Solutions for Portable Security

Since user authentication is the front line of security, the stronger it is the better. In this article I want to discuss multi-factor authentication and why it is stronger than just a single factor. Proving your identity involves using one or more of three possible factors:

• Knowledge (passwords, PINs, etc.)
• Possession (driver’s license, token, corporate badge, etc.)
• Being (biometric: face, finger, voice, retina, etc.)

You will likely come across conflicting opinions of whether one factor is better than another. For example some people might consider passwords better than biometrics while others will argue the opposite. But who is correct? Is there one factor that is better than all of the others?

The answer is that it really depends on what criteria you are using to measure the authentication mechanism against, and there are many dimensions to consider. For example you could compare biometrics and passwords with respect to accuracy, convenience, ability to share, presence of a live person, usability, susceptibility to replay attacks, and so on. Your choice of what is important will determine which single factor is better than another. Worse still, there can be variations even within a particular factor type. The following diagram illustrates this point.

In the plot above I have chosen convenience and accuracy as measures. You can see immediately that a complex password, say “%SPc_87snwi$”, is more accurate (harder to guess) than a simple password, like “Hello” but you pay the price in convenience. Similar trade-offs occur in biometric technologies. A retina scan is considered to be more accurate than voice recognition but you have to shine a light at the back of your eyeball to provide a sample which is quite a bit more invasive than speaking into a microphone. A DNA sample (using enough markers) is in theory orders of magnitude more accurate but you might have to wait a few days for the results, which I consider a huge inconvenience when logging into your workstation.

With only two measures; accuracy and convenience, there are valid arguments for favoring either factor over the other. Imagine the difficulty in deciding which mechanism is better when you consider a dozen of more different threats.

One thing to realize is that there are advantages and disadvantages among each factor of authentication. No single factor of authentication is perfect. What is interesting is that biometrics and passwords have some very complimentary properties. That is, a weakness in one factor can actually be a strength of the other. This is what makes multi-factor authentication so compelling for security because the effect of combining them creates something much stronger than either factor on its own could possibly attain.

To illustrate this I have chosen a handful of security threats and highlighted the weaknesses and strengths of biometric, password and both combined. A red brick indicates that the method is vulnerable to the corresponding threat and a green brick means it is not.

I have deliberately selected software-based password authentication and a hardware-based (fingerprint) biometric as my two factors in order to more acutely demonstrate their complementary nature with respect to the list of threats. You can see that when they are combined, the resulting two-factor authentication is resistant to all of the listed threats.

If strong authentication is critically important to you I highly recommend multi-factor authentication because it is without a doubt, the best authentication security you can get.

Given the recent news about a serious password security flaw (see http://www.syss.de/index.php?id=veroeffentlichungen&no_cache=1&L=1) found with some encrypted USB drives I thought it would be a good time to say a few things about authentication.

Let’s start with the very basics.  User authentication is the front line of security.  If authentication is weak, it doesn’t matter how strong your encryption is, or how impenetrable the hardware is that protects the encryption key.  If there is no authentication, there may as well be no encryption at all.  Authentication is the “key to the key” so to speak.

Since the authentication process itself manipulates sensitive information, such as passwords and biometric templates, it only makes sense that it occur in a trustworthy environment.  Even strong, multi-factor authentication becomes weakened and even defeated if the user’s credential information is compromised.  Your managed corporate desktop should be a trustworthy environment.  This is why entering a password to login to your domain normally isn’t a problem.  However the situation is drastically different for a secure flash drive.  Being a portable device, it can be exposed to many untrustworthy environments where malicious software may be capturing keystrokes or passwords in memory. 

The best place for the authentication to occur in such a device is within the hardware.  Of course the more secure the hardware the better.  Some people are suggesting that the FIPS certification is meaningless given that the recent security flaw is associated with FIPS validated devices.   There is nothing wrong with the FIPS process but it must be understood that it only deals with what happens inside the cryptographic boundary and there is much more to consider when looking at overall security (see this blog entry for some more insight http://www.mxisecurity.com/blog/cto/2008/07/14/fips-validated-is-more-than-a-check-box/).

At MXI Security we strive to deliver the best authentication technology in the industry.  Our portable devices are capable of password, biometric, and multi-authentication, all within the secure hardware environment of the device.  You can take these devices anywhere but you will still need to be aware that key loggers can still be a threat as password entry is done from a keyboard.  It’s good practice to change your password to mitigate the efficacy of such attacks (we provide password rules to let you enforce such things as regular changes and password reuse).

Since biometric authentication is done completely on the device it is immune even from key loggers.  For those that want the strongest authentication possible, biometric and password authentication can be combined (2-factor) so that even a compromised password isn’t enough to break in.

If you are interested I have other blogs entries on authentication (see http://www.mxisecurity.com/blog/cto/2008/07/10/is-it-two-factor-or-three-factor-authentication/ and http://www.mxisecurity.com/blog/cto/2008/06/03/beware-of-biometric-images/).

Internet technology is fantastic, but I carry a certain level of anxiety which makes my web surfing less enjoyable.  The root cause of this anxiety is the fear that my personal information will be compromised.  The thought of my digital credentials being in the hands of an attacker is really quite disturbing.  Personally, I try to minimize my “web presence” so in a way I feel that this paranoia is actually healthy as it helps me maintain this goal.   However when I tally up all of the web logins I have, I realize that my presence is not as minimal as I’d thought.  What’s worse is that I don’t think I can remember all of the sites I’ve signed up to.

Have you ever wondered what kind of damage an attacker could do if they have your web credentials?  Here are some questions to consider if you care to measure your exposure.  How many web site logins do you have?  How strong are your passwords?  How many times do you reuse the same password for different sites?  Do you ever use the same password that you use as your login at work?  How many sites do you have accounts on that you can no longer remember?  Do you find yourself storing lists of user IDs and passwords so you can keep track of them?

We are taught by security professionals (and maybe common sense) that your passwords should be different for each web site, they should be complex, and you shouldn’t store them or write them down.  Obviously this isn’t practical and the problem has been recognized by the industry which has responded with new web identity paradigms such as OpenID, and InfoCard (a.k.a. CardSpace in Microsoft). 

These initiatives may take years to become widely adopted so what can we do in the meantime?  IE and Firefox offer one solution via password managers that they build into the browser.  They will remember your login credentials and automatically fill them into forms as required.   I don’t use these because I don’t trust having password vaults sitting on my machine where they are easily accessible and are ripe targets for attack (see http://www.securityfocus.com/infocus/1882 for a nice survey of password manager risks).

I have a wish.  Instead of passwords I’d like to use certificates to authenticate to all of these web sites that use self-managed credentials (i.e. the ones that let me pick my own user ID and password).  I’m not suggesting that we force everyone to use a certificate.  But if you have one, why not give you the choice?  My reasons are the following:

1) Security
2) Convenience
3) It should be easy to enable…

You’re probably thinking that I’ve gone off the deep end, especially on that last point, but hear me out.  From an identity theft perspective you can’t beat certificate authentication since there is nothing exchanged in an authentication transaction for an attacker to steal.  So right away we’ve eliminated the password problem.

I happen to carry a portable PKI token around with me all the time.  It’s built into my Stealth MXP Portable Security device.  I can easily go to VeriSign, and for a small fee, obtain a digital ID (a PKI certificate) that I can install on my device and use within IE or a portable version of Firefox which happens to be installed on my device.  The whole setup is very convenient for me (I also use a finger swipe biometric instead of a password to unlock my device) but the real bonus is the security.  My private key is generated in FIPS validated hardware, it cannot be exported, and it is protected with strong authentication.  Absolutely no one is going to be able to access this private key without my willing participation.  So I have everything I need to make my web transactions secure and convenient.

This brings us to the third point.  My argument here is that the plumbing to make this grand scheme all happen is already in place and is just waiting to be turned on.  Certificates for client side SSL authentication are supported in all major browsers and enabling client side SSL authentication in the majority of deployed web servers (Apache and Microsoft) is as easy as a setting a check box.  I know that this perspective seems a bit naïve but we are talking about unmanaged credentials. This means that service providers don’t need to change very much.  They only need to associate your digital ID that you present (and prove that you own the private key) with your account and trust the authority that issued you the certificate.  I don’t see much of a difference from their current sign up process where you create your own ID and password.  Yes, I’m ignoring details like revocation lists and exceptions (how to handle my lost device, etc) but you get the idea.

If this were in place then I’d be very happy.  I could focus my worries instead on choosing a certificate authority that had a good identity proofing process to ensure that imposters cannot apply for digital IDs in my name.  I’d also be careful not to register to a Phishing site that might want to gather other personal information.

Sadly, this wish will probably never happen.  In the meantime, I don’t want to be a sitting duck while I wait for the next web Identity Metasystem to become adopted.  I’m willing to compromise.  Instead, I’ll wish for a portable password manager that uses my MXP device to carry and secure (and possibly generate) my web passwords.  At the very least, it gives me the equivalent of two-factor authentication (ownership of the device and authentication to it), portability, and it provides strong protection for my sensitive login information.  It’s a compromise but I’m confident that this wish can happen and I’m looking forward to reducing my web anxiety.

Unless you are a mathematician or a cryptologist, a technical description of how an encryption algorithm works can make your eyes glaze over.  So I thought I would do something that is both mildly educational and a little bit entertaining (see the challenge at the end of this blog entry).

I wrote a little crypto application that encrypts and decrypts graphical images.  The encryption algorithm (call it algorithm X) is “home-grown” and was designed to be visually appealing rather than secure.  I will use it to illustrate some weaknesses in its encryption and to highlight a couple of essential properties of a good crypto algorithm.

Algorithm X is a simple permutation of pixels in the image.  Each iteration or frame will permute the pixels a bit more.  The permutation rule is designed so that the pixels appear to move and collide with each other like billiard balls, which is what makes it visually appealing.  After many rounds the image becomes more scrambled and at some point you could say it is “encrypted”.  Simply running the rule in reverse decrypts the image.  The following shows the input and resulting images produced by running algorithm X and AES.

Figure 1: Input Image

Figure 2: Encrypted with Algorithm X

Figure 3: Encrypted with AES

With algorithm X you can still see some of the original information.  For example, you may notice that the color information has not changed and that the pixels are merely scrambled.  You can also still see some clustering of pixels around where the flag and FIPS logo were originally.  This is because the permutations are very local and it takes many “rounds” (frames) for the pixels to become dissipated.  AES does a much better job at diffusing the information very quickly and using the entire range of colors uniformly so there is no discernable pattern relating to the input.  In fact randomness of the output of an algorithm was one of the criteria used by NIST when selecting the AES algorithm.

That being said I could conceivably modify algorithm X to produce similar looking images to the AES version but that is no indication of security.  Looks are only skin deep and the real security of an algorithm is also determined by other factors such as the soundness of the mathematical implementation, and its resistance to cryptanalysis.  Even so, public algorithms also spend years of being in the public domain where they should survive the test of time.

But once again, Algorithm X was designed to be entertaining not secure, which brings us to the fun part of the discussion.  If you download the application (download link) you can try the encryption and decryption of the sample above.

Challenge:
In the Visual Crypto application there is a secret image that has been password protected.  To decrypt the message you will need the correct password.  Using the clues below you can construct the password (Tip: search our recent press releases and device literature on our web site for answers).

Clues:
1. The password is thirteen characters (all upper case)
2. The name of the security evaluation for the UK Government that the Stealth M550 is undergoing: (4)
3. Acronyms of the U.S. Government smart cards that can be used as authentication factors for MXI Security devices: (3 + 3)
4. Family of devices that combine secure storage, strong authentication, digital identity services, and management functions?  (3)

Have you heard the phrase “PC on a stick”?  Or maybe one of these: “desktop virtualization”, “boot from USB”, “application bubbles”, “portable desktop”.  What do they mean?  These phrases encapsulate some exciting developments happening with portable storage.  The last phrase, “portable desktop”, describes it the best for me and it pretty well means what it says.  It’s the ability to carry your computing environment around with you without carrying the machine.

The idea is that you no longer need “your” laptop to be productive when you are away from the office.  You just need “a” machine as long as it has an accessible USB port for you to plug your device into.  Either by rebooting the machine or running within a virtual machine, or an abstracted operating system, you have access to your full corporate desktop and operating environment “running from the stick”.  To be clear the OS does not actually run within the stick but uses the CPU of the host machine.  The trick is that nothing gets (or should get) installed on the host and ideally, no trace of the portable desktop remains once the device is removed.  In effect the machine becomes a monitor, keyboard and mouse while your USB device becomes the “C” drive. 

The concept of portable computing has been around for some time.  There’s been remote computing where you need to connect to a server to access your desktop, and we’ve had portable applications which may give you some productivity but needs to run within a non-trusted OS.  The large memory capacities that are now available in flash drive form factors are making it feasible to carry full blown operating systems such as Windows on a stick.

I can imagine a utopian world of portable desktops where there are public machines sprinkled around airports and coffee shops like wireless access points.  People could use them with their own computing environments that they carry on flash drives – no need to carry a laptop anymore.  Perhaps this may never happen but in the corporate environment the scenario could be very real.  The IT department would manage desktops on USB sticks instead of managing the machines.  Not only that, but employees could also work from home using their own computers. 

With the right portable desktop implementation even that uncontrolled, malware infected machine that the kids use to play video games could be used and the IT department wouldn’t care.  It is easiest to understand how this is possible by looking at a “boot from USB” portable desktop as an example.  When you reboot the machine from USB you take full control since the hard disk of the host machine isn’t even used.  Provided the portable desktops are fully managed, the organization still has full control over the employee’s computing environment.

If you are seriously contemplating deploying portable desktops here is a list of essential security requirements to look for in a solution:

• The USB devices are fully managed
• No trace of information is left on the host.
• No data can leak from the portable desktop to the host machine.
• No malicious code residing on the host machine can access the portable desktop
• The desktop is fully encrypted (or at least the sensitive parts)
• Strong user authentication is required to access the encrypted desktop
• The desktop is not accessible unless it is actually running. 

That last point is worth an interesting final note.  It implies that you should not be able to see or manipulate the desktop data just by plugging the USB device into a machine (even after authenticating to the device).  Otherwise you would have an exposure to corporate data leaking from the desktop or malicious code infecting the desktop in an uncontrolled environment.  Think of it behaving like an internal hard disk of a PC when it is turned off.  This is contrary to a flash drive’s normal operation, which is to allow data to be transferred on and off.  It looks like a flash drive, but it’s not acting like one…