&lt;/A&gt;), is a generalized negotiation mechanism and authentication abstraction layer for any connection-based protocol, including Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol 4 (IMAP4), and Lightweight Directory Access Protocol version 3 (LDAPv3).&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Secure Shell:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;SSH, now at version 2.0, is a secure protocol and set of tools for secure, remote user authentication and access to servers. SSH can be used to secure any network-based traffic by setting it up as a "pipe" (i.e., binding it to a certain port at both ends). This makes it useful for functions such as running X-Windows across the Internet. SSH runs on most UNIX systems, Windows servers, and client platforms, and there are open source SSH solutions for these environments. The SSH protocol consists of three major components: the Transport Layer Protocol provides server authentication, confidentiality, and integrity with perfect forward secrecy; the User Authentication Protocol authenticates the client to the server; and the Connection Protocol multiplexes the encrypted tunnel into several logical channels.&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-fareast-font-family: SimSun; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-fareast-font-family: SimSun; mso-fareast-language: ZH-CN"&gt;BAPI&lt;/SPAN&gt;&lt;/B&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 0.25in"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-fareast-font-family: SimSun; mso-fareast-language: ZH-CN"&gt;The&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 9pt; FONT-FAMILY: Arial"&gt; &lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Biometric Application Programming Interface (BAPI) defines a standard software protocol and application programming interface (API) for communication between software applications and biometric devices. BAPI is designed to bring&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-fareast-font-family: SimSun; mso-fareast-language: ZH-CN"&gt; standards a&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;nd compatibility to the biometric hardware and software markets&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-fareast-font-family: SimSun; mso-fareast-language: ZH-CN"&gt;. &lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Arial"&gt;In 2000, Microsoft acquired BAPI technology from I/O Software with the intention to integrate the technology into the upcoming versions of Windows. As a direct result of Microsoft's integration, BAPI will be positioned to provide a seamless and consistent plug-and-play experience to Windows, and the vast majority of PC users. Triggered by Microsoft's commitment to the integration of biometrics, a quickly growing number of biometric vendors have adopted the BAPI standard. Microsoft may extend Kerberos in Blackcomb to support domain Biometrics logon (Longhorn local Biometrics logon has been but).&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 9pt; FONT-FAMILY: Verdana; mso-fareast-font-family: SimSun; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Many other authentication methods are B2C focused and will not be explained here (such as IIS Basic, Digest, Form Based, Passport and InfoCard&amp;nbsp;etc.)&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;</description><category domain="http://blogs.technet.com/yaleli/archive/tags/1.+Technology/default.aspx">1. Technology</category></item><item><title>Physical Access Control Technology</title><link>http://blogs.technet.com/yaleli/archive/2006/03/28/422400.aspx</link><pubDate>Tue, 28 Mar 2006 06:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:422400</guid><dc:creator>Yale Li</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/yaleli/comments/422400.aspx</comments><wfw:commentRss>http://blogs.technet.com/yaleli/commentrss.aspx?PostID=422400</wfw:commentRss><wfw:comment>http://blogs.technet.com/yaleli/rsscomments.aspx?PostID=422400</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;A typical physical access control system is made up of the following components:&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="mso-fareast-font-family: Arial; mso-bidi-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT face=Arial size=2&gt;-&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;ID Credential&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="mso-fareast-font-family: Arial; mso-bidi-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT face=Arial size=2&gt;-&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Door Reader&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="mso-fareast-font-family: Arial; mso-bidi-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT face=Arial size=2&gt;-&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Door Lock&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="mso-fareast-font-family: Arial; mso-bidi-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT face=Arial size=2&gt;-&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Control Panel&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="mso-fareast-font-family: Arial; mso-bidi-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT face=Arial size=2&gt;-&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Access Control Server&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="mso-fareast-font-family: Arial; mso-bidi-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT face=Arial size=2&gt;-&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Software&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;&lt;SPAN style="mso-fareast-font-family: Arial; mso-bidi-font-family: Arial"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT face=Arial size=2&gt;-&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Database&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;The access control process begins when a user presents the credential (such as an employee badge) to the door reader. The reader extracts data from the badge, processes it, and sends it to the control panel. The control panel first validates the reader and then accepts the data transmitted by the reader. What happens next depends on whether the system is centralized or distributed. In a centralized system, the control panel transmits the data to the access control server. The access control server compares the data received from the card with information about the user that is stored in a database. Access control software determines the user’s access privileges and authorization, the time, date and door entered, and any other information that a company may require to ensure security. When access is authorized, the server sends a signal to the control panel to unlock the door. In a distributed system, the control panel allows or denies entry. The access control server periodically provides control panels with data that enable the control panel software to determine whether a user is authorized for access. The control panel then performs the access control server functions described above and makes the decision to allow or deny entry.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;The communications protocols between the reader and panel include TCP/IP, RS-485, and RS-232.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;The industry trend is to integrate logical and physical access control and use a single badge.&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp; &lt;/SPAN&gt;Interoperability is important to merge the two technologies. The badges are designed as a hybrid (two chips on the same card) or dual interface (one chip supporting two technologies) for this purpose.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;</description><category domain="http://blogs.technet.com/yaleli/archive/tags/1.+Technology/default.aspx">1. Technology</category></item><item><title>User Authentication Mechanism (Method)</title><link>http://blogs.technet.com/yaleli/archive/2006/03/27/422398.aspx</link><pubDate>Mon, 27 Mar 2006 07:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:422398</guid><dc:creator>Yale Li</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/yaleli/comments/422398.aspx</comments><wfw:commentRss>http://blogs.technet.com/yaleli/commentrss.aspx?PostID=422398</wfw:commentRss><wfw:comment>http://blogs.technet.com/yaleli/rsscomments.aspx?PostID=422398</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;A user authentication mechanism&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt; can use one of the above factors or combine multiple factors to form strong authentication. 
The following are major user authentication &lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;mechanisms (methods):&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P style="MARGIN-LEFT: 63pt; TEXT-INDENT: -0.25in; mso-list: l0 level1 lfo3; tab-stops: list 63.0pt"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt;Badge and identity card:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; Identification badges are usually used for physical access authentication, either by a security system automatically or by a security guard manually. They commonly include bar codes, magnetic strips, or RFID tags. These typically contain fixed information that can be used as tokens. Badges and cards are relatively easy to forge and duplicate, but mechanisms such as holographic impressions or plastic laminate coverings, size and shape variations, unique colorings, micro-printing, and unique materials make forgery more difficult.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in; TEXT-INDENT: -0.25in; mso-list: l2 level1 lfo1; tab-stops: list .85in"&gt;&lt;SPAN style="FONT-SIZE: 9pt; FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-language: ZH-CN"&gt;&lt;SPAN style="mso-list: Ignore"&gt;·&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT face=Arial&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;Password&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="FONT-SIZE: 9pt; mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;: &lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;Passwords remain the dominant identification and authentication method. They require a user or application to enter a character string, which is then submitted over the network and matched against a passwords database or file maintained by an authenticating program.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN style="FONT-SIZE: 9pt; FONT-FAMILY: Verdana"&gt; &lt;/SPAN&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;This is one factor authentication.&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="FONT-SIZE: 9pt; mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in; TEXT-INDENT: -0.25in; mso-list: l2 level1 lfo1; tab-stops: list .85in"&gt;&lt;SPAN style="FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=2&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT face=Arial&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;Smart Card&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="FONT-SIZE: 9pt; mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;: &lt;/SPAN&gt;&lt;/B&gt;&lt;FONT size=2&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;The term “smart cards” describes cryptographic devices capable of generating digital signatures that prove possession of a private key or credential. These devices take a number of different physical forms. Most smart cards are similar in size and material to credit cards, with the addition of small, dime-size memory chips or microprocessors. ISO 7816, &lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;PC/SC, EMV, GSM are the main standards for smart card. &lt;/SPAN&gt;Cards that comply with these standards are intelligent, read/write devices capable of storing different kinds of data and operating at different ranges. Standards-based smart cards can authenticate a person's identity, determine the appropriate level of access, and admit the cardholder to a facility, all from data stored on the card. 
These cards can include additional authentication factors (such as biometric templates or PINs) and other card technologies, including a contactless/RFID, to satisfy the requirements of legacy applications or applications for which a different technology is more appropriate. A s&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;mart card reader is required hardware to read and write to the smart card. Usually, users enter a PIN to access the private key protected by the smart card. The combination of smart card and PIN is commonly known as two factor authentication.&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in; TEXT-INDENT: -0.25in; mso-list: l2 level1 lfo1; tab-stops: list .85in"&gt;&lt;SPAN style="FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-language: ZH-CN"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=2&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT face=Arial&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;FONT size=2&gt;Contactless/Wireless Smart Card&lt;/FONT&gt;&lt;/B&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="FONT-SIZE: 9pt"&gt;: &lt;/SPAN&gt;&lt;/B&gt;&lt;FONT size=2&gt;This is a variation of the aforementioned smart card technology. It does not need reader insertion, and is primarily used for physical access. There are three primary contactless technologies considered for physical access control applications: 125 kHz, ISO 14443, and ISO 15693 technologies. For future applications, IEEE 802.15.4/ZigBee is also considered.&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 63pt; TEXT-INDENT: -1.8pt"&gt;&lt;FONT face=Arial size=2&gt;125 kHz read-only technology is used by the majority of today's RFID access control systems and is based on de facto industry standards vs. international standards. Contactless smart card technology is based on the Mifare (14443A equivalent), ISO 14443B and ISO 15693 standards. &lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;ZigBee is a new wireless technology better than Bluetooth in terms of system requirements and cost. It opens a door for wireless smartcards. The planned Microsoft SPOT SmartBadge will use ZigBee.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;A card containing two chips, contact smart card and contactless smart card/RFID tag, is defined as a hybrid card. A card with a single chip supporting both contact and contactless smartcard interfaces is called a dual-interface card.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;FONT face=Arial size=2&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Contactless Technology Comparison &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;TABLE class=MsoTableGrid style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; MARGIN: auto auto auto 0.7in; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none; BORDER-COLLAPSE: collapse; mso-table-layout-alt: fixed; mso-border-alt: solid windowtext .5pt; mso-yfti-tbllook: 480; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-border-insideh: .5pt solid windowtext; mso-border-insidev: .5pt solid windowtext" cellSpacing=0 cellPadding=0 border=1&gt;
&lt;TBODY&gt;
&lt;TR style="mso-yfti-irow: 0; mso-yfti-firstrow: yes"&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: windowtext 1pt solid; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: windowtext 1pt solid; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Technology&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: windowtext 1pt solid; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Frequency&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: windowtext 1pt solid; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" /&gt;&lt;st1:place w:st="on"&gt;&lt;st1:PlaceName w:st="on"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;Max&lt;/SPAN&gt;&lt;/st1:PlaceName&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt; &lt;st1:PlaceName w:st="on"&gt;Range&lt;/st1:PlaceName&gt;&lt;/SPAN&gt;&lt;/st1:place&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: windowtext 1pt solid; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 0.75in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt" vAlign=top width=72&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;On card&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;power&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: windowtext 1pt solid; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Dual Interface support&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: windowtext 1pt solid; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Hybrid ID&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Card support&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 1"&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: windowtext 1pt solid; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;125kHz&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;126kHz&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;1 meter&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 0.75in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=72&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;no&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;No&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 2"&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: windowtext 1pt solid; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;ISO 14443&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;13.56mHz&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;10 cm&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 0.75in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=72&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;no&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 3"&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: windowtext 1pt solid; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;ISO 15693&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;13.56mHz&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;1 meter&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 0.75in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=72&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;no&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;No&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 4; mso-yfti-lastrow: yes"&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: windowtext 1pt solid; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;ZigBee&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;868/915mHz&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;2.4gHz&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;5m – 500m&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;configurable&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 0.75in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=72&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;yes&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 63pt; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=84&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Unknown&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD style="BORDER-RIGHT: windowtext 1pt solid; PADDING-RIGHT: 5.4pt; BORDER-TOP: #d4d0c8; PADDING-LEFT: 5.4pt; PADDING-BOTTOM: 0in; BORDER-LEFT: #d4d0c8; WIDTH: 1in; PADDING-TOP: 0in; BORDER-BOTTOM: windowtext 1pt solid; BACKGROUND-COLOR: transparent; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt" vAlign=top width=96&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Unknown&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;FONT face=Arial size=2&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;The combination of contactless smartcard and PIN is considered as two factor authentication.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 63pt; TEXT-INDENT: -0.25in; mso-list: l1 level1 lfo2; tab-stops: list 63.0pt"&gt;&lt;SPAN style="FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-language: ZH-CN"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=2&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;USB Token: &lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;USB Tokens are another variation of a contact smart card. The technology combines both smart card and smart card reader in the same unit. Users insert the USB token (usually in key fob format) into an available USB port and smart card reader hardware is no longer required (only the reader driver software is required). The combination of USB Token and PIN is considered as two factor authentication.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 63pt; TEXT-INDENT: -0.25in; mso-list: l1 level1 lfo2; tab-stops: list 63.0pt"&gt;&lt;SPAN style="FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-language: ZH-CN"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=2&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-fareast-language: ZH-CN"&gt;TPM: &lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="mso-fareast-language: ZH-CN"&gt;Trusted Platform Modules (TPM) are isolated chips that reside on the computer’s motherboard and use digital signatures to verify that the operating system and other components of the software environment have not been compromised. &lt;/SPAN&gt;&lt;I&gt;&lt;SPAN style="COLOR: black"&gt;IDC Worldwide PC 3Q03 Forecast Update 2003-2007 &lt;/SPAN&gt;&lt;/I&gt;&lt;SPAN style="COLOR: black"&gt;(#30607) &lt;/SPAN&gt;&lt;SPAN style="COLOR: black; mso-bidi-font-family: Arial"&gt;estimates that 30 million TPM chips will have shipped for PC desktop and notebook computers in 2005, and over three times that number in 2007. This forecast indicates that over 55% of all PCs and Notebook computers will be TPM-capable by the end of 2007. TPM is capable of both user and device (PC, PDA, Cell Phone) authentication, and is a good replacement for smartcard and reader. &lt;/SPAN&gt;&lt;SPAN style="mso-fareast-language: ZH-CN"&gt;Microsoft Hypervisor in Longhorn/Vista will use TPM to simulate smart cards.&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt; The combination of TPM and PIN is considered as two factor authentication.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in; TEXT-INDENT: -0.25in; mso-list: l2 level1 lfo1; tab-stops: list .85in"&gt;&lt;SPAN style="FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-language: ZH-CN"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=2&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;OTP Device:&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt; A One Time Password (OTP) device is a &lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;hardware device/token, typically with a liquid crystal display panel that displays number sequences (such as RSA Security’s SecurID). These sequences create one-time passwords with PINs or challenge users to calculate passwords using numeric keypads, such as those on ActivCard One. The one-time password is time synchronized with the backend authentication system. &lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;The combination of OTP device and Password (or PIN) is considered as two factor authentication.&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/B&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in; TEXT-INDENT: -0.25in; mso-list: l2 level1 lfo1; tab-stops: list .85in"&gt;&lt;SPAN style="FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-language: ZH-CN"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=2&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Biometrics&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 63pt"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;Biometric authentication compares a digital sample of some physical characteristic of a user against a stored sample in a database record or file. Common methods include retinal, palm, or fingerprint scans, as well as voice authentication. After years of development, these systems are becoming more reliable, yielding lower FAR and FRR. Prices are also falling, making biometrics increasingly practical. Biometric solutions are seeing particular success in physical facilities authentication and government applications such as border security and law enforcement. Biometric authentication itself is one factor authentication. It can only be considered as two factor authentication if Biometrics is combined with a PIN (or another factor).&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in; TEXT-INDENT: -0.25in; mso-list: l2 level1 lfo1; tab-stops: list .85in"&gt;&lt;SPAN style="FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-language: ZH-CN"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=2&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Behavior/Cogmetrics/Cognitive&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 63pt"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;This is usually based on something one can do. Behavior authentication tests user usage dynamics and other behaviors; it is an offshoot of biometric techniques that develop profiles based upon normal user actions or use patterns. Cogmetrics or cognitive authentication tests a user’s visual memory for objects (such as familiar faces) trained during user setup. This is one factor authentication when used without a PIN.&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.85in; TEXT-INDENT: -0.25in; mso-list: l2 level1 lfo1; tab-stops: list .85in"&gt;&lt;SPAN style="FONT-FAMILY: Symbol; mso-fareast-font-family: Symbol; mso-bidi-font-family: Symbol; mso-fareast-language: ZH-CN"&gt;&lt;SPAN style="mso-list: Ignore"&gt;&lt;FONT size=2&gt;·&lt;/FONT&gt;&lt;SPAN style="FONT: 7pt 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;Software Tokens and Client Side PKI&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 63pt"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Software tokens operate like hardware tokens, except that a software program installed on a user’s workstation or other computing device (e.g., PDA or Pocket PC) provides a token generator or the challenge/response system. Client-side Public Key Infrastructure (PKI) systems also operate like smart cards, except that special workstation or other device-resident software protects the private keys. &lt;SPAN style="mso-bidi-font-family: Arial"&gt;This is one factor authentication when used without a PIN.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;B style="mso-bidi-font-weight: normal"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;o:p&gt;&lt;FONT face=Arial size=2&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt"&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Other mechanisms employed are usually more variations on the above, such as knowledge based authentication and mobile phone/PDA tokens. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;</description><category domain="http://blogs.technet.com/yaleli/archive/tags/1.+Technology/default.aspx">1. Technology</category></item><item><title>Ways to Compromise Password</title><link>http://blogs.technet.com/yaleli/archive/2006/03/25/422401.aspx</link><pubDate>Sat, 25 Mar 2006 03:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:422401</guid><dc:creator>Yale Li</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/yaleli/comments/422401.aspx</comments><wfw:commentRss>http://blogs.technet.com/yaleli/commentrss.aspx?PostID=422401</wfw:commentRss><wfw:comment>http://blogs.technet.com/yaleli/rsscomments.aspx?PostID=422401</wfw:comment><description>&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Passwords are vulnerable by virtue of the following attacks&lt;SPAN style="COLOR: black; mso-bidi-font-family: Arial"&gt;:&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;SPAN style="COLOR: black; mso-bidi-font-family: Arial"&gt;&lt;BR&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Password Cracking Tools - A variety of software tools, such as L0Phtcrack and NT Crack, automate the guessing of passwords through brute force and with extensive dictionaries of frequently used passwords.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;SPAN style="COLOR: black; mso-bidi-font-family: Arial"&gt;&lt;BR&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Network Monitoring - This technique, also known as “sniffing,” allows undetected monitoring of the contents of any message that streams by and flagging of messages based on keywords, such as “login” or “password.”&lt;BR style="mso-special-character: line-break"&gt;&lt;BR style="mso-special-character: line-break"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;SPAN style="COLOR: black; mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Brute Force Dialing (or War Dialing) - Programs like ToneLoc automate the process of locating modem telephone lines; then the hacker attempts sign-on with various password alternatives.&lt;BR style="mso-special-character: line-break"&gt;&lt;BR style="mso-special-character: line-break"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;SPAN style="COLOR: black; mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Abuse of Administrative Tools. Many tools that have been designed to control and improve networks can be misused for destructive purposes.&lt;BR style="mso-special-character: line-break"&gt;&lt;BR style="mso-special-character: line-break"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;SPAN style="COLOR: black; mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Social Engineering. In contrast to the high-tech tools available to uncover passwords, some intruders use non-technical approaches to steal passwords.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;o:p&gt;&lt;FONT face=Arial size=2&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.35in"&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;Keystroke monitoring - &lt;SPAN style="COLOR: black"&gt;This technique monitors and records a user’s keystrokes remotely when the user types in a password at public kiosks.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;</description><category domain="http://blogs.technet.com/yaleli/archive/tags/1.+Technology/default.aspx">1. Technology</category></item><item><title>User Authentication Factors</title><link>http://blogs.technet.com/yaleli/archive/2006/03/24/422397.aspx</link><pubDate>Fri, 24 Mar 2006 08:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:422397</guid><dc:creator>Yale Li</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/yaleli/comments/422397.aspx</comments><wfw:commentRss>http://blogs.technet.com/yaleli/commentrss.aspx?PostID=422397</wfw:commentRss><wfw:comment>http://blogs.technet.com/yaleli/rsscomments.aspx?PostID=422397</wfw:comment><description>&lt;P&gt;&lt;FONT size=2&gt;&lt;FONT face=Arial&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-fareast-font-family: SimSun; mso-fareast-language: ZH-CN"&gt;There are&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"&gt; four authentication factors:&lt;?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL type=disc&gt;
&lt;LI class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; mso-list: l0 level1 lfo1; tab-stops: list .5in; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"&gt;&lt;SPAN&gt;&lt;STRONG&gt;Something one knows:&lt;/STRONG&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; mso-layout-grid-align: none"&gt;&lt;SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA"&gt;The concept here is that if the user knows a pre-determined secret, he or she must be the right person. The common type of secret is a password or a PIN, though other schemes like images and patterns are being explored. The conventional wisdom is that since it is a secret, no additional information about the likelihood of true identity is necessary or available. Security professionals usually disagree: for example, a system’s confidence in the provided password could certainly depend upon the location of its source - the likelihood of an imposter providing your password from your office is much lower than the likelihood of them providing it over the network.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL type=disc&gt;
&lt;LI class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; mso-list: l0 level1 lfo1; tab-stops: list .5in; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"&gt;&lt;SPAN&gt;&lt;STRONG&gt;Something one has:&lt;/STRONG&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; mso-layout-grid-align: none"&gt;&lt;SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA"&gt;The concept here is that if a user has a pre-configured item, he or she must be the right person. Examples of this may be a smart card, ID badge, key or &lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;time variant authentication code generator&lt;/SPAN&gt;&lt;SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA"&gt;. The conventional wisdom is that anyone who has the token should have full access and that no other information is needed. Again, we disagree. As with the password example, location of the token and time since session use can both affect the confidence a system should have in the corresponding authentication. More radical out-of-band information, such as the owner’s expected location based on scheduled appointments, could also provide insight.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL type=disc&gt;
&lt;LI class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; mso-list: l0 level1 lfo1; tab-stops: list .5in; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"&gt;&lt;SPAN&gt;&lt;STRONG&gt;Something one is:&lt;/STRONG&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; mso-layout-grid-align: none"&gt;&lt;SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA"&gt;The concept here is that the system compares measured features of the user to pre-recorded values, allowing access if there is a match. Commonly, physical features (&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;retinal patterns, fingerprints, voice characteristics, facial geometry, DNA sequences, etc&lt;/SPAN&gt;&lt;SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA"&gt;) are the focus of such schemes. Identifying features are boiled down to numerical values called “biometrics” for comparison purposes. Biometric values are inherently varied, both because of changes in the feature itself and because of changes in the measurement environment. For example, facial biometrics can vary during a day due to acne appearance, facial hair growth, facial expressions, and ambient light variations. More drastic changes result when switching between eyeglasses and contact lenses or upon breaking one’s nose. Similar sets of issues exist for other physical features. Therefore, the decision approach used is to define a “closeness of match” metric and to set some cut-off value — above the cut-off value, the system accepts the identity, and below it, not. When setting the cut-off value, an administrator makes a trade-off between the likelihood of FAR (False Acceptance Rate) and FRR (False Rejection Rate).&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL type=disc&gt;
&lt;LI class=MsoNormal style="MARGIN: 4pt 0in 6pt 0.5in; mso-list: l0 level1 lfo1; tab-stops: list .5in; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto"&gt;&lt;SPAN&gt;&lt;STRONG&gt;Something one can do:&lt;/STRONG&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; mso-layout-grid-align: none"&gt;&lt;SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-bidi-language: AR-SA"&gt;The concept here is that the system compares measured user activity or pattern to pre-recorded “cog metrics” or “cognitive” values, allowing access if there is a match.&lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt; The activity or pattern can be normal activity periods, IP address of access point, pattern of application usage, signature writing, key-press timing, commands one uses, one’s footfall, one’s attire, one’s &lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial; mso-fareast-language: ZH-CN"&gt;familiar faces &lt;/SPAN&gt;&lt;SPAN style="mso-bidi-font-family: Arial"&gt;etc. This factor may be considered as a subset of (or overlapped with) “something one is” or “something one knows” in certain scenarios.&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;</description><category domain="http://blogs.technet.com/yaleli/archive/tags/1.+Technology/default.aspx">1. Technology</category></item></channel></rss>