Security of Multi-Factor Authentication

February 18th, 2010 Larry Hamid Posted in Authentication, Biometrics

Since user authentication is the front line of security, the stronger it is the better. In this article I want to discuss multi-factor authentication and why it is stronger than just a single factor. Proving your identity involves using one or more of three possible factors:

• Knowledge (passwords, PINs, etc.)
• Possession (driver’s license, token, corporate badge, etc.)
• Being (biometric: face, finger, voice, retina, etc.)

You will likely come across conflicting opinions about whether one factor is better than another. For example, some people consider passwords better than biometrics while others argue the opposite. But who is correct? Is there one factor that is better than all of the others?

The answer is that it really depends on what criteria you measure the authentication mechanism against, and there are many dimensions to consider. For example, you could compare biometrics and passwords with respect to accuracy, convenience, ability to share, presence of a live person, usability, susceptibility to replay attacks, and so on. Your choice of what is important determines which single factor comes out ahead. Worse still, there can be large variations within a single factor type. The following diagram illustrates this point.

In the plot above I have chosen convenience and accuracy as the two measures. You can see immediately that a complex password, say “%SPc_87snwi$”, is more accurate (much harder to guess) than a simple password like “Hello”, but you pay the price in convenience. Similar trade-offs occur in biometric technologies. A retina scan is considered more accurate than voice recognition, but you have to shine a light at the back of your eyeball to provide a sample, which is quite a bit more invasive than speaking into a microphone. A DNA sample (using enough markers) is in theory orders of magnitude more accurate still, but you might have to wait a few days for the results, which I consider a huge inconvenience when logging into your workstation.

With only two measures, accuracy and convenience, there are valid arguments for favoring either factor over the other. Imagine the difficulty in deciding which mechanism is better when you consider a dozen or more different threats.

One thing to realize is that every factor of authentication has advantages and disadvantages. No single factor is perfect. What is interesting is that biometrics and passwords have some very complementary properties: a weakness in one factor is often a strength of the other. This is what makes multi-factor authentication so compelling for security. An attacker has to defeat both factors at once, so the combination is much stronger than either factor on its own could possibly attain.

To illustrate this I have chosen a handful of security threats and highlighted the weaknesses and strengths of biometric, password and both combined. A red brick indicates that the method is vulnerable to the corresponding threat and a green brick means it is not.

I have deliberately selected software-based password authentication and a hardware-based (fingerprint) biometric as my two factors in order to more acutely demonstrate their complementary nature with respect to the list of threats. You can see that when they are combined, the resulting two-factor authentication is resistant to all of the listed threats.

If strong authentication is critically important to you, I highly recommend multi-factor authentication because it is, without a doubt, the best authentication security you can get.


The Security of Authentication

January 11th, 2010 Larry Hamid Posted in Authentication

Given the recent news about a serious password security flaw found in some encrypted USB drives (see http://www.syss.de/index.php?id=veroeffentlichungen&no_cache=1&L=1), I thought it would be a good time to say a few things about authentication.

Let’s start with the very basics.  User authentication is the front line of security.  If authentication is weak, it doesn’t matter how strong your encryption is, or how impenetrable the hardware is that protects the encryption key.  If there is no authentication, there may as well be no encryption at all.  Authentication is the “key to the key” so to speak.

Since the authentication process itself manipulates sensitive information, such as passwords and biometric templates, it only makes sense that it occur in a trustworthy environment.  Even strong, multi-factor authentication is weakened, and can be defeated outright, if the user’s credential information is compromised.  Your managed corporate desktop should be a trustworthy environment, which is why entering a password to log in to your domain normally isn’t a problem.  The situation is drastically different for a secure flash drive.  Being a portable device, it is exposed to many untrustworthy environments where malicious software may be capturing keystrokes or reading passwords out of memory.

The best place for the authentication to occur in such a device is within the hardware, and the more secure the hardware, the better.  The flaw SySS reported is a case in point: the drives’ host-side software verified the password and then sent the same fixed unlock value to the hardware no matter what the user had typed, so a patched client could open the drive without knowing the password at all.  Some people are suggesting that FIPS certification is meaningless given that the flaw was found in FIPS validated devices.  There is nothing wrong with the FIPS process, but it must be understood that validation only covers what happens inside the cryptographic boundary.  In this case the password check lived in software outside that boundary, and there is much more to consider when looking at overall security (see this blog entry for more insight: http://www.mxisecurity.com/blog/cto/2008/07/14/fips-validated-is-more-than-a-check-box/).

At MXI Security we strive to deliver the best authentication technology in the industry.  Our portable devices are capable of password, biometric, and multi-factor authentication, all within the secure hardware environment of the device.  You can take these devices anywhere, but you still need to be aware that key loggers remain a threat because password entry is done from the host keyboard.  Changing your password regularly limits how long a captured password remains useful (we provide password rules that let you enforce such things as regular changes and no reuse of old passwords).

Since biometric authentication is done completely on the device, no keystroke carries the credential and a key logger on the host captures nothing useful.  For those that want the strongest authentication possible, biometric and password authentication can be combined (2-factor) so that even a compromised password isn’t enough to break in.

If you are interested, I have other blog entries on authentication (see http://www.mxisecurity.com/blog/cto/2008/07/10/is-it-two-factor-or-three-factor-authentication/ and http://www.mxisecurity.com/blog/cto/2008/06/03/beware-of-biometric-images/).

 


How about Opt-In Certificate Web Logins?

October 21st, 2009 Larry Hamid Posted in Authentication

Internet technology is fantastic, but I carry a certain level of anxiety which makes my web surfing less enjoyable.  The root cause of this anxiety is the fear that my personal information will be compromised.  The thought of my digital credentials being in the hands of an attacker is really quite disturbing.  Personally, I try to minimize my “web presence” so in a way I feel that this paranoia is actually healthy as it helps me maintain this goal.   However when I tally up all of the web logins I have, I realize that my presence is not as minimal as I’d thought.  What’s worse is that I don’t think I can remember all of the sites I’ve signed up to.

Have you ever wondered what kind of damage an attacker could do if they have your web credentials?  Here are some questions to consider if you care to measure your exposure.  How many web site logins do you have?  How strong are your passwords?  How many times do you reuse the same password for different sites?  Do you ever use the same password that you use as your login at work?  How many sites do you have accounts on that you can no longer remember?  Do you find yourself storing lists of user IDs and passwords so you can keep track of them?

We are taught by security professionals (and maybe common sense) that our passwords should be different for each web site, they should be complex, and we shouldn’t store them or write them down.  Obviously this isn’t practical, and the problem has been recognized by the industry, which has responded with new web identity paradigms such as OpenID and InfoCard (a.k.a. Microsoft’s CardSpace).

These initiatives may take years to become widely adopted, so what can we do in the meantime?  IE and Firefox offer one solution via the password managers built into the browser.  They remember your login credentials and automatically fill them into forms as required.  I don’t use these because I don’t trust having password vaults sitting on my machine where they are easily accessible and are ripe targets for attack (see http://www.securityfocus.com/infocus/1882 for a nice survey of password manager risks).

I have a wish.  Instead of passwords I’d like to use certificates to authenticate to all of these web sites that use self-managed credentials (i.e. the ones that let me pick my own user ID and password).  I’m not suggesting that we force everyone to use a certificate.  But if you have one, why not give you the choice?  My reasons are the following:

1) Security
2) Convenience
3) It should be easy to enable…

You’re probably thinking that I’ve gone off the deep end, especially on that last point, but hear me out.  From an identity theft perspective you can’t beat certificate authentication, because nothing reusable is exchanged in an authentication transaction: the client sends its certificate, which is public, plus a signature over data specific to that one TLS handshake, so an attacker who captures the exchange has nothing to replay against the site, and the private key never leaves the device.  So right away we’ve eliminated the password problem.

I happen to carry a portable PKI token around with me all the time.  It’s built into my Stealth MXP Portable Security device.  I can easily go to VeriSign, and for a small fee, obtain a digital ID (a PKI certificate) that I can install on my device and use within IE or a portable version of Firefox which happens to be installed on my device.  The whole setup is very convenient for me (I also use a finger swipe biometric instead of a password to unlock my device) but the real bonus is the security.  My private key is generated in FIPS validated hardware, it cannot be exported, and it is protected with strong authentication.  Absolutely no one is going to be able to access this private key without my willing participation.  So I have everything I need to make my web transactions secure and convenient.

This brings us to the third point.  My argument here is that the plumbing to make this grand scheme happen is already in place and is just waiting to be turned on.  Certificates for client side SSL authentication are supported in all major browsers, and enabling client side SSL authentication in the majority of deployed web servers (Apache and Microsoft IIS) is as easy as setting a check box.  I know that this perspective seems a bit naïve, but we are talking about unmanaged credentials.  This means that service providers don’t need to change very much.  They only need to associate the digital ID you present (after you prove that you own the private key) with your account, and trust the authority that issued you the certificate.  The one thing to get right is to bind the account to the certificate itself (its fingerprint or public key) rather than to the name inside it, since any other trusted authority could issue a certificate carrying the same name.  I don’t see much of a difference from their current sign up process where you create your own ID and password.  Yes, I’m ignoring details like revocation lists and exceptions (how to handle my lost device, etc.) but you get the idea.
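As an added example (not code from the original post or from MXI Security), here is the scheme above end to end in Go using only the standard library: a constructed CA stands in for the public certificate authority, the site is an httptest TLS server configured to request but not require a client certificate (the opt-in case), and the account table is keyed by certificate fingerprint. The CA, the user names and the accounts are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue returns a P-256 key and certificate for cn: a self-signed CA when parent is
// nil (a constructed stand-in for the public CA in the post), else a client-auth leaf.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return cert, key
}

// fingerprint is what the site stores per account: SHA-256 of the DER certificate, which
// pins the account to this exact certificate and key, not to a name another CA could issue.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// login is the browser side: offer is presented if the server asks for a client
// certificate; nil means the user has none and expects the password form instead.
func login(srv *httptest.Server, offer *tls.Certificate) (int, string) {
	tr := srv.Client().Transport.(*http.Transport).Clone()
	if offer != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{*offer}
	}
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	check(err)
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body)
}

// Demo stands up the site and tries three logins: the enrolled certificate,
// no certificate (the opt-in case), and a valid but never-enrolled certificate.
func Demo() (enrolled, none, stranger int, body string) {
	ca, caKey := issue("Constructed Demo CA", nil, nil)
	larryCert, larryKey := issue("larry", ca, caKey)
	otherCert, otherKey := issue("someone else", ca, caKey)
	// Service-provider side: sign-up bound Larry's certificate to his account.
	accounts := map[string]string{fingerprint(larryCert): "larry"}
	site := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// TLS has already checked that the client signed this handshake with the key
		// for the certificate it sent and that the certificate chains to ClientCAs.
		if len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "no client certificate; use the password form", http.StatusUnauthorized)
			return
		}
		account, ok := accounts[fingerprint(r.TLS.PeerCertificates[0])]
		if !ok {
			http.Error(w, "certificate not enrolled", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "welcome %s", account)
	})
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	srv := httptest.NewUnstartedServer(site)
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: trusted} // opt-in
	srv.StartTLS()
	defer srv.Close()

	enrolled, body = login(srv, &tls.Certificate{Certificate: [][]byte{larryCert.Raw}, PrivateKey: larryKey})
	none, _ = login(srv, nil)
	stranger, _ = login(srv, &tls.Certificate{Certificate: [][]byte{otherCert.Raw}, PrivateKey: otherKey})
	return
}
```

The enrolled certificate is welcomed (200), a client with no certificate is sent to the password form (401), and a certificate from the same trusted CA that was never enrolled is refused (403). That last case is the check a practitioner wants: trusting the issuer is necessary, but the binding of fingerprint to account is what actually authorizes, and it is what makes a same-name certificate from another authority useless.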

If this were in place then I’d be very happy.  I could focus my worries instead on choosing a certificate authority that had a good identity proofing process to ensure that imposters cannot apply for digital IDs in my name.  I’d also be careful not to register to a Phishing site that might want to gather other personal information.

Sadly, this wish will probably never happen.  In the meantime, I don’t want to be a sitting duck while I wait for the next web Identity Metasystem to become adopted.  I’m willing to compromise.  Instead, I’ll wish for a portable password manager that uses my MXP device to carry and secure (and possibly generate) my web passwords.  At the very least, it gives me the equivalent of two-factor authentication (ownership of the device and authentication to it), portability, and it provides strong protection for my sensitive login information.  It’s a compromise but I’m confident that this wish can happen and I’m looking forward to reducing my web anxiety.

 


Is it Two-Factor or Three-Factor Authentication?

July 10th, 2008 Larry Hamid Posted in Authentication

Some people may be confused when scanning MXI Security product literature. Sometimes we say that with Stealth MXP you get two-factor authentication and other times we say three-factor authentication. It is the same device so what is going on?

As a reminder, authentication consists of proving your identity using one or more of the following:

* Something you know (passwords, PINs, etc.)
* Something you own (driver’s license, token, corporate badge, etc.)
* Something you are (biometric: face, finger, voice, retina, etc.)

With Stealth MXP you have, on board, a biometric and/or a password to unlock the device, depending on the policy your administrator has set. For this discussion let’s assume that the policy requires both a password and a biometric. That is definitely two-factor authentication. But isn’t the device itself considered a factor? After all, I own it, and that would make three factors, right?

The answer is it depends. If you are just accessing the files on the private drive then you are using two-factor authentication. However if you are using a piece of data on the device (such as a private key) to login to a system then that would be three-factor authentication. Authentication is about proving to another entity that you have a particular identity. If the device isn’t involved in this process, then it is not a factor.

Ownership is a tricky concept in authentication. In the digital world it can be somewhat abstract and mean owning a piece of data, such as a cryptographic key, rather than something physical. This is how some solutions claim that a “software” token is two-factor authentication. In this case one factor (a password) is used to unlock the “token” before the correct result can be presented to an authentication server. Since the result depends on a computation based on the cryptographic key, ownership of that key is the second factor. Of course storing this key in a hardware protected device is much better than storing it in a software protected file: a file can be copied and the password guessed offline at the attacker’s leisure, whereas hardware can refuse to give up the key and lock out after a few wrong attempts.

On the other hand, pure hardware is not necessarily a strong factor of authentication. Consider the Startup Key option with Vista BitLocker drive encryption. Here the user must insert a USB flash drive containing the Startup key in order for the computer to boot. The problem is that anyone who finds (or steals) your laptop along with your USB Startup key immediately has everything needed to decrypt your disk. Technically speaking this is authentication via ownership, but it is very weak. Unfortunately BitLocker doesn’t allow password entry for USB flash drives. Your best bet for the Startup key option is to use a device like the Stealth MXP, where the key is protected by hardware with biometric authentication. By the way, that happens to be two-factor authentication.
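As an added example (not code from the original post or from MXI Security), here is the “software token” from the paragraph before last written in Go with only the standard library: the private key is stored only wrapped under a password-derived key with AES-256-GCM, the server issues a fresh challenge for each attempt, and it verifies an ECDSA signature over that challenge against the public key enrolled for the user. The password, the challenges and the key are constructed for the demo, and the PBKDF2 derivation is written out by hand rather than pulled from an external module.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}
func random(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}

// Token is the "software token": the private key exists only wrapped under AES-256-GCM
// with a password-derived key, so the blob (possession) needs the password (knowledge).
type Token struct{ Salt, Nonce, Wrapped []byte }

// wrapper derives the wrapping key with PBKDF2-HMAC-SHA256 (RFC 8018, one 32-byte
// block, 100000 iterations, written out to stay within the standard library).
func wrapper(password string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // neither call can fail for a 32-byte AES key
	aead, _ := cipher.NewGCM(block)
	return aead
}

// NewToken generates the credential and wraps it; the server gets only the public key.
func NewToken(password string) (Token, *ecdsa.PublicKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	der, _ := x509.MarshalECPrivateKey(key) // cannot fail for a fresh P-256 key
	t := Token{Salt: random(16), Nonce: random(12)}
	t.Wrapped = wrapper(password, t.Salt).Seal(nil, t.Nonce, der, nil)
	return t, &key.PublicKey
}

// Unlock is the knowledge factor: a wrong password fails the GCM tag check, so the
// caller gets an error, never a wrong key that would silently sign.
func (t Token) Unlock(password string) (*ecdsa.PrivateKey, error) {
	der, err := wrapper(password, t.Salt).Open(nil, t.Nonce, t.Wrapped, nil)
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(der)
}

// Respond proves possession of the unlocked key over this challenge only.
func Respond(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return sig
}

// Verify is the server-side check against the public key enrolled for the user.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Demo: right password; stolen blob plus a guessed password; captured response replayed.
func Demo() (goodLogin, wrongPasswordFails, replayRejected bool) {
	token, pub := NewToken("correct horse battery staple") // constructed demo password
	c1 := random(32)                                       // fresh server challenge
	key, err := token.Unlock("correct horse battery staple")
	check(err)
	sig := Respond(key, c1)
	goodLogin = Verify(pub, c1, sig)
	_, err = token.Unlock("password1") // attacker has the blob and guesses the password
	wrongPasswordFails = err != nil
	c2 := random(32) // next attempt: eavesdropper replays sig against a new challenge
	replayRejected = !Verify(pub, c2, sig)
	return
}
```

Demo shows the three outcomes the text cares about: password plus blob logs in; the blob with a guessed password fails at the GCM tag check before anything is signed; and a response captured on the wire is useless against the next challenge. What the example cannot do is stop an attacker who copied the blob from guessing passwords offline as fast as the KDF allows, which is the gap the text's hardware protection closes, and the BitLocker Startup Key above is the same key sitting on the stick with no wrapping at all.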

There are many examples of three-factor authentication that can be achieved with Stealth MXP today: logging into Citrix with RSA SecurID, “smart card” login to Microsoft Windows, and SSL client side authentication to web sites. In all these scenarios there is a digital credential (an RSA SecurID token seed, or an RSA private key) owned by the user, securely stored in MXP hardware and protected with biometric and password access. Hope this makes things a little clearer.
