Preventing Security Breaches by Eliminating the Need to Transmit

WHITE PAPER | AUGUST 2014
Preventing Security Breaches
by Eliminating the Need to
Transmit and Store Passwords
2 | WHITE PAPER: PREVENTING SECURITY BREACHES
Table of Contents
Preventing Security Breaches by Eliminating the Need to Store Passwords
Additional Resources
Conclusion
Don’t Become the Next Headline
It seems like every day we see in the news that another breach has occurred. In fact, the New York
Times recently reported on a security breach that involved over a billion online account passwords.
Why does this keep happening? One reason is that many websites continue to use simple passwords
for authentication and choose to store them as hashes. Another reason is that identity theft and
fraud are big business.
According to a Ponemon study¹, U.S. organizations experienced the highest total average cost at more
than $5.4 million for a data breach. Part of the reason for this is that, according to this study,
U.S. companies had data breaches that resulted in the greatest number of exposed and
compromised records. This is a real monetary cost, but the cost to your brand and customer confidence
can have an even bigger impact on your business.
Make the “Breachable” Unbreachable
What would happen if hackers got hold of the database of credentials, but discovered that it didn’t
contain any passwords that were hashed or encrypted? Implementing CA Advanced Authentication can
help solve the problem of compromised passwords. The strong authentication credentials help prevent
security breaches by eliminating the password hash file, thus making the “breachable” unbreachable.
Why Passwords Are Susceptible to Attacks
One attack point for a security breach is the stored repository of passwords, for example, the
password hash file. Common practice is to protect passwords using hash algorithms. But the
databases where they are stored are still the subject of many successful hacks, using “brute force”
to reveal the passwords. Many brute-force attacks exist today that can decode these files in a realistic
amount of time. The continued use of simple passwords for authentication, stored as hashes (often with
added “salt” for extra protection), makes these attacks possible.
Hashing turns a bit of data, like your password, into another bit of data that looks random or
unrecognizable. For example, the password “MiloPug,” when hashed, might become
“xh^21hdgXEOUD76@%@d”. Hashing is one-way. It’s easy to create the hash from the original text
but impossible to start with the hash and get back to the original text. While there’s no algorithm to
reverse a good hash function, its output can be attacked using brute-force techniques. Given current
advanced hacking techniques, this is not so hard to accomplish.
Preventing Security Breaches by Eliminating the
Need to Store Passwords
The concept is simple. Many systems today authenticate by comparing the hash of the user’s entered
password to the hash value that they have stored on their server. CA Technologies takes a different
approach and does not store the password anywhere, not even as a hash. Using patented
“cryptographic camouflage” (U.S. Patent 6,170,058), CA Advanced Authentication uses the password
to protect or “lock” a secret key. The protected key is sent to the browser or application from the
server, where it is unlocked using the password. The unlocked key then is used to sign a random
challenge, with the resulting signature sent back to the server. The password and unlocked key only
appear briefly in memory at the browser.
Camouflage technology ensures that the protected key, if obtained by an attacker, cannot be
unlocked. Because the password is only stored permanently in the user’s mind, there is no password
file for the attacker to steal. The password is used during the credential creation and the
authentication process, but is never stored anywhere. It is not stored in a repository. It is not stored
on the client. It is not stored anywhere that hackers could target.
How CA Advanced Authentication Works
As part of the enrollment process, the end user is asked to select a PIN or password when they set up
the CA Auth ID. Each end user is assigned a key pair, consisting of a private key and a public key.
Using patented cryptographic camouflage technology from CA, the private key is camouflaged based
on the user’s PIN or password. Camouflage is a way of protecting data, based on standard encryption
algorithms, that prevents brute-force attacks. The effect of this process is that decryption, even using
an incorrect password, will always produce a result that, while looking correct to the attacker, will not
produce a valid signature. This is detected by the server when the signature is returned.
In the case of a simple six-character password (using letters, numbers and ten special characters), a
brute-force attack on a camouflaged key will produce 72^6 = 139,314,069,504 plausible keys. Only
one of these will generate a valid signature, and the attacker has nothing to indicate which one it
is—they all look equally valid. The attacker has no recourse but to try the keys individually by sending
signatures to the server—that is, by trying to authenticate. After a few failures the server will detect
the attack.
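The mechanism described in this section, sketched as an added example (not CA's code or the patented algorithm): the private key is masked with a password-derived pad so every guess unlocks to an in-range key, and only the server's signature check, backed by a failure counter, tells the guesses apart. The group parameters, function names and the lockout threshold of 3 are assumptions made for illustration.

```python
import hashlib, secrets

# Toy parameters (assumption of this example, not CA's): arithmetic in Z_p^*
# with p = 2^255 - 19; exponents are reduced mod N = p - 1. Illustration only.
P = 2**255 - 19
N = P - 1
G = 2

def _mask(password, salt):
    """Password-derived pad; every password maps to some value in [0, N)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return int.from_bytes(raw, "big") % N

def enroll(password):
    """Return (camouflaged credential, verification key held only by the server)."""
    x = secrets.randbelow(N - 1) + 1          # private key
    salt = secrets.token_bytes(16)
    return {"salt": salt, "blob": (x + _mask(password, salt)) % N}, pow(G, x, P)

def unlock(cred, password):
    """Never fails: there is no padding, checksum or header to test a guess against."""
    return (cred["blob"] - _mask(password, cred["salt"])) % N

def _e(r, challenge):
    digest = hashlib.sha256(r.to_bytes(32, "big") + challenge).digest()
    return int.from_bytes(digest, "big") % N

def sign(x, challenge):
    """Schnorr-style signature (r, s) over the server's random challenge."""
    k = secrets.randbelow(N - 1) + 1
    r = pow(G, k, P)
    return r, (k + _e(r, challenge) * x) % N

class Server:
    """Stores no password or hash; counts failed signatures to catch guessing."""
    def __init__(self, verify_key, max_failures=3):
        self.y, self.failures, self.max_failures = verify_key, 0, max_failures

    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify(self, sig):
        if self.failures >= self.max_failures:
            return False                      # locked out: online guessing detected
        r, s = sig
        ok = pow(G, s, P) == r * pow(self.y, _e(r, self.nonce), P) % P
        self.failures = 0 if ok else self.failures + 1
        return ok
```

The sketch assumes the verification key and the signatures are seen only by the server; if either were exposed, a guessed key could be checked without contacting the server.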
This diagram shows how CA Advanced Authentication uses a password but doesn’t pass it to the
server or need to validate it against a password repository.
The Technology that Enables the Solution
The CA Auth ID credential is available to anyone who asks for it by username—even bad guys. The
bad guys can’t use it because they can’t brute force the key, so it does them no good. The ID is
provided by the server at login time, so it can work from any device, anywhere. It works on any
device with a browser that has JavaScript® and can work with any mobile app developed using our
software development toolkit (SDK).
The user sees no changes to the existing enrollment process, “forgot your password” (FYP) steps or other
password flows. Any existing risk and secondary authentication processes are preserved. Login flows and
the familiar login sequence (single page or double page) remain unchanged. Users can be migrated
“behind the scenes” from their current credentials to these “look alike, yet protected” credentials.
While the CA Auth ID can also be used for meeting two-factor authentication compliance requirements,
this implementation uses the proven credential to eliminate the organization’s need to create,
manage and secure a password database. In doing so, it removes the most attractive attack vector
for hackers: large credential repositories that are vulnerable to brute force.
Benefits of CA Advanced Authentication include:
• Immunizes against server-side hash file attacks
• Protects from man-in-the-middle attacks that occur when passwords are transmitted
• Keeps the familiar username/password login process
• Reduces the need for password complexity and storage
• Works with a variety of risk-based solutions
• Works on any browser or device. No client footprint required. Simple SDK for mobile apps.
Conclusion
The CA Advanced Authentication suite of products can help keep an organization’s name out of
the headlines for a security breach. This solution, which can be easily integrated into existing
applications, helps eliminate the weak point that many systems possess—the password hash file.
CA Advanced Authentication provides a “password-like” credential that doesn’t store passwords on
the server, so there are no passwords for an attacker to steal for a security breach.
Additional Resources:
• “Be Smarter Than a Hacker” webcast (http://bit.ly/1s38Ygj)
• The eduCAte Channel for CA Advanced Authentication (http://bit.ly/1xErzQh)
Connect with CA Technologies at ca.com
CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables
them to seize the opportunities of the application economy. Software is at the heart of every business,
in every industry. From planning to development to management and security, CA is working with
companies worldwide to change the way we live, transact and communicate – across mobile, private
and public cloud, distributed and mainframe environments. Learn more at ca.com.
1 Cost of a Data Breach Study: Global Analysis, Ponemon Institute, May 2013
© CA 2014. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your
informational purposes only, and does not form any type of warranty. CS200-200-86850_0814