Why You Shouldn’t Have a Database of Passwords

December 14th, 2010 Larry Hamid Posted in Authentication, Device Management No Comments »

Have you ever forgotten a password for some service that you’ve signed up for and then needed to click on the “forgot my password” link? After providing some identifying information and perhaps answering some challenges, you’ll have your password reset.

I’ve seen the password reset operation (that last step) happen a few different ways:

· You’ll be asked to type in a new password and confirmation
· You’ll be sent a new password from the service
· The service will send you your forgotten password – *OUCH*

Why does the last method hurt? Well, first of all it means that the service actually has a database of user passwords stored somewhere. A breach of that database will reveal your password to adversaries. But that’s OK because it’s only the password to the service so the damage will be limited… right?

You know as well as I do that this isn’t the case and the government is now painfully aware of it. The recent Gawker hack has compiled a collection of federal, state and local government email addresses and passwords for future attacks. The hackers know that many people use the same password for many different services as they were quoted (grammar intact) saying to their community – “These people more than likely use the same pass everywhere. Try to gain access to the @email STMP using the email/pass combination also google their email address to find other accounts on the inernet [sic] they may have and try their password with said accounts.” (see http://fcw.com/articles/2010/12/13/gawker-hack-may-put-government-workers-at-risk.aspx?s=fcwdaily_141210)

Even without being hacked, it is very disturbing to know that some service providers actually have access to your password and therefore also have your password to many other services. You might want to check the fine print on your online banking agreement and ask yourself whether they’d consider that you’ve “safeguarded” your banking password by giving it to someone else. Essentially that is what you are doing when such a service stores it in a database regardless of how carefully you protect it.

The practice of maintaining databases of user passwords is not limited to the security-ignorant web service provider. Shamefully, there are security device vendors out there that are doing the very same thing for their device recovery service. There is nothing special about a password to a USB device that makes it any less likely to be used for other things.

There is an easy test to figure out if your deployment of security devices has a password database on the back end. Just request a password reset and see what happens. If in the end you get your “forgotten” password sent to you, then the answer is clear. Your best course of action in this case is to change the password wherever it is used for other services and don’t use your device password for anything else that you really need protected.
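The following is an added example (not code from the original post or from MXI Security) showing why a service that stores passwords properly can only offer the first two reset methods above: it holds a salt and a one-way PBKDF2 hash per user, so the "send you your forgotten password" path has nothing to return. The in-memory user table and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "user database": per user it holds only a random salt
# and a PBKDF2-HMAC-SHA256 hash. The password itself is never written anywhere.
USERS: dict = {}
ITERATIONS = 600_000  # work factor; tune to your hardware


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(user: str, password: str) -> None:
    """Store a fresh salt and the one-way hash of the password."""
    salt = os.urandom(16)
    USERS[user] = {"salt": salt, "hash": _derive(password, salt)}


def verify_password(user: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(user)
    if rec is None:
        _derive(password, b"\x00" * 16)  # same cost for unknown users
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def reset_password(user: str) -> str:
    """Reset method 2 from the post: issue a brand-new random password.
    The old one cannot be returned because the store never had it."""
    new_password = secrets.token_urlsafe(12)
    set_password(user, new_password)
    return new_password


def recover_password(user: str) -> str:
    """Reset method 3 from the post is impossible over this store."""
    raise NotImplementedError("passwords are stored only as one-way hashes")


def breach_view(user: str) -> dict:
    """What an attacker who dumps the table sees: salt and hash, no password."""
    return dict(USERS[user])


if __name__ == "__main__":
    set_password("alice", "Hello")
    print(verify_password("alice", "Hello"), verify_password("alice", "hello"))
    print("after reset, new password is:", reset_password("alice"))
    print("breach reveals:", breach_view("alice"))
```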

For more related thoughts see my other post on web logins (http://www.mxisecurity.com/blog/cto/2009/10/21/how-about-opt-in-certificate-web-logins/)


Strong Private Keys and Cybercrime

November 12th, 2010 Larry Hamid Posted in Authentication, Online Banking No Comments »

In a previous blog “How about Opt-In Certificate Web Logins”, I made some passing remarks about key generation in hardware. I want to talk about this a bit more because it is really gaining relevance as identity theft and transaction fraud are becoming more rampant, especially in the online financial space.

First of all, what is key generation and why do we need it? Cryptography depends on keys, and keys need to come from somewhere. Key generation is the process of creating keys and usually involves random number generators, noise sources and algorithms that mash it all up into a big number that is as arbitrary and unpredictable as you can get. It’s like picking a card out of an astronomically huge deck of shuffled cards. Secure cryptography depends on these keys being kept secret, not guessable, and physically safe.

For lack of a better term I’m using “strong private keys” to encapsulate the following:

· Generated in hardware using an internal entropy source
· Protected by hardware
· Protected by strong user authentication
· Non-exportable

These properties apply when you generate keys in a device from MXI Security. The implications of such a generated key are the following:

· No one can guess the key
· No one can physically access the key
· No one can use the key except you (the device owner)
· No copy of the key exists anywhere else except in the device

This makes it an ideal key to use for identity verification and legally binding transactions, but it’s also a double-edged sword. On the one hand it really protects your identity (no one else can prove that they own the private key for the identity certificate), and on the other hand you have to be very careful how you use it (you can’t deny that it was you who used the key). The latter concept is often called “non-repudiation” in legal circles.

There are two things to watch out for. First, if an adversary is able to impersonate you and obtain a certificate (say from your bank) in your name then you are in trouble. Second, even if you are the legitimate owner of the key, an adversary might make you sign something you didn’t mean to (for example by modifying the software on your system to display one document but signing another).

Strong private keys are only half of the solution against cybercrime. To keep them from being used against you, the vetting process for applying for a digital identity should be extremely rigorous and robust against fraud, and the environment where the keys are being used has to be trustworthy.


Security of Multi-Factor Authentication

February 18th, 2010 Larry Hamid Posted in Authentication, Biometrics No Comments »

Since user authentication is the front line of security, the stronger it is the better. In this article I want to discuss multi-factor authentication and why it is stronger than just a single factor. Proving your identity involves using one or more of three possible factors:

• Knowledge (passwords, PINs, etc.)
• Possession (driver’s license, token, corporate badge, etc.)
• Being (biometric: face, finger, voice, retina, etc.)

You will likely come across conflicting opinions of whether one factor is better than another. For example some people might consider passwords better than biometrics while others will argue the opposite. But who is correct? Is there one factor that is better than all of the others?

The answer is that it really depends on what criteria you are using to measure the authentication mechanism against, and there are many dimensions to consider. For example you could compare biometrics and passwords with respect to accuracy, convenience, ability to share, presence of a live person, usability, susceptibility to replay attacks, and so on. Your choice of what is important will determine which single factor is better than another. Worse still, there can be variations even within a particular factor type. The following diagram illustrates this point.

In the plot above I have chosen convenience and accuracy as measures. You can see immediately that a complex password, say “%SPc_87snwi$”, is more accurate (harder to guess) than a simple password, like “Hello” but you pay the price in convenience. Similar trade-offs occur in biometric technologies. A retina scan is considered to be more accurate than voice recognition but you have to shine a light at the back of your eyeball to provide a sample which is quite a bit more invasive than speaking into a microphone. A DNA sample (using enough markers) is in theory orders of magnitude more accurate but you might have to wait a few days for the results, which I consider a huge inconvenience when logging into your workstation.

With only two measures, accuracy and convenience, there are valid arguments for favoring either factor over the other. Imagine the difficulty in deciding which mechanism is better when you consider a dozen or more different threats.

One thing to realize is that there are advantages and disadvantages to each factor of authentication. No single factor of authentication is perfect. What is interesting is that biometrics and passwords have some very complementary properties. That is, a weakness in one factor can actually be a strength of the other. This is what makes multi-factor authentication so compelling for security: the effect of combining them creates something much stronger than either factor on its own could possibly attain.

To illustrate this I have chosen a handful of security threats and highlighted the weaknesses and strengths of biometric, password and both combined. A red brick indicates that the method is vulnerable to the corresponding threat and a green brick means it is not.

I have deliberately selected software-based password authentication and a hardware-based (fingerprint) biometric as my two factors in order to more acutely demonstrate their complementary nature with respect to the list of threats. You can see that when they are combined, the resulting two-factor authentication is resistant to all of the listed threats.

If strong authentication is critically important to you, I highly recommend multi-factor authentication because it is, without a doubt, the best authentication security you can get.


The Security of Authentication

January 11th, 2010 Larry Hamid Posted in Authentication No Comments »

Given the recent news about a serious password security flaw (see http://www.syss.de/index.php?id=veroeffentlichungen&no_cache=1&L=1) found with some encrypted USB drives I thought it would be a good time to say a few things about authentication.

Let’s start with the very basics.  User authentication is the front line of security.  If authentication is weak, it doesn’t matter how strong your encryption is, or how impenetrable the hardware is that protects the encryption key.  If there is no authentication, there may as well be no encryption at all.  Authentication is the “key to the key” so to speak.

Since the authentication process itself manipulates sensitive information, such as passwords and biometric templates, it only makes sense that it occur in a trustworthy environment.  Even strong, multi-factor authentication becomes weakened and even defeated if the user’s credential information is compromised.  Your managed corporate desktop should be a trustworthy environment.  This is why entering a password to login to your domain normally isn’t a problem.  However the situation is drastically different for a secure flash drive.  Being a portable device, it can be exposed to many untrustworthy environments where malicious software may be capturing keystrokes or passwords in memory. 

The best place for the authentication to occur in such a device is within the hardware.  Of course the more secure the hardware the better.  Some people are suggesting that the FIPS certification is meaningless given that the recent security flaw is associated with FIPS validated devices.   There is nothing wrong with the FIPS process but it must be understood that it only deals with what happens inside the cryptographic boundary and there is much more to consider when looking at overall security (see this blog entry for some more insight http://www.mxisecurity.com/blog/cto/2008/07/14/fips-validated-is-more-than-a-check-box/).

At MXI Security we strive to deliver the best authentication technology in the industry.  Our portable devices are capable of password, biometric, and multi-factor authentication, all within the secure hardware environment of the device.  You can take these devices anywhere, but you will still need to be aware that key loggers can still be a threat as password entry is done from a keyboard.  It’s good practice to change your password to mitigate the efficacy of such attacks (we provide password rules to let you enforce such things as regular changes and restrictions on password reuse).

Since biometric authentication is done completely on the device, it is immune even to key loggers.  For those who want the strongest authentication possible, biometric and password authentication can be combined (2-factor) so that even a compromised password isn’t enough to break in.

If you are interested, I have other blog entries on authentication (see http://www.mxisecurity.com/blog/cto/2008/07/10/is-it-two-factor-or-three-factor-authentication/ and http://www.mxisecurity.com/blog/cto/2008/06/03/beware-of-biometric-images/).


How about Opt-In Certificate Web Logins?

October 21st, 2009 Larry Hamid Posted in Authentication 2 Comments »

Internet technology is fantastic, but I carry a certain level of anxiety which makes my web surfing less enjoyable.  The root cause of this anxiety is the fear that my personal information will be compromised.  The thought of my digital credentials being in the hands of an attacker is really quite disturbing.  Personally, I try to minimize my “web presence” so in a way I feel that this paranoia is actually healthy as it helps me maintain this goal.   However when I tally up all of the web logins I have, I realize that my presence is not as minimal as I’d thought.  What’s worse is that I don’t think I can remember all of the sites I’ve signed up to.

Have you ever wondered what kind of damage an attacker could do if they have your web credentials?  Here are some questions to consider if you care to measure your exposure.  How many web site logins do you have?  How strong are your passwords?  How many times do you reuse the same password for different sites?  Do you ever use the same password that you use as your login at work?  How many sites do you have accounts on that you can no longer remember?  Do you find yourself storing lists of user IDs and passwords so you can keep track of them?

We are taught by security professionals (and maybe common sense) that your passwords should be different for each web site, they should be complex, and you shouldn’t store them or write them down.  Obviously this isn’t practical and the problem has been recognized by the industry which has responded with new web identity paradigms such as OpenID, and InfoCard (a.k.a. CardSpace in Microsoft). 

These initiatives may take years to become widely adopted so what can we do in the meantime?  IE and Firefox offer one solution via password managers that they build into the browser.  They will remember your login credentials and automatically fill them into forms as required.   I don’t use these because I don’t trust having password vaults sitting on my machine where they are easily accessible and are ripe targets for attack (see http://www.securityfocus.com/infocus/1882 for a nice survey of password manager risks).

I have a wish.  Instead of passwords I’d like to use certificates to authenticate to all of these web sites that use self-managed credentials (i.e. the ones that let me pick my own user ID and password).  I’m not suggesting that we force everyone to use a certificate.  But if you have one, why not give you the choice?  My reasons are the following:

1) Security
2) Convenience
3) It should be easy to enable…

You’re probably thinking that I’ve gone off the deep end, especially on that last point, but hear me out.  From an identity theft perspective you can’t beat certificate authentication since there is nothing exchanged in an authentication transaction for an attacker to steal.  So right away we’ve eliminated the password problem.

I happen to carry a portable PKI token around with me all the time.  It’s built into my Stealth MXP Portable Security device.  I can easily go to VeriSign, and for a small fee, obtain a digital ID (a PKI certificate) that I can install on my device and use within IE or a portable version of Firefox which happens to be installed on my device.  The whole setup is very convenient for me (I also use a finger swipe biometric instead of a password to unlock my device) but the real bonus is the security.  My private key is generated in FIPS validated hardware, it cannot be exported, and it is protected with strong authentication.  Absolutely no one is going to be able to access this private key without my willing participation.  So I have everything I need to make my web transactions secure and convenient.

This brings us to the third point.  My argument here is that the plumbing to make this grand scheme all happen is already in place and is just waiting to be turned on.  Certificates for client side SSL authentication are supported in all major browsers, and enabling client side SSL authentication in the majority of deployed web servers (Apache and Microsoft) is as easy as setting a check box.  I know that this perspective seems a bit naïve, but we are talking about unmanaged credentials. This means that service providers don’t need to change very much.  They only need to associate the digital ID that you present (and prove that you own the private key for) with your account and trust the authority that issued you the certificate.  I don’t see much of a difference from their current sign up process where you create your own ID and password.  Yes, I’m ignoring details like revocation lists and exceptions (how to handle my lost device, etc.), but you get the idea.
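As an added example (not code from the original post or from MXI Security) of the server-side plumbing described above: a TLS context that makes the client certificate optional, plus the opt-in step that associates a verified certificate's issuer and serial number with an existing account, after which the certificate alone logs the user in. The trusted issuer name, the account table and the certificate dicts are constructed; the dict layout is the one Python's `SSLSocket.getpeercert()` returns.

```python
import ssl
from typing import Optional, Tuple

# Constructed for this example: a hypothetical issuing CA we decide to trust,
# and two accounts that were created the usual way (user ID and password).
TRUSTED_ISSUERS = {"Example Issuing CA"}
ACCOUNTS = {"alice": {"cert_id": None}, "bob": {"cert_id": None}}


def make_opt_in_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Server context where a client certificate is optional: clients that
    present one get it verified against the CA bundle, clients without one
    still connect and are sent to the ordinary password form."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_OPTIONAL
    if ca_bundle:
        ctx.load_verify_locations(ca_bundle)
    return ctx


def cert_identity(peercert: dict) -> Optional[Tuple[str, str]]:
    """Reduce a getpeercert() dict to (issuer CN, serial). The TLS layer has
    already checked the signature chain; here we only decide whom to trust."""
    if not peercert:
        return None  # no certificate was presented
    issuer = {k: v for rdn in peercert["issuer"] for (k, v) in rdn}
    issuer_cn = issuer.get("commonName")
    if issuer_cn not in TRUSTED_ISSUERS:
        return None  # valid chain, but not an authority we accept
    return (issuer_cn, peercert["serialNumber"])


def enroll_certificate(session_user: str, peercert: dict) -> bool:
    """Opt-in step, run inside a session already authenticated by password:
    bind the presented certificate to that account. Issuer+serial is unique
    per certificate, so it is the value we store; the public key stays with
    the user and no secret is ever written to the account table."""
    ident = cert_identity(peercert)
    if ident is None or session_user not in ACCOUNTS:
        return False
    if any(a["cert_id"] == ident for a in ACCOUNTS.values()):
        return False  # a certificate maps to at most one account
    ACCOUNTS[session_user]["cert_id"] = ident
    return True


def login_with_certificate(peercert: dict) -> Optional[str]:
    """Password-less login: return the account bound to this certificate."""
    ident = cert_identity(peercert)
    if ident is None:
        return None
    for user, acct in ACCOUNTS.items():
        if acct["cert_id"] == ident:
            return user
    return None  # trusted issuer, but nobody opted in with this certificate
```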

If this were in place then I’d be very happy.  I could focus my worries instead on choosing a certificate authority that had a good identity proofing process to ensure that imposters cannot apply for digital IDs in my name.  I’d also be careful not to register with a phishing site that might want to gather other personal information.

Sadly, this wish will probably never happen.  In the meantime, I don’t want to be a sitting duck while I wait for the next web Identity Metasystem to become adopted.  I’m willing to compromise.  Instead, I’ll wish for a portable password manager that uses my MXP device to carry and secure (and possibly generate) my web passwords.  At the very least, it gives me the equivalent of two-factor authentication (ownership of the device and authentication to it), portability, and it provides strong protection for my sensitive login information.  It’s a compromise but I’m confident that this wish can happen and I’m looking forward to reducing my web anxiety.


Is it Two-Factor or Three-Factor Authentication?

July 10th, 2008 Larry Hamid Posted in Authentication 1 Comment »

Some people may be confused when scanning MXI Security product literature. Sometimes we say that with Stealth MXP you get two-factor authentication and other times we say three-factor authentication. It is the same device so what is going on?

As a reminder, authentication consists of proving your identity using one or more of the following:

* Something you know (passwords, PINs, etc.)
* Something you own (driver’s license, token, corporate badge, etc.)
* Something you are (biometric: face, finger, voice, retina, etc.)

With Stealth MXP you have, on board, a biometric and/or a password to unlock the device, depending on the policy your administrator has set. For this discussion let’s assume that the policy is set to require a password and a biometric. That is definitely two-factor authentication. But isn’t the device itself considered a factor? After all, I own it, and that would make three factors, right?

The answer is it depends. If you are just accessing the files on the private drive then you are using two-factor authentication. However if you are using a piece of data on the device (such as a private key) to login to a system then that would be three-factor authentication. Authentication is about proving to another entity that you have a particular identity. If the device isn’t involved in this process, then it is not a factor.

Ownership is a tricky concept in authentication. In the digital world it can be somewhat abstract and mean owning a piece of data such as a cryptographic key, rather than something physical. This is how some solutions claim that a “software” token is two-factor authentication. In this case one factor (a password) is used to unlock the “token” before the correct result can be presented to an authentication server. Since the result depends on a computation based on the cryptographic key, ownership of this key is a factor. Of course storing this key in a hardware protected device is much better than storing the key in a file that is software protected.

On the other hand, pure hardware is not necessarily a strong factor of authentication. Consider the Startup Key option with Vista BitLocker drive encryption. Here the user must insert a USB flash drive containing the Startup key in order for the computer to boot. The problem is that anyone who finds (or steals) your laptop along with your USB Startup key immediately has access to decrypt your disk. Technically speaking this is authentication via ownership but it is very weak. Unfortunately BitLocker doesn’t allow password entry for USB flash drives. Your best bet for the Startup key option is to use a device like the Stealth MXP, where the key is protected by hardware with biometric authentication. By the way that happens to be two-factor authentication.

There are many examples of three-factor authentication that can be achieved with Stealth MXP today: logging into Citrix with RSA SecurID, “smart card” login to Microsoft Windows, and SSL client side authentication to web sites. In all these scenarios, there is a digital credential (an RSA SecurID token seed, or an RSA private key) owned by the user, securely stored in MXP hardware and protected with biometric and password access. Hope this makes things a little clearer.
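The software-token argument two paragraphs up (a password unlocks a stored key, and the server only ever sees a result computed from that key) and the token-seed case just mentioned, as an added example that is not code from the original post or from MXI Security or RSA: an RFC 4226 HOTP token whose seed is the "something you own" factor and whose PIN is the "something you know" factor. The seed is the RFC 4226 test-vector secret and the PIN, salt and server window are constructed; a real deployment would keep the seed in protected hardware rather than a Python object.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed inputs. TOKEN_SEED is the RFC 4226 test-vector secret, so the
# codes below can be checked against the RFC's own table.
TOKEN_SEED = b"12345678901234567890"
PIN_SALT = b"constructed-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"1234", PIN_SALT, 100_000)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SoftwareToken:
    """Client side: the seed is used only after the PIN checks out, so a
    correct code proves knowledge of the PIN and possession of the seed.
    The seed itself never leaves the token."""

    def __init__(self, seed: bytes, pin_salt: bytes, pin_hash: bytes) -> None:
        self._seed, self._pin_salt, self._pin_hash = seed, pin_salt, pin_hash
        self.counter = 0

    def generate(self, pin: str) -> Optional[str]:
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, 100_000)
        if not hmac.compare_digest(candidate, self._pin_hash):
            return None  # wrong PIN: the token stays locked, no code is computed
        code = hotp(self._seed, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Server side: shares the seed, tracks the counter, and accepts a code
    only within a small look-ahead window; a used counter is never accepted
    again, which is what defeats replay of a captured code."""

    def __init__(self, seed: bytes, window: int = 5) -> None:
        self._seed, self._window, self.counter = seed, window, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self._window):
            if hmac.compare_digest(hotp(self._seed, c), code):
                self.counter = c + 1  # advance past the counter just used
                return True
        return False


if __name__ == "__main__":
    token, server = SoftwareToken(TOKEN_SEED, PIN_SALT, PIN_HASH), AuthServer(TOKEN_SEED)
    print("wrong PIN ->", token.generate("0000"))
    code = token.generate("1234")
    print("code", code, "accepted:", server.verify(code), "replayed:", server.verify(code))
```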
