This post sets out the foundation concepts of strong authentication methods, ahead of their prospective implementation through the conversion of YubiRadius, a VMware appliance based on FreeRADIUS that implements OTP validation, to the Xen open source hypervisor.
Do we need strong authentication?
Bottom Line Up Front: YES
Rationale behind (the why)
Our passwords are the way computer systems assess our identity (the so-called Authentication bit of the AAA paradigm), so if we lose control of our passwords we lose control of our persona. Somebody else can impersonate us and act, in the IT realm, with the privileges we have. No need to tell you this is no good. Identity theft is a reality in the real world (and apparently it is easier in the US than in Europe); in cyberspace it is even easier.
The best identification systems are based on three factors:
Something you know is in your brain and cannot be physically lost. This is, for example, the PIN of your ATM card, or the username (the non-secret part of your access credentials) and password (the secret).
It goes without saying that writing the PIN of your ATM card on a piece of paper in your wallet, or the password on a note under the keyboard, defeats the property of not being able to lose the secret.
Obviously I am not taking into consideration extraction of the information by means of torture or interrogation under drugs; if those are the methods to consider, you are looking in the wrong place for your security…
Something you have allows you to identify yourself to a policeman (your driver's license) or to a machine (your ATM card). This piece of ID is worthless (or maybe counterproductive) if it is not in the database: the policeman checking your driver's license might not be very happy (and you less so) if the number is not in the Department of Transportation database, and the ATM will probably retain your fake card. Having such an item lets you maintain control over accesses (without the ATM card you cannot operate the ATM), but the problem is cloning: if you allow the card to be copied (swiping the card is enough to copy an ATM card) you have lost the uniqueness of your ID, and somebody else can impersonate you and empty your account (if they know your PIN). So card manufacturers are now putting chips in the cards that use a cryptographic function or a challenge-response algorithm to prevent easy card duplication.
Something you are is the third part of the authentication: your retina image, your fingerprints, and someday maybe something else like your (live) DNA or brainwaves, who knows…
One Time Password
One-time passwords are the equivalent of something you have when you have to use it across the network: the device used to generate the one-time password is the item you hold. There are different ways in which these tokens work. Some use a cryptographic function that generates the codes from a clock that has to be synchronized between the authentication server and the token; some generate an authentication code from a challenge string sent by the server; others generate an ordered sequence in which using a code invalidates all the preceding ones.
The tokens also vary in how they present the code: some show it on a display, some interface by radio frequency with proximity readers, and some emulate a keyboard and type the code directly into the input field.
The use of multiple factors is recommended, and at least two should be the norm for any critical system.
Wait a minute! How do you access your PayPal account? Well, not critical, you might say: you just use it for sending money… But you get the idea.
So in recent times we have started seeing fingerprint readers on laptops, and you can enable them to grant access only to the registered user who authenticates with username and password plus the right fingerprint (you did enable it, right?)
Increased security goes along with reduced usability or more complex procedures: the system has to be simple enough to overcome the user base's resistance to its implementation.
We are so used to having to input username and password that we do it automatically when requested, and failure to access the protected resource is easily blamed on a server problem. But what if the form we filled in was a phishing scam? Or what if, in the cybercafe we had been using, a not so scrupulous owner had installed a keylogger (a nice piece of software that copies all keystrokes to a file) on its machines? Or, even better, in a nice WiFi area somebody captures all the traffic on the air to decipher and analyze it for interesting and valuable bits like passwords?
Using simply username and password, we are vulnerable to the replay of passwords captured on the network. With an OTP, the password becomes invalid at the very moment it is used for access, which means a captured one is worthless for accessing the protected resource.
Using username and password in addition to OTP authentication effectively implements a multi-factor authentication system. To get into your resource an attacker now has to steal the token, know which user it is associated with, and also know that user's password.
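As an added illustration (not the author's code, nor YubiRadius's implementation) of the sequence-based tokens described above and of why a captured OTP cannot be replayed, here is a minimal server-side validator in Python using the HOTP algorithm of RFC 4226 with its published test secret; the look-ahead window of 5 is an assumed configuration value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to a decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpValidator:
    """Server-side state for one token: the next counter value it will accept."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead  # assumed: tolerate a few codes generated but never submitted
        self.next_counter = 0

    def validate(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                # Accepting counter c invalidates c and every earlier value,
                # so a code captured on the wire cannot be replayed.
                self.next_counter = c + 1
                return True
        return False


def replay_demo() -> dict:
    """Show that a captured code works exactly once and is then rejected."""
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    server = OtpValidator(secret)
    captured = hotp(secret, 0)  # the code an eavesdropper might sniff
    return {
        "first_use": server.validate(captured),
        "replay": server.validate(captured),
        "next_code": server.validate(hotp(secret, 1)),
    }


if __name__ == "__main__":
    print(replay_demo())
```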
The system so designed is secure (with user education: keep the password in your mind…), so secure that it is used by banks, financial institutions and big organizations to secure access to their IT infrastructures. Since security is paramount for these organizations, the IT budget behind controlling access is respectable. But what if a Small Office / Home Office wants to implement this kind of security to control access?
Good news: while banks and other institutions use expensive, proprietary hardware and software running on dedicated servers, there are solutions that use multiple factors in your authentication scheme and cost as little as nothing per user plus a usage fee on the servers, or maybe nothing on the servers and as little as $25 per user.
A couple of months ago I was looking for such a solution to protect access to my home network, which is reachable from the Internet through SSL and IPsec VPNs. I found a very good and strong solution, and I will share with you, in a series of posts, how I implemented this kind of security solution, including access server configuration and network design.
Hope to read from you… feedback and suggestions welcome.