2011

The Practicality of Changing Default Authentication Mechanisms: Applied in a Workstation Environment

Evaluation of the feasibility of having cheap and secure authentication systems replace passwords as the new de facto standard.

Shawn Williams
REA 820
April 5, 2011

Table of Contents

Introduction ..... 5
Purpose ..... 6
Systems covered ..... 6
Personal Motivation ..... 6
Where Did the Data Come From? ..... 8
What Kind of Information would be used for this Study? ..... 8
Why do security systems in general, fail? ..... 8
Why should we stop using password based authentications for productivity environments? ..... 9
    Other popular beliefs I've come across include ..... 11
Criteria of Evaluation ..... 12
Authentication Systems ..... 15
Chapter 1: Graphical Passwords ..... 16
    Introduction ..... 16
    How does the Technology Work? ..... 17
    Passfaces ..... 18
    Other Highlights ..... 19
    Pros (Passfaces) ..... 20
    Cons (Passfaces) ..... 21
    Ranking based on criteria ..... 21
    Click-Based Graphical Password authentication ..... 23
    Pros (Clickpoints) ..... 24
    Cons (Clickpoints) ..... 25
    Future Outlook and Conclusion of Graphical Passwords ..... 26
Chapter 2: Biometrics ..... 27
    Introduction ..... 27
    How does the Technology Work? ..... 28
    Necessary Components ..... 28
    Finger Print Recognition ..... 29
        How Finger Print Scanners Work? ..... 30
        Three Types of Finger Print Biometrics: Optical, Capacitance, & Ultrasonic ..... 30
        Pro (Optical) ..... 30
        Cons (Optical) ..... 30
        Pros (Capacitance) ..... 32
        Cons (Capacitance) ..... 32
        Pros (Ultra Sonic) ..... 33
        Con (Ultra Sonic) ..... 33
        Ranking based on criteria ..... 33
    Face Recognition ..... 35
        Introduction ..... 35
        How It Works? ..... 35
        Pros (Face Recognition) ..... 36
        Cons (Face Recognition) ..... 36
        Ranking Based on Criteria ..... 37
        Personal Experience with Using this Technology ..... 38
    Retina Scan ..... 39
        Introduction ..... 39
        How Does It Work? ..... 39
        Pros (Retina) ..... 40
        Cons (Retina) ..... 41
        Ranking Based on Criteria ..... 41
    Typing Rhythm ..... 42
        Introduction ..... 42
        How Does it Work ..... 43
        Pros (Typing Rhythm) ..... 43
        Cons (Typing Rhythm) ..... 44
        Ranking Based on Criteria ..... 44
    Future Outlook and Conclusion For Biometrics ..... 45
Chapter 3: Token Based Authentication ..... 46
    Introduction ..... 46
    How does the Technology Work? ..... 46
    Hardware Token Breakdown ..... 47
        Disconnected Tokens ..... 47
        Pros (Disconnected Tokens) ..... 48
        Cons (Disconnected Tokens) ..... 49
        Ranking Based on Criteria ..... 49
        Connected Tokens ..... 52
        Pros (Connected Tokens) ..... 53
        Cons (Connected Tokens) ..... 53
        Ranking Based on Criteria ..... 54
        Contactless Tokens ..... 57
        Pros (Contactless Tokens) ..... 57
        Cons (Contactless Token) ..... 57
        Ranking Based on Criteria ..... 58
    Typical Life Cycle of a Token ..... 59
    Various Vendors and Types of Token Based Solutions ..... 60
    Future Outlook and Conclusion For Token Based Security ..... 60
Interpreting the Results ..... 61
Conclusion ..... 62
Glossary ..... 62
Work Cited ..... 65

Introduction

Password based authentication is without a doubt one of the oldest forms of authentication.
Within the IT sector, we are often reminded of all the flaws associated with the username and password. Many good suggestions have been made to introduce strong infrastructure policies that enforce strong security, but because they are designed from the perspective of the designer, and do not normally have the users' needs in mind, these tactics are usually subverted by end users trying to get better usability out of the systems. For this reason, it is often very difficult to find a balance between usability and security. Combined with the fact that most users simply do not understand how password cracking works, I believe that, with all the alternative authentication solutions out there, the time has finally come to scrap password use in workstation environments and move on to more current technologies. [20][21]

Purpose

In this study, we will explore various authentication systems and see if any one of them can be deemed good enough to replace the password mechanisms used in most systems today, thus paving the path to becoming the new de facto standard for both home and industry-wide authentication.

Systems covered

- Biometrics (finger print, iris, face recognition)
- Rhythm/gait based passwords
- Graphical based passwords
- Hardware Tokens

Personal Motivation

As a student of IT security, we are always being told by our instructors about the inherent flaws of password authentication. The attack vectors range anywhere from the sophisticated stealthy deployment of key loggers to the low-tech and popular shoulder snooping. Yet despite that, and because of the relative simplicity of this form of authentication in terms of its deployment, it is still widely used as the default standard for authentication.
Personally, I've always wondered why password authentication was still the default standard despite the fact that there were many new and more secure systems emerging, and because of this, I wanted to find out whether or not it is even practical to replace password authentication with something better. My first approach towards the goal of finding the perfect authentication system was one that would involve choosing a random system based on initial assumptions and evaluating it on the basis of its strengths over password security. In the earlier phases, I was under the assumption that any form of authentication would be superior to password authentication and as such, I decided to take up 'graphical passwords' after hearing about them for the first time in a lecture. The system seemed interesting at first because it was new to me, and as such, I started researching it. However, in the end, as I learned more of its strengths and weaknesses, I found that the weaknesses exceeded the strengths, and while it may have been possible to fix the system with carefully placed modifications, the catering that it seemed to require would have been too much trouble, and thus I deemed this particular system impractical to use in a real world scenario because the average user would not or could not make the necessary modifications to make it work. [14]

After that finding, some suggested looking into biometrics as a possible solution, but having experienced the flaws of this form of authentication first hand (since my XPS M1330 has a built-in fingerprint reader), I decided to abandon the idea of arbitrarily choosing one good authentication system and modding it to meet the demands necessary to make it work as a successor to password authentication, in favour of the more realistic approach of analyzing the many systems and drawing up a conclusion based on their current setup with little modification.

Where Did the Data Come From?
Data presented here was collected entirely from secondary sources, which helped me in determining the feasibility of a particular system. The problems addressed in those sources were taken into consideration. In addition, some of the relevant information was taken from various security related books. The scaling system that will be introduced later, though entirely a work of my own creation, was influenced by a combination of the overall consensus of my reading as well as my own knowledge.

What Kind of Information would be used for this Study?

Mostly information regarding the various systems, their pros and cons, in addition to information related to their cost of deployment. This paper revolves around the search for an effective authentication system to replace string based passwords, so anything that could be used to prove one form of authentication over another was of use.

Why do security systems in general, fail?

When it comes to security, there is more than one mental model that comes into play. They include:

a) Design model: the security model from the designers' perspective and how it should interact with the user and the system. It is the belief on how the system should work in a perfect world.
b) User's mental model: the way the user of the system believes the security system works, based on assumptions. The model differs from user to user, and some users have grossly inaccurate assumptions.
c) System model: the actual way the system works.

The main reason why security systems fail is that users and designers view security completely differently. The policy designer usually has only security in mind and thus is solely concerned with security and disregards usability. The end user lacks knowledge or has a completely wrong idea of how security systems work and how hackers exploit weaknesses in the system, so in turn they ignore security or attempt to bypass the policies in place in order to get access to resources faster.
[1][2][33]

Why should we stop using password based authentications for productivity environments?

There was various support for and opposition against password based authentication that prompted me to look at the possibility for change, as well as more than one school of thought in terms of where authentication security is going. Some negative aspects of password based security that seemed to be common amongst password related papers included these:

1. There is a problem in finding a balance between usability and security. [20][3]
   a) People use the same passwords everywhere [20]
   b) People use common dictionary words and passwords that are too simple [20]
   c) Enforcing strong password policies may force users to write them down [20]
2. Passwords can easily be told to others.
3. Passwords are easy to copy.
4. There are many widely available tools for decrypting stored password information.
5. Passwords can be captured easily during input time.
6. There are weaknesses in password reset mechanisms that hackers may be able to exploit.
7. Passwords are the weakest link into any system.
8. The same passwords are constantly being reused for different systems. [21]

There were also a few articles that tried to predict where authentication would be going in the future. Since, for my purpose, I want to find a single solution (best case scenario) to replace password authentication, I will likely need to first evaluate the individual groups that have been identified. For example, one article expresses a belief that future authentication systems will move from so called 'knowledge based' authentication (e.g. password based authentication) to 'memory based' authentication (e.g. graphical passwords).
The rationale behind this was that the major weakness of knowledge based authentication like passwords was that users were simply incapable of retaining over 5 different passwords, and thus "fixed" this problem by either writing them down, disclosing them to others, or using the same password universally across systems. As such, the authors felt the solution would be to find or develop systems that promoted users' ability to memorize. At the same time, the new system had to be strong enough to prevent attackers from using brute force, educated guessing or other means of bypassing security. The study then proceeded to evaluate the memorability of three systems:

1. Picture recognition technologies (AKA graphical passwords)
2. Pseudo-word recognition (the same as graphical passwords, except the user is presented a series of pseudo-words, e.g. 'kould', from various selection screens)
3. Artificial grammar learning (a system that requires the user to memorize a pattern or string of characters, e.g. JKGWYY)

At the end of the study, recognition technology was proven easier for users to remember and was declared the ideal solution. [3]

In another similar study, the same kind of argument concerning memorability was brought up, but this time placed in the context of finding a memory-based system to replace PIN numbers at ATM machines. Since workstations at work have a similar degree of data sensitivity when it comes to protecting data, it makes sense to think that what can be applied to ATMs can also be applied to workstation PCs. In this particular study, similar memory tests were conducted over a period of one month, in which users of three different kinds of memory based authentication systems (and one group using traditional PIN numbers) were required to memorize five passwords. Once again, graphical passwords proved superior in terms of password retention among the group who were given a graphical password to memorize.
[4] However, though the arguments for memory based passwords seemed strong, in another article they were challenged by two other papers that brought up the notion that 'if the user can easily memorize graphical passwords, so could the shoulder surfer'. [5][6]

Other popular beliefs I've come across include:

- Authentication is better handled behind the scenes and should be nearly automated, since user interaction is the greatest weakness of the system. [8]
- Multi-factor authentication vs. single sign-on [7][8]

My approach to finding the answers to this problem is to continue to find articles for and against any given technology or generalized belief, and then analyze each solution based on my own criteria, built on some things I found to be common sense as well as ideas I've picked up from various readings. The criteria I will be using are given below. Each technology will be given a rating out of 10 based on observation and what I find.

What is the Outcome and how will this Research Benefit Others?

If I am able to find and isolate a technology that is good enough to replace passwords, business owners would no longer have to run the risk of deploying risky technology they are unfamiliar with. Even if several items tie, at least by evaluating the strengths and weaknesses of each technology (as presented in the research) business owners can find a system that best fits their needs. I'm not sure yet, but I may actually do this kind of analysis myself.
Criteria of Evaluation

In order to determine whether or not a particular authentication method would be deemed a worthy candidate to succeed passwords as the standard authenticating agent, it is first necessary to develop an ideal set of criteria for ranking each technology. After much research, the following categories have been identified and established, based on key attributes that could be considered most desirable among workstation users and IT staff alike when selecting a new system. These categories include:

1. Number of security holes
2. Cost
3. Ease of Use
4. Increase in Security
5. Scalability
6. Practicality of implementation and modding
7. Access and availability (how easy is it to obtain)

From the 7 categories above, the various systems will be ranked out of 10 in each category, for a total of 70 points. The following chart further explains and describes the features that would grant a system a low score, a medium score or a high score in each category. In the end, only systems with an overall score of 53 or higher across all categories will be considered likely candidates for selection.

Number of Security Holes Exploitable
    High (score 0-3): The number of security holes exceeds the threshold of what could be considered acceptable, and the authentication system has more holes than password based security.
    Medium (score 4-7): The number of security holes only marginally improves over the number of exploitable password related holes.
    Low (score 8-10): Very few exploitable holes and a massive improvement over password security.

Cost
    High (score 0-3): High maintenance installation costs and
    Medium (score 4-7): The cost of fully installing and maintaining the system is either high in maintenance fees or high in installation, but not both.
    Low (score 8-10): The cost of fully installing and maintaining the system is minimal.

Ease of Use
    Low (score 0-3): The system is so complicated that most users will attempt to bypass it in order to speed up work production.
    Medium (score 4-7): The system has a medium level of complexity that can be tolerated by most users.
    High (score 8-10): Daily usage of the security mechanism is easy for most users with business level computer skills.

Practicality
    Low (score 0-3): The system is complex to troubleshoot if broken, difficult to mod, and requires major changes to infrastructure to use.
    Medium (score 4-7): The system has a medium level of setup complexity and can be made workable with effort. Small changes to existing infrastructure may be required.
    High (score 8-10): The system is flexible, easy to install with current technologies and quick to set up. No change to infrastructure; mainly an out of the box solution.

Scalability
    Low (score 0-3): The system is only meant to be installed on the network size it supports, and either does not provide room for growth or is too elaborate to be practical on smaller systems.
    Medium (score 4-7): The system has a workable level of flexibility but generally can't handle extremes.
    High (score 8-10): The system is highly flexible and can be implemented with ease on networks of any size.

Increase in Security
    Low (score 0-3): The system provides little or no security advantage over password security.
    Medium (score 4-7): The system provides some security advantages over password security.
    High (score 8-10): The system is much more secure than password authentication.

Access and Availability
    High (score 8-10): Found in any office or computer store.
    Medium (score 4-7): An implementation exists, but special orders need to be made.
    Low (score 0-3): Only exists in theory or as a prototype, so development overhead is needed to make the solution.

Authentication Systems

Now that the baseline and the goals of this paper have been set out, in the next few chapters we will take a look at various authentication systems, and in the end we should have a good idea of which systems will be good for the purposes outlined here, using the quantitative chart above and my own critical analysis as a guide.
Chapter 1: Graphical Passwords

Introduction

Traditionally, passwords have been used for years and usually were made up of a secret string of characters that would be prompted for by a system's login screen whenever authentication was required to access some kind of secured resource. For a long time, this had been adequate in environments where people only had to memorize a single combination of username and password.

Figure 1.0.0 – Problem with Passwords [20]

However, today's world is different in that many of us now need to memorize many sets of user-password combinations, forcing users to shy away from secure practices and do things like creating overly simplistic passwords and using the same passwords for multiple systems. As such, system administrators responded by creating strict password policies which forced users to create user-unfriendly passwords that they usually forgot. For these reasons, users often resorted to the even less secure practice of writing things down. This generally seemed to be the common problem with traditional passwords, so while searching for solutions, graphical passwords seemed to be a good place to start, since they play on humans' natural ability to more easily remember pictographic images over text, numbers and symbols, and, as mentioned earlier, it has been a common belief among many experts that the security problem can be solved if a system is developed that plays on the human ability to memorize. Such systems as a whole are often regarded as memory based authentication systems. In this first chapter, we will look at and examine how various flavours of graphical passwords work, their strengths and weaknesses, and finally, we will rank them accordingly to see if they would make a good replacement for the current text based password system. [20]

How does the Technology Work?

In general, graphical-based authentication takes on many forms.
But they usually all have the same distinguishing component: in order for a user to initiate the authentication process, that user must 'click' a series of graphics, colors, or patterns, as opposed to entering difficult to remember text. As I began exploring the various forms graphical based passwords could take, there were two predominant forms I discovered, and for the purpose of this report, and because all other systems seem to have stemmed from these dominant two, I will only talk about their most common iterations. The first is often referred to as "Passfaces", which uses the theory that human beings are more easily able to memorize a person's face than other forms of pictures or even names. (If you really think about it, when you first meet someone new, you never memorize their name right away; their face, however, is often difficult to forget.) The second type is the initial and first graphical based authentication system, developed by unnamed computer science researchers at Rutgers University-Camden. In this version of the system, users authenticate themselves by clicking on certain points on a picture in a sequential order only the user knows.

Passfaces

This is most likely the most marketed and predominant form of graphical based authentication today, mostly because of its great support for Windows systems. As mentioned earlier, it makes use of a series of randomized faces, which the user sets up as a password in order to make up the Passface. The faces are usually randomly selected from a large base of hundreds of faces, but only 9 are displayed on a screen at a time, from which the user selects a single face. Once the user selects and clicks on a face, the screen refreshes and a new set of nine faces is randomly fished out from the much larger pool of faces; a few (1 or 2) faces will always be from the user's selected Passface.
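To make the Passfaces rounds described above concrete, here is an added simulation of the server side of a login (one enrolled face per 3x3 screen among random decoys, the clicked sequence checked at the end) together with a comparison of the size of the Passface secret space against a text password; this is example code written for this page, not the Passfaces product's software, and the face pool, the five-screen length, the lockout threshold and all face identifiers are constructed assumptions.

```python
"""Added example for this page: a simulation of the Passfaces login rounds
described above and a comparison of its secret space with a text password.
Not the Passfaces product's code; the face pool, screen count, lockout
threshold and face identifiers below are constructed assumptions."""
import math
import secrets

GRID_SIZE = 9        # faces per screen: the 3x3 grid the page describes
ROUNDS = 5           # screens per login, i.e. the length of the Passface string (assumed)
MAX_FAILURES = 3     # lockout threshold: an added mitigation, not something the page states
_rng = secrets.SystemRandom()   # OS-backed randomness for decoy selection and ordering


def keyspace_bits(choices_per_step: int, steps: int) -> float:
    """Entropy in bits of a secret made of `steps` independent choices."""
    return steps * math.log2(choices_per_step)


def compare_keyspaces(rounds: int = ROUNDS, pw_len: int = 8, alphabet: int = 94) -> dict:
    """Secret space of a Passface of `rounds` screens versus a text password of
    `pw_len` characters drawn from `alphabet` printable ASCII characters."""
    return {
        "passfaces_combinations": GRID_SIZE ** rounds,
        "passfaces_bits": round(keyspace_bits(GRID_SIZE, rounds), 2),
        "text_combinations": alphabet ** pw_len,
        "text_bits": round(keyspace_bits(alphabet, pw_len), 2),
    }


class PassfacesVerifier:
    """Server side of one Passfaces login.  Each screen shows the enrolled face
    for that round among random decoys; the login succeeds only if the clicked
    sequence equals the enrolled string.  (The page notes a screen may also
    carry a second enrolled face as a distractor; this simulation shows exactly
    one enrolled face per screen to keep the round logic clear.)"""

    def __init__(self, face_pool: list[str], enrolled: list[str]) -> None:
        if len(enrolled) != len(set(enrolled)):
            raise ValueError("a Passface must not reuse a face")
        if not set(enrolled) <= set(face_pool):
            raise ValueError("enrolled faces must come from the face pool")
        if len(face_pool) - len(enrolled) < GRID_SIZE - 1:
            raise ValueError("face pool too small to fill a screen with decoys")
        self.pool = list(face_pool)
        self.enrolled = list(enrolled)
        self.failures = 0

    def screen(self, round_no: int) -> list[str]:
        """Build the nine faces for `round_no`: this round's enrolled face plus
        eight decoys that are not part of the Passface at all, shuffled so the
        enrolled face lands in a uniformly random grid position."""
        target = self.enrolled[round_no]
        decoys = [f for f in self.pool if f not in self.enrolled]
        faces = [target] + _rng.sample(decoys, GRID_SIZE - 1)
        _rng.shuffle(faces)
        return faces

    def authenticate(self, clicks: list[str]) -> bool:
        """Check a full sequence of clicks.  All rounds are collected before the
        comparison so a wrong early click does not reveal which round failed,
        and repeated failures trip a lockout."""
        if self.failures >= MAX_FAILURES:
            return False
        ok = len(clicks) == len(self.enrolled) and all(
            secrets.compare_digest(a, b) for a, b in zip(clicks, self.enrolled))
        self.failures = 0 if ok else self.failures + 1
        return ok


def demo() -> bool:
    """Enrol a constructed five-face Passface and walk through one login."""
    pool = [f"face{i:02d}" for i in range(40)]          # constructed face pool
    verifier = PassfacesVerifier(pool, ["face03", "face11", "face19", "face27", "face35"])
    clicks = []
    for r in range(ROUNDS):
        shown = verifier.screen(r)
        # the legitimate user recognises their own face on each screen
        clicks.append(next(f for f in shown if f in verifier.enrolled))
    return verifier.authenticate(clicks)


if __name__ == "__main__":
    print(compare_keyspaces())
    print("login ok:", demo())
```

With the assumed five screens, `compare_keyspaces()` gives 9^5 = 59049 Passface combinations (about 15.85 bits) against 94^8 for an eight-character printable password (about 52.44 bits), which is the gap the brute force concern on this page refers to.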
Figure 1.0.1 – Passfaces on phone [25]

The user then clicks on his/her next face in the Passface string, and this process repeats until the full Passface string is selected. If the series of selected faces matches the string stored in the database, the user is granted access to the resource. [9][10]

Figure 1.0.2 – Passface usage on smartphones [25]

Figure 1.0.3 – Typical topology of how Passfaces can replace passwords in a workstation through Active Directory. [10]

Other Highlights

Workstation Authentication (LAN)
- Passfaces Client replaces Windows password logon
- Off-line authentication for roaming notebooks

Remote Authentication (via Web browser)
- Integrates with Microsoft IIS (Internet Information Services) Web Server for remote (browser) access
- All major Web browsers supported without plug-ins or software installation
- Works seamlessly with "Basic Authentication" (e.g. Outlook Web Access) or forms based authentication
- Remote email via Outlook Web Access
- Applications hosted through Citrix Metaframe
- Custom Web Applications
- Intranets and Extranets
[10]

Pros (Passfaces)
- Easy implementation
- Solves the problem presented by users not being able to memorize passwords
- Works on existing technology and OSs
- No possibility of lost written-down passwords or authentication tokens getting into the wrong hands
- Support for 2-factor authentication
- Low cost of ownership
- Lower costly password reset rate
- Known to have greatly hampered the effects and success rate of phishing
[4][5][6]

Cons (Passfaces)
- Easy for others to shoulder snoop
- The selected predetermined image can be guessed if the preferences of the user are known.
- Time to complete the authentication process is slower than traditional password authentication, due to multiple screen selections vs. one, and in the case of slower machines, the graphics may take time to load.
- If brute-force tools are developed, the number of possible face combinations is far lower than the number of combinations available to text-based passwords [4][5][6]

Ranking based on criteria

Number of security holes: 8. The kinds of attacks performed on graphical passwords are the same as those seen on text-based passwords, but the overall count of holes is lower (two to three known holes): brute force (hard to do but possible), shoulder surfing, and smart password guessing.

Cost: 8. The software solution is low cost, as is maintenance. The cost of password resets is also much lower than with text-based systems, because people usually remember their Passfaces.

Ease of Use: 10. Very easy to use; no computer skills or manual required.

Increase in Security: 6. Offers improvements in areas such as reduced phishing, greater difficulty in developing cracking software, and eliminating written-down passwords. However, one major flaw is that the success rate of shoulder surfing may increase, since the memorability of faces applies to the shoulder surfer as well. There is also the possibility of brute force: if an attacker found a way to brute-force Passfaces, the much smaller number of combinations could make a string crackable in very little time. As of now, Passface cracking is only theory and has not been done en masse. Attackers have also been able to intelligently guess Passfaces while knowing little about the user. For example, with five screens of 3x3 faces each, a man may select the most attractive woman on each screen as his password; similarly, people are known to select faces of their own nationality. So, other than having the system choose the Passfaces for the user, there are very few ways to enforce good password policy as there are with text-based passwords. In a text-based system, if users keep choosing simple passwords such as 'password', administrators can enforce a policy that rejects dictionary words; such filtering is much harder to apply to images, since the computer cannot interpret human faces the way humans can. [4][5][10]

Scalability: 8. Very scalable; works in all environments and can even be applied to end devices such as smartphones and laptops.

Practicality of implementation and modding (How much change to existing infrastructure is needed): 8. Requires little change to infrastructure, and server software is readily available for Windows. Client software must also be installed on individual clients.

Access and Availability: 7. Enterprise software solutions are readily available, but special orders must be placed to acquire them.

Overall Score = 55

Click-Based Graphical Password Authentication

The original implementation of graphical passwords relied on the user's ability to memorize certain points on a picture, which they click in sequence in order to authenticate. These individual locations are often referred to as 'click points', and they can either be chosen randomly by the system or specified by the user. This iteration also has a means of preventing and mitigating shoulder surfing: the user clicks on images within images. For example, if a user clicks on a certain shape inside another shape, the user and the system know which image was clicked, but a shoulder surfer is left unsure whether the inner or the outer shape was meant. When multiple click points are added, the difficulty of following which shape is being clicked grows by a large order of magnitude.
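The following Python example is added here for illustration; it is not code from the report or from any Passfaces or click-point product. It makes two of the points in this chapter concrete: how a Passface string is found far sooner than the raw keyspace suggests when an attacker enumerates faces in the order of the user's known preferences (the "smart guessing" hole scored above), and how a click-point password can be verified with a tolerance window while storing only a salted, slow hash of the click sequence rather than the raw coordinates. The grid-offset trick used to make hashing tolerant, the 10-pixel tolerance, the face labels and the click coordinates are all assumptions constructed for the example.

```python
"""Added example: guessing order for Passfaces and tolerant, hashed
verification of click-point passwords. All sample data is constructed."""
import hashlib
import hmac
import os


# ----- Passfaces: keyspace versus informed guessing ----------------------

def keyspace(choices_per_step: int, steps: int) -> int:
    """Number of distinct credentials: 9 faces x 5 screens, 62 chars x 8, ..."""
    return choices_per_step ** steps


def guess_rank(user_choice, guess_order):
    """0-based position of `user_choice` in an attacker's enumeration that
    tries, screen by screen, the faces listed in `guess_order` (most likely
    first). Rank 0 means the very first guess succeeds; a user who chooses
    uniformly lands on average near keyspace / 2."""
    rank = 0
    for faces, chosen in zip(guess_order, user_choice):
        rank = rank * len(faces) + faces.index(chosen)
    return rank


# Constructed data: five screens of nine faces each, and an attacker who
# believes the user always prefers the face shown last on every screen.
SCREENS = [[f"s{s}-face{i}" for i in range(9)] for s in range(5)]
ATTACKER_ORDER = [list(reversed(screen)) for screen in SCREENS]
PREDICTABLE_USER = [screen[8] for screen in SCREENS]   # always the "favourite"
AVERAGE_USER = [screen[4] for screen in SCREENS]       # middle of each grid


# ----- Click points: tolerance window with a hashed template -------------

def _offset_for(coord: int, tol: int) -> int:
    """Choose one of three grids (offset 0, tol or 2*tol; cell size 3*tol) so
    that the enrolled coordinate sits in the middle third of its cell. A
    later click within `tol` pixels then falls in the same cell, and one
    more than 2*tol away is guaranteed to fall in a different cell."""
    r = coord % (3 * tol)
    if r < tol:
        return 2 * tol
    if r < 2 * tol:
        return 0
    return tol


def _cells(points, offsets, tol):
    return [((x - ox) // (3 * tol), (y - oy) // (3 * tol))
            for (x, y), (ox, oy) in zip(points, offsets)]


def _hash_cells(cells, salt: bytes) -> bytes:
    data = ",".join(f"{cx}:{cy}" for cx, cy in cells).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)


def enroll_clickpoints(points, tol=10, salt=None):
    """Store the salt, the per-point grid offsets (not secret) and a slow
    hash of the cell sequence; the raw coordinates are never stored."""
    salt = os.urandom(16) if salt is None else salt
    offsets = [(_offset_for(x, tol), _offset_for(y, tol)) for x, y in points]
    cells = _cells(points, offsets, tol)
    return {"salt": salt, "tol": tol, "offsets": offsets,
            "hash": _hash_cells(cells, salt)}


def verify_clickpoints(record, points) -> bool:
    """True when every click lands in the enrolled cell, in the same order."""
    if len(points) != len(record["offsets"]):
        return False
    cells = _cells(points, record["offsets"], record["tol"])
    return hmac.compare_digest(_hash_cells(cells, record["salt"]), record["hash"])


# Constructed click sequence on an 800x600 image (pixel coordinates).
ENROLLED_CLICKS = [(123, 456), (640, 80), (300, 301), (15, 590), (777, 222)]
RECORD = enroll_clickpoints(ENROLLED_CLICKS)

if __name__ == "__main__":
    print("Passfaces keyspace    :", keyspace(9, 5))
    print("8-char alnum keyspace :", keyspace(62, 8))
    print("predictable user rank :", guess_rank(PREDICTABLE_USER, ATTACKER_ORDER))
    print("average user rank     :", guess_rank(AVERAGE_USER, ATTACKER_ORDER))
    print("exact replay :", verify_clickpoints(RECORD, ENROLLED_CLICKS))
    print("5px jitter   :", verify_clickpoints(RECORD, [(x + 5, y - 4) for x, y in ENROLLED_CLICKS]))
    print("wrong order  :", verify_clickpoints(RECORD, ENROLLED_CLICKS[::-1]))
```

The stored offsets reveal which third of a cell each coordinate fell in, which trims the effective click-point keyspace; that is the price of tolerance with a hashed template, and the slow hash (PBKDF2 here) is what keeps the reduced space expensive to enumerate. Guessing order is the same lesson from the other side: the Passfaces keyspace of 59,049 strings only helps if the user's choices are unpredictable.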
[16][26]

Figure 1.0.4: A complex image in which a user sets a series of shapes to be used as click points
Figure 1.0.5: A series of user-defined click points [26]

Pros (Click points)
- Solves the problem of users not being able to memorize passwords
- No written-down passwords or physical tokens to fall into the wrong hands
- Support for two-factor authentication
- Fewer costly password resets
- Reported to greatly reduce the success rate of phishing
- Has anti-shoulder-surfing measures [16][26]

Cons (Click points)
- The chosen image can be guessed if the user's preferences are known
- Authentication is slower than a traditional password: several screens must be selected instead of one, and on slower machines the images may take time to load
- Brute-force tools have been created for use against single-image click-based password systems
- Not as widely available as Passfaces
- May require a development budget, since most click-based schemes are prototypes and research projects [16][26]

Ranking based on criteria

Number of security holes: 8. The kinds of attacks performed on graphical passwords are the same as those seen on text-based passwords, but the overall count of holes is lower (two to three known holes): brute force (hard to do but possible) and smart password guessing.

Cost: 3. There are not many suites as complete and readily available for this type of graphical password technology, so budget for tuning and possibly custom development may be required.

Ease of Use: 10. Very easy to use; no computer skills or manual required.

Increase in Security: 7. Offers improvements in areas such as reduced exposure to phishing and keyloggers. Some implementations even have anti-shoulder-surfing measures. However, this form of graphical password is still susceptible to brute-force clicking algorithms.

Scalability: 8. Can be fitted to a system of any size; it simply replaces the password authentication process with its own. [26]

Practicality of implementation and modding (How much change to existing infrastructure is needed): 8. Requires little change to infrastructure, and server software is readily available for Windows. Client software must also be installed on individual clients.

Access and Availability: 3. Hard to find and mostly unavailable.

Overall Score = 47

Future Outlook and Conclusion of Graphical Passwords

After looking into both kinds of graphical password authentication, I have come to conclude that the Passfaces method is superior to click-based authentication, mostly because it is already readily available for purchase. Though click-based authentication is likely to be more secure, I don't think it would be wise for any company to jump into it yet: since most of it is still in beta stages, the overall development cost does not seem justified by its two vulnerabilities versus three. Overall, both systems are very promising and scalable, they are very easy to deploy and use, and it is possible that we will see more use of this technology in some shape or form in the near future.

Chapter 2: Biometrics

Introduction

Often regarded as one of the stronger forms of authentication, and one that has recently begun to be built into many mobile devices, biometrics encompasses a broad range of technologies that authenticate users by means of their unique physical or behavioural traits. Physical biometrics include the ever-popular fingerprint recognition, face recognition, vascular pattern (vein geometry) recognition, iris recognition, retina recognition and DNA identification. Behavioural biometrics include voice recognition and typing rhythm.
For the purpose of this section, I will look into the more widely available biometric systems in each of the two categories and then identify the superior technology overall. The technologies explored in this section are:
- Fingerprint recognition (three subcategories based on sensor technology)
- Face recognition
- Retina recognition
- Rhythm-based technologies
Before getting into individual systems, let us first take an overall look at how biometrics work in general and the features shared by all systems. [9][11]

How does the Technology Work?

Although the underlying layers of each biometric technology achieve the same functions through different means, they all consist of three phases:
1. Enrolment: the process of scanning and registering a unique individual trait that will be used as a personal access key. [11][13]
2. Storage: once enrolment is complete, the scanned information is converted into a digital template (signature), which is stored in encrypted form either on the device itself or on the system's hard disk. [11][13]
3. Comparison: once the enrolled template is stored, authentication can be used. During authentication the user presents the trait to the scanner; the captured trait is compared against the template(s) stored during enrolment, and if there is a match the user is authorized to the specified resource. [11][13]

Necessary Components

For the three phases above to take place, several components are required. The first, as mentioned earlier, is the sensor. The sensor captures the unique imprint during the enrolment phase and is usually a piece of hardware that is either integrated into the system or added to it.
It is also used to scan users who wish to authenticate. The second component is the computer that stores and compares the scanned images. Note that not all biometric devices require the PC to perform these functions; some store the enrolment images on the device itself (the advantage being that an encrypted image held on the device is much harder to extract for offline brute-force cracking). The final component is the software that interacts with the sensor and the storage device and performs the actual image comparison. [22]

Now that you know the generalities of biometrics, it is time to get into specifics so that we can later analyze their strengths and weaknesses in comparison to password-based security. [9][11]

Fingerprint Recognition

Today fingerprint recognition is one of the most widely deployed forms of biometric authentication, and in recent years it has been integrated into devices such as USB thumb drives and laptops. Much of its success in smaller devices, I believe, may be attributed to two facts:
1. Fingerprint biometrics is the least expensive form of biometrics.
2. The scanner used for print capture is small. (Recall that one requirement for an authentication technology to succeed is that the change must not greatly impact the existing infrastructure. A large sensor may have physical implications for infrastructure that deter people from implementing the technology.)
With that said, it would be interesting to see how it fares in a workstation environment. But first, let us look at how it works and the three forms the technology comes in.

How Fingerprint Scanners Work
There are three main types of scanner used in fingerprint biometrics, and they map the unique ridges and valleys of a fingerprint in completely different ways. [9][11]

Three Types of Fingerprint Biometrics: Optical, Capacitance and Ultrasonic

Optical: in this implementation the fingerprint image is captured by a charge-coupled device (CCD), the same capture technology used in digital cameras and camcorders. The CCD is essentially a collection of light-sensitive diodes that generate electrical signals in the presence of light. These diodes are also called photosites, and each photosite records a single pixel of light; combined, the photosites form an image. In a fingerprint scanner the image captured is typically the inverted image of the fingerprint. After capturing the print, the software usually cleans up the image, for example by darkening the ridges to make them more defined. If the image is too poor, the scanner requests a rescan until an acceptable image is captured. [17]

Pros (Optical)
- Most readily available form of biometric technology on the market
- Cheaper than most other forms of biometrics

Cons (Optical)
- Higher fault rate than competing fingerprint biometrics
- Easier to fool than capacitance and ultrasonic scanning [17]

Capacitance scanning is another method by which the fingerprint can be recorded. Instead of using light to capture the ridges and valleys that make up the print, it uses a small electrical current to record the depth of the ridges.

Figure 2.0.0: Capacitance circuitry diagram [17]

The diagram above shows how the sensor makes use of the valleys and ridges to complete a circuit. [17] "The sensor above is typically made up of one or more semiconductor chips containing an array of tiny cells.
Each cell includes two conductor plates, with an insulating layer. The sensor is connected to an integrator, an electrical circuit built around an inverting operational amplifier. The inverting amplifier is a complex semiconductor device, made up of a number of transistors, resistors and capacitors." [17] The function of the amplifier is to alter a supply voltage based on the relative voltages of two inputs, called the inverting terminal and the non-inverting terminal. "The non-inverting terminal is what grounds the current, and the inverting terminal is connected to a reference voltage supply and feedback loop. The feedback loop, which is also connected to the amplifier output, includes the two conductor plates." [17] The two conductor plates illustrated above form the basis of the capacitor, and the surface of the finger acts as the third plate. Because the valleys in a fingerprint create pockets of air between the finger and the plates, the varying distance changes the total capacitance (the ability to store electrical charge). Thus the capacitor in a cell "under a ridge will always have greater capacitance than a cell under a valley." [17] During scanning the output voltage is read, and from each cell's charge the software can determine whether the area of the finger above it is a ridge or a valley. After reading all the cells under the finger, the processor can generate an image of the fingerprint. [17][9]

Pros (Capacitance)
- The ability to measure depth makes capacitive scanners harder to fool than optical scanners.
- The semiconductor chip is physically smaller than the CCD unit in an optical scanner, so the overall scanner can be made more compact.
[17]

Cons (Capacitance)
- More expensive than optical sensor biometrics

Ultrasonic sensors use very high frequency sound waves that bounce off the surface of the finger to recreate an image of the print. The technology is similar to how bats use echolocation to home in on prey: if the reflected sound wave returns quickly, the object is close, which in the case of a fingerprint can mean the presence of a ridge. [9][18]

Pros (Ultrasonic)
- High accuracy

Cons (Ultrasonic)
- Expensive
- Some people don't like the feel of the ultrasonic waves

Ranking based on criteria

Number of security holes: 8-9.5. Not many security holes, apart from the possibility that it puts users' lives in danger: an attacker may cut off a user's finger to gain access to a resource. It may also be possible for an attacker to gain access to the stored fingerprint image and use it during authentication to log in; this attack is possible with optical fingerprint recognition, which does not map the depth of the ridges.

Cost: 5-6.5. Dependent on the technology used: optical is the least secure but cheapest, followed by capacitance and ultrasonic.

Ease of Use: 7. The average level of false rejections typical of biometrics in general may irritate some users. From personal experience, on my old XPS 1300 laptop with an optical scanner, it took an average of 2-3 finger swipes for me to log into Windows Vista. A fingerprint is also difficult to forget. Another thing that could deter use of the technology is that users without hands, or with poor quality fingerprints, would not be able to register a print.

Increase in Security: 9. Much higher security than password-based security. Because the credential is a fingerprint, it is impossible to share and difficult to copy. The only real problem is that if a compromise does occur, you cannot simply change your fingerprint.

Scalability: 8. Scalability depends on whether your OS supports a particular piece of attached hardware.

Practicality of implementation and modding (How much change to existing infrastructure is needed): 6.5. All forms of biometric technology may require a slight change to existing infrastructure: you may need to purchase the scanner and then replace usernames and passwords with fingerprint images. You will also need appropriate software.

Access and Availability: 4-7. Depends on the technology. Optical scanners are found everywhere, whereas ultrasonic biometrics are very hard to find.

Overall Score = 47.5 - 53.5

Face Recognition

Introduction

Facial recognition is a biometric technology that records distinguishing facial geometry and other key focal points on the face. Today, next to fingerprint biometrics, it is the second most commonly used form of biometrics, and it comes bundled with many laptops that have built-in cameras. In the following section we explore how this technology works, its strengths and weaknesses, and how practical it would be in a workstation environment. [9][13]

How It Works

Facial recognition typically requires three components:
1. Camera (the sensor used for capture)
2. Software (responsible for mapping the focal areas that make the face distinct)
3. Hard drive (for storage)
The camera takes an optical image of the face and stores it on the storage device. A specialized camera is not required, but a better webcam may yield lower false rejection rates because of its higher-resolution images. Once the image is taken, the underlying software lays the image out on a grid and maps key points, such as the distance between the eyes and the size and height of the forehead.
[9]

Pros (Face Recognition)
- Does not require a specialized capture device; a simple webcam will do, which can be found for as little as $9.99 at Factorydirect.
- The "something you are" authentication factor is universal: everyone has a face.
- Among the cheaper forms of biometric technology.
- No hygiene-related health concerns, since you don't need to touch the sensor. [18]

Cons (Face Recognition)
- The system's field of view must cover a wide range of heights, from the tallest standing user to a user in a wheelchair.
- Requires the user to face the camera directly during authentication, and the user must reproduce the exact facial expression and position used during registration.
- Lighting must be uniform and consistent, with good front lighting and little back lighting; any change in lighting conditions causes false rejections, which makes it hard to authenticate if the lighting level differs from that of the registered images.
- Some systems can be tricked into accepting photographs or even drawings of faces.
- Since the capture device is optical, malicious users could decapitate a legitimate user to gain access to a resource, putting users' lives in danger. Likewise, an attacker could coerce a legitimate user into looking at the camera to complete an authentication under duress.
- The optical sensor could be tricked with a really detailed mask.
- Privacy concerns: the stored images are photos of your face and can be traced back to you without the need to compare them with anything.
- Accuracy rates are unknown, with a high chance of false negatives, making the whole authentication process painfully longer than it should be. [18]

Ranking Based on Criteria

Number of security holes: 5. Most of the holes relate to tricking the optical sensor, such as using a well-modelled clay face or a photograph, or decapitating the individual who has access and using their face.

Cost: 6-8.5. The scanner (a webcam) varies in price from $9.99 to over $100; the average webcam costs around $19.99.

Ease of Use: 0.5. A huge false rejection rate makes this form of authentication very difficult and frustrating to use.

Increase in Security: 6.5. No huge increase in security over password-based security, except that it cannot be brute-forced.

Scalability: 8. Very scalable, and very software dependent.

Practicality of implementation and modding (How much change to existing infrastructure is needed): 8. Minor to no change to infrastructure. For example, if your workstation environment allows laptops to dock and connect to the network that way, most laptops now come with built-in webcams, so no modification to hardware infrastructure would be required.

Access and Availability: 10. Very easy to find, since any computer store or even retail store should have a basic webcam.

Overall Score = 49 - 51

Personal Experience with Using this Technology

Although the hardware requirement is just a standard webcam and authentication seems simple, face biometrics in general has an extremely high false rejection rate, much higher than the 2-3 swipe requirement for fingerprint recognition. It is so bad, and takes so long to authenticate (10 minutes or more), that I usually have to fall back to the backup authentication method to log into Windows. Software for face recognition usually allows you to store not just one imprint but an unlimited number of images that can be compared against during authentication; in essence, with multiple snapshots taken of your face, the false rejection rate should be lower. In reality, even after I took over 500 images of my face, the authentication process was still bad.
To make matters worse, the system is so sensitive that simply changing chairs (thus lowering or raising the position of your face), moving the system to a different room, or even getting a haircut can completely throw it off and require you to register all new images. My testing was done on my laptop, which can be moved around; this caused the system to reject me because lighting and colour differ from room to room. To offset this, I re-registered my face under various conditions: 250 images in one room under bright light and 250 images under low light, and then the same in other rooms. However, I eventually gave up on this, because every time there was some sort of environmental change, or a change to how I looked, I needed to register all new faces. Another frustrating thing was trying to remember what position and facial expression I used during registration; I eventually defaulted to always putting on a huge, unnaturally large frown, simply because even expressionless faces can be hard to remember. In a workstation environment, even though systems would generally not be moving around, if the system is networked and you need to access a system in another room, lighting would again be a problem.

Retina Scan

Introduction

Often regarded as the successor to the other form of eye biometrics (iris recognition), retina recognition is a very accurate scanning technique that makes use of the unique formation of blood vessels found in the lining of the retina at the back of the eye. The retina is a light-sensitive layer of tissue that captures and interprets what the eye sees. Since the blood vessels within the retina are unique, and since the inside of the eye is not exposed to harsh conditions, it is safe to say that in most cases the unique pattern within the retina will remain the same for the rest of an individual's life.
[9][13]

How Does It Work?

As mentioned, the blood vessels within each individual's retina are unique. The scanner is usually a device the user looks into, focusing the eye on a specific point. Then, for the next 10-15 seconds, a low-intensity light illuminates the blood vessels and the reflected image is photographed for later comparison. [9]

Figure 2.0.1: Large retina-based sensors [12]

Pros (Retina)
- Military-grade reliability
- Very accurate, with a low false positive rate: an error rate of 1 in 10,000,000 compared to 1 in 500 for some fingerprint biometrics
- Almost 0% false negative rate
- The retina does not change throughout life (the only exception being certain diseases)
- Nearly impossible to fake. Even if a person were to lose their eye, the vessels in the eye deteriorate rapidly, so it cannot be used for authentication
- Speedy results [9][13][18]

Cons (Retina)
- Very expensive
- Scanners are often large
- The subject being scanned must be close to the camera optics
- Requires training and patience to use, and is thus not user friendly
- Measurement accuracy can be affected by diseases such as cataracts
- Measurement accuracy can be affected by contact lenses or glasses
- Measurement accuracy can be affected by severe astigmatism
- May not accommodate all people properly; for example, people in wheelchairs may be too low to use a sensor that is large, fixed in place, and requires the user to look directly into it
- Some will find it intrusive, or may even be fearful, because a beam of light (commonly perceived as a laser) is directed into the eye [9][13][18]

Ranking Based on Criteria

Number of security holes: 10. No known exploitable security holes at this time.

Cost: 2. Hardware is too expensive.

Ease of Use: 4. Users must train to be able to use the device.

Increase in Security: 10. One of the most secure forms of authentication used today.

Scalability: 5. Not scalable for smaller workstations with little physical space. The scanner is often big, and some would have difficulty accommodating it.

Practicality of implementation and modding (How much change to existing infrastructure is needed): 4. Lots of accommodations must be made to make room for the scanners.

Access and Availability: 5. Not readily available on the market.

Overall Score = 40

Typing Rhythm

Introduction

The problems of balancing usability and security in text-based password authentication are well documented, and some have suggested that layering biometrics on top of existing passwords can achieve a higher level of security. Typing rhythm is an emerging biometric technology that offers improved security through a form of two-factor authentication: users must not only know their username and password but must also reproduce the distinctive typing pattern of the legitimate user in order to be granted access to a resource. The measurements that provide the "something you are" component of this authentication are digraph latency (the delay between the release of one key and the press of the next) and hold time (the time between the press and the release of a single key), both measured in milliseconds. In the next section we explore the benefits and shortcomings of this technology and see how it may fare in a workstation environment. [9][13]

How Does it Work

The foundation of this technology is simple in concept but complex in implementation. Everything is performed through software that stores not only username and password information but also the streams of digraph latencies and hold times associated with, at minimum, the corresponding username and password. During enrolment, users make up a password.
Then, depending on the software used, one or both of the following happen:
1) After the user comes up with a password, they are told to retype it repeatedly so that the system can learn the timing associated with that specific word.
2) The system evaluates the user's typing patterns during regular PC usage and profiles the user on what it learns during the session.
Obviously, the more information is gathered, the more accurate the profile becomes and the lower the false rejection rate. [18][19]
The above can also be broken into two phases:
- Enrolment phase: keystrokes are collected to form a profile.
- Classification phase: the user provides typing samples that are compared against the profile.

Pros (Typing Rhythm)
- Very little change to existing infrastructure, and no need for special hardware
- No training required
- Offers two-factor authentication (so knowing the user's password is not enough to log in)
- Timing information is difficult to share with others by writing it down
- Forces system administrators to adopt policies requiring passwords of at least 8 characters, since a typing rhythm cannot be (or is difficult to) extracted from short passwords
- Costs the least among the forms of biometrics [18][19]

Cons (Typing Rhythm)
- Attackers may be able to use a recorder to pick up the sound made between keystrokes, and from there attempt to recover the password through traditional means
- The false rejection rate may be high in the beginning, causing user frustration when access is denied
- The technology is not yet widely available, so it is limited to a small pool of vendors. The only large commercial product suite is BioPassword, and it is limited to Windows systems [18][19]

Ranking Based on Criteria

Number of security holes: 7. Attackers may be able to use a recorder to pick up the sound made between keystrokes, and from there attempt to recover the password through traditional means.

Cost: 10. No expensive hardware needed.

Ease of Use: 9. The only form of biometrics that does not require training to use.

Increase in Security: 7. Increased level of security over password-based authentication.

Scalability: 5. Limited support for operating systems other than Windows at the moment.

Practicality of implementation and modding (How much change to existing infrastructure is needed): 10. No additional hardware required; everything is performed through software, which is easy to configure. The standard keyboard serves as the capture device.

Access and Availability: 3. Very much a developing and prototype technology, with limited suites.

Overall Score = 51 (< 53)

Future Outlook and Conclusion for Biometrics

Without a doubt, biometrics is a good approach to improving security within the industry, but at the moment most of the technologies reviewed above either add too much expensive extra hardware to be a widespread replacement for passwords, or are too inaccurate and produce too many false rejections to be productive in a work environment. The only exception that passed the comprehensive scoring system in this paper is fingerprint biometrics; while it still has the disadvantage of requiring specialized scanners, it is very secure, unique, and accurate enough to replace passwords in the near future, provided scanners continue to be integrated into the newer laptops and keyboards being developed. As for which variation (optical, capacitance, ultrasonic) a company should invest in, I believe that is up to the company, as their security needs come into play.
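As an added illustration (not code from the report or from BioPassword), the following Python script implements the typing-rhythm scheme described above and walks through the three phases that the "How does the Technology Work?" section says every biometric shares: enrolment from repeated typings of the password, storage of a timing template, and comparison of a fresh sample against it under a tolerance threshold. The password "secret42", all keystroke timings, the scaled-Manhattan distance, the threshold of 1.5 and the 5 ms floor on spread are assumptions made for the example.

```python
"""Added example: a minimal keystroke-dynamics verifier. Events are
(key, press_ms, release_ms) tuples; every timing below is constructed."""
from statistics import mean, pstdev


def features(sample):
    """Hold time of each key (press -> release of the same key), followed by
    the digraph latency of each key pair (release of one -> press of next)."""
    holds = [rel - prs for _, prs, rel in sample]
    latencies = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return holds + latencies


def enroll(samples, min_sigma=5.0):
    """Enrolment + storage: reduce repeated typings of the same password to a
    template of per-feature mean and spread. The password text is not kept
    here; it is hashed as usual and the timing profile stored beside it
    (encrypted at rest, like any biometric template)."""
    keys = [k for k, _, _ in samples[0]]
    if any([k for k, _, _ in s] != keys for s in samples):
        raise ValueError("every enrolment sample must type the same password")
    columns = list(zip(*(features(s) for s in samples)))
    return {"keys": keys,
            "mean": [mean(c) for c in columns],
            # floor the spread so an unusually consistent enrolment does not
            # make the verifier reject the user's own everyday variation
            "sigma": [max(pstdev(c), min_sigma) for c in columns]}


def score(template, sample):
    """Comparison: scaled Manhattan distance, the mean of |x - mu| / sigma
    over all features. 0 means identical to the enrolment average."""
    if [k for k, _, _ in sample] != template["keys"]:
        return float("inf")          # wrong password text: never accepted
    f = features(sample)
    return sum(abs(x - m) / s for x, m, s in
               zip(f, template["mean"], template["sigma"])) / len(f)


def verify(template, sample, threshold=1.5):
    """Accept when the sample lies within `threshold` scaled units on average.
    Lowering the threshold trades false acceptances for false rejections."""
    return score(template, sample) <= threshold


def make_sample(keys, holds, latencies):
    """Constructed helper: build (key, press, release) events from hold and
    latency lists, starting at t = 0 ms."""
    t, events = 0, []
    for i, k in enumerate(keys):
        if i:
            t += latencies[i - 1]
        events.append((k, t, t + holds[i]))
        t += holds[i]
    return events


# Constructed timings (ms) for the password "secret42": the legitimate
# user's typical holds and latencies, five enrolment typings that drift by
# a few ms, one genuine login attempt, and one impostor who knows the
# password but types it noticeably slower.
KEYS = list("secret42")
BASE_HOLDS = [90, 95, 88, 100, 92, 85, 110, 96]
BASE_LATS = [120, 130, 115, 140, 125, 160, 135]


def _shifted(delta_hold, delta_lat):
    return make_sample(KEYS, [h + delta_hold for h in BASE_HOLDS],
                       [l + delta_lat for l in BASE_LATS])


ENROLMENT = [_shifted(0, 0), _shifted(5, 5), _shifted(-5, -5),
             _shifted(10, 10), _shifted(-10, -10)]
TEMPLATE = enroll(ENROLMENT)
GENUINE = _shifted(3, -2)
IMPOSTOR = _shifted(50, 100)
WRONG_TEXT = make_sample(list("secret43"), BASE_HOLDS, BASE_LATS)

if __name__ == "__main__":
    for name, s in (("genuine", GENUINE), ("impostor", IMPOSTOR),
                    ("wrong text", WRONG_TEXT)):
        print(f"{name:10s} score={score(TEMPLATE, s):6.2f} "
              f"accepted={verify(TEMPLATE, s)}")
```

Two design points matter in practice. The template must be keyed to the password text, because latencies only mean anything for the same key pairs, which is why a short password yields too few features (the 8-character policy mentioned above). And the threshold is the knob behind the "false rejection rate may be high in the beginning" con: with few enrolment samples the measured spread is unreliable, so real deployments keep refining the profile from successful logins.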
Chapter 3: Token Based Authentication

Introduction

Token-based authentication is a growing authentication solution that draws on the "something you have" factor, although most token-based systems combine it with one other factor, either "something you know" or "something you are", in a multi-factor combination. The token itself is usually a small physical key (though not always, since electronic tokens exist and are touched on later): some identifier issued by the system administrator for the purpose of authentication (two-factor authentication). In a sense the token, whether hardware or software, is very much like a key. Keys are used in the real world to open doors; if you do not have a key, or do not have the one that corresponds to the lock, you will not be granted access to what is secured inside. The token is similar in that it is the means of gaining access to protected data, and without it access is denied. The next few paragraphs focus on some of the forms this technology takes, how they work, and the practicality of implementation compared with other authentication technologies. While each vendor implements token-based authentication differently, this paper discusses some of its more common iterations. [23]

How does the Technology Work?

Like biometrics, token-based authentication can take many forms. The technology does not have a single methodology; it can be broken down and implemented in a vast array of configurations. The forms do, however, share some common traits. First, they all make use of a token as a means of proving who a user is.
These tokens also all generally fit into one of 3 categories.

- Paper based tokens—A challenge response that can either take the form of a ‘one time password’ or a ‘grid of codes’ the user enters in response to a challenge.
- Soft tokens—This kind of token system uses digital tokens found on the client machine, usually in the form of a cookie or some other specialized token application.
- Hard tokens—A physical token the user possesses that is used for authentication. It often takes the form of a specialized USB key with an encrypted digital signature on it, or a smartcard.

Hardware tokens are what most people usually think of when they think of token based security as a whole. They are most likely the most secure of the 3, which is attributed to the two factor authentication that comes with having something physical, and as such they will be the focus of this section.

Hardware Token Breakdown

Hardware tokens can be further broken down into three more sub-categories based on how they connect to clients. They include:

Disconnected Tokens

Tokens that don’t make any physical contact with their clients. The authentication value is usually randomly generated and entered manually. E.g. System A’s token generates a random single sign-on one time password on its LCD display and the user punches it into the system during the authentication process. [23]

Figure 3.0.0—Using one-time login generated from token to log into system [27]

Pros (Disconnected Tokens)
- Higher levels of security achieved through multi-level authentication
- Save money on sophisticated token scanning devices
- No wear and tear caused by swiping the token against a reader, which lowers the cost of replacing damaged tokens.
- Randomly generated one time passwords eliminate the risks and problems permitted when users are given the power to come up with their own passwords.
- Multi-factor authentication reduces the risk of compromises occurring due to lost or stolen tokens.
- Immune to replay attacks that plague connectionless tokens
- RSA encryption is added to reduce tampering
- No sophisticated readers or scanners required
- Many vendors to choose from [23]

Cons (Disconnected Tokens)
- Users may lose their token and thus will be denied access to the service until the token is reissued.
- You need a dedicated department to manage tokens at all stages of the token life cycle (e.g. tokens can be lost/broken, new users need new tokens, people leave the organization).
- If the algorithm that generates the one-time password is compromised for a particular vendor, hackers may be able to predict the next occurring one time password.
- These tokens have an LCD display and thus require a small watch battery. As such, users need to replace the internal battery as needed or they may find themselves denied a service should the battery die. The average battery life is 3 years. [23][9]

Ranking Based on Criteria

Category | Score | Reason
Number of security holes | 9.5 | There is a chance that an attacker could somehow get hold of both the physical token and the second authentication requirement, e.g. by forcefully attacking the user, stealing the token and then demanding that they provide the other requirement needed for access (e.g. the password). Even though the token itself is encrypted, if the attacker does somehow figure out the algorithm behind the number generated for the one-time password, the security of the system would be cut in half and all new tokens would need to be purchased (most tokens can’t be upgraded or programmed via firmware update). A study by InfoSec illustrates how lazy some end users are: because of the inconvenience brought in by another layer of authentication, some have defaulted to insecure practices like ‘leaving tokens on their desk’ or in drawers next to the workstation they normally use. Again this cuts security in half, but again complete access for an attacker is still not possible.
Cost | 6.0 | Can be costly if the organization does not have experts on site knowledgeable on how to install the system. Also, tokens themselves have a short life-cycle, and replacements for damaged or lost tokens must be taken into consideration. Estimated life is based on battery life, that is 3-5 years. The cost of the actual token is estimated to be $12.00 [32] per token, but some may be a lot more. Also, some tokens have expiry dates, so it’s important to look at this when purchasing. [31]
Ease of Use | 9.5 | Straightforward. All that is required is that the user gives the system the 3 pieces of information needed to log in: the username (if applicable), the one-time password (displayed on the LCD screen on the token) and the second form of authentication required, which varies depending on the module. Some, however, found disconnected tokens an added inconvenience.
Increase in Security | 9.5 | Few major security risks. Even if the token is stolen by the attacker, the multi-layer authentication requirements needed to gain access to the system will prevent compromise. The second authentication that kicks in could be anything from a user password to biometrics, depending on the vendor.
Scalability | 10 | Disconnected tokens can be deployed in businesses of all sizes; however, the complexity involved in setting up some systems may discourage small business owners with no IT staff.
Practicality of implementation and modding (How much change to existing infrastructure is needed) | 6.5 | Studies show that many IT professionals found hardware tokens “cumbersome to install and maintain, with token deployment proving particularly time-consuming.” [31]
Access and Availability | 7.0 | Many website vendors offer disconnected tokens online, but sometimes you may be forced to buy in large volumes.
Overall Score = 58

Connected Tokens

Tokens that make physical contact with the system during the authentication process. Smart cards and USB tokens fall into this category. [23]

Figure 3.0.1—Example of USB token made by Goldkey
Figure 3.0.2—Smartcard [28]

Notice how the tokens above need to be inserted and left in the system during authentication.

Pros (Connected Tokens)
- Higher levels of security achieved through multi-level authentication
- Multi-factor authentication reduces the risk of compromises occurring due to lost or stolen tokens.
- Immune to replay attacks that plague connectionless tokens
- RSA encryption is added to reduce tampering
- Many vendors to choose from
- The physical token may take many forms, such as a smart card, which can easily fit in a person’s wallet, or a USB key.
- In some software-based connected token variations, the software token is put on a USB key and the reader looks for the token on the key. This allows any key to be used as the token and thus provides flexibility, in that specialized tokens may not be required.
- Connected tokens are cheap to replace
- Long life compared to the battery operated tokens found in the other 2 token variations [23][28][9]

Cons (Connected Tokens)
- Connected tokens are subject to wear and tear simply from daily use and thus have a much shorter life-cycle than the two other token forms.
- Users may lose their token and thus will be denied access to the service until the token is reissued. USB tokens may get replaced faster than smartcards, however, since a USB key is not really a specialized component.
- Very little computational power, since these tokens don’t have an internal battery.
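The disconnected tokens ranked above generate a code that the server accepts only once, which is why both pros lists call them immune to the replay attacks that plague connectionless tokens. The following Python example was written for this edit and is not code from the paper or from any vendor it names; it assumes a counter-based one-time-password construction (the HOTP scheme of RFC 4226, HMAC-SHA1 with dynamic truncation) and uses constructed sample keys, PINs and class names. It shows the token and server halves, a PIN as the “something you know” factor, a look-ahead window for codes the user generated but never typed in, rejection of a reused code and of a revoked token, and, for contrast, a contactless-style tag that answers a fresh reader challenge so that a captured response cannot be replayed in a later session.

```python
# Added example for this edit, not code from the paper or any token vendor.
# Token and server sides of a counter-based one-time password (the HOTP
# construction of RFC 4226), a verifier that demands a PIN as the second
# factor and consumes each code once, and a nonce challenge-response for a
# contactless-style tag. Secrets, PINs and class names are constructed.
import hashlib
import hmac
import secrets
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class DisconnectedToken:
    """The LCD device: shows hotp(secret, counter) and advances the counter each press."""
    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class Verifier:
    """Server record for one user: shared secret, next expected counter, a look-ahead
    window for codes generated but never submitted, and the PIN digest (a slow password
    hash belongs here in a real deployment). Security rests on the key staying secret."""
    def __init__(self, secret: bytes, pin: str, window: int = 5) -> None:
        self.secret, self.window, self.counter = secret, window, 0
        self.pin_digest = hashlib.sha256(pin.encode()).digest()
        self.revoked = False  # life-cycle step 6: a revoked token never verifies again

    def revoke(self) -> None:
        self.revoked = True

    def verify(self, pin: str, code: str) -> bool:
        if self.revoked:
            return False
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_digest)
        # Only counters at or beyond the expected one are tried, so a code that was
        # already accepted (or skipped over) can never be replayed.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if pin_ok:
                    self.counter = c + 1  # consume this code and any skipped ones
                    return True
                return False
        return False

class ContactlessTag:
    """Tag that answers a reader's random challenge; a sniffer sees only (nonce, MAC) pairs."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class ContactlessReader:
    """Reader that issues a fresh nonce per session, so a captured response is useless later."""
    def __init__(self, secret: bytes) -> None:
        self.secret, self.outstanding = secret, None

    def challenge(self) -> bytes:
        self.outstanding = secrets.token_bytes(16)
        return self.outstanding

    def accept(self, response: bytes) -> bool:
        if self.outstanding is None:
            return False
        expected = hmac.new(self.secret, self.outstanding, hashlib.sha256).digest()
        self.outstanding = None  # each challenge may be answered at most once
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    """Walk through the cases the chapter discusses and return the outcome of each."""
    secret = b"12345678901234567890"  # constructed sample key (the RFC 4226 test-vector key)
    token, server = DisconnectedToken(secret), Verifier(secret, pin="4821")
    first = token.next_code()
    out = {"login_ok": server.verify("4821", first)}
    out["replay_rejected"] = not server.verify("4821", first)
    out["wrong_pin_rejected"] = not server.verify("0000", token.next_code())
    for _ in range(3):  # user pressed the button three times without logging in
        token.next_code()
    out["resync_ok"] = server.verify("4821", token.next_code())  # still inside the window
    server.revoke()  # employee leaves: a correct PIN and code are no longer enough
    out["revoked_rejected"] = not server.verify("4821", token.next_code())
    tag_secret = b"constructed-32-byte-tag-secret!!"
    tag, reader = ContactlessTag(tag_secret), ContactlessReader(tag_secret)
    sniffed = tag.respond(reader.challenge())  # what a passive capture device would record
    out["contactless_ok"] = reader.accept(sniffed)
    reader.challenge()  # next session gets a new nonce
    out["contactless_replay_rejected"] = not reader.accept(sniffed)
    return out
```

Calling demo() returns a dictionary in which every entry is True. Two points follow from the code that the ranking tables only hint at: the HOTP algorithm itself is public (RFC 4226), so the concern about an attacker who “figures out the algorithm” really concerns the per-token secret key, and a leaked key is what forces a batch of tokens to be re-keyed or replaced; and the contactless weakness the chapter describes disappears only when the reader contributes fresh randomness to every session, since a tag that transmits the same value each time is replayable no matter how it is encrypted.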
- The smart card version requires special card readers [23]

Ranking Based on Criteria

Category | Score | Reason
Number of security holes | 9.0 | There is a chance that an attacker could somehow get hold of both the physical token and the second authentication requirement, e.g. by forcefully attacking the user, stealing the token and then demanding that they provide the other requirement needed for access (e.g. the password). Even though the token itself is encrypted, if the attacker does somehow figure out the algorithm behind the number generated for the one-time password, the security of the system would be cut in half and all new tokens would need to be purchased (most tokens can’t be upgraded or programmed via firmware update). A study by InfoSec illustrates how lazy some end users are: because of the inconvenience brought in by another layer of authentication, some have defaulted to insecure practices like ‘leaving tokens on their desk’ or in drawers next to the workstation they normally use. Again this cuts security in half, but again complete access for an attacker is still not possible. With smartcards that use the older magnetic strip, there is the possibility that the scanner could be rigged to extract and clone the PKI credentials on the card. Later, the attacker may clone the card.
Cost | 7.0 | USB tokens can really vary in price depending on who you buy from. Also, many suppliers only sell in bulk orders, which have minimum purchase values. Most USB tokens fall within a $50.00-$100.00 range. Some, such as the ones made by SecureID, go for $300.00, but they last 5 yrs. For a cheaper USB solution, there are some solutions that allow you to transfer digital certificates to ordinary USB keys. Smartcards are really cheap at around $0.10 per card but will require a specialized scanner, costing anywhere from $19-73 dollars. In addition, one needs to keep in mind that the everyday swiping of the card against the reader will eventually wear it out and it will need to be replaced. The exposed scanner may also be exposed to abuse by end-users.
Ease of Use | 10 | Anyone who has ever used a debit/credit card should be able to use this technology.
Increase in Security | 8.5 | Risks are low but still possible, especially with smartcards, which are cheap enough to clone.
Scalability | 10.0 | Connected tokens can be deployed in businesses of all sizes; however, the complexity involved in setting up some systems may discourage small business owners with no IT staff. [31]
Practicality of implementation and modding (How much change to existing infrastructure is needed) | 6 | Studies show that many IT professionals found hardware tokens “cumbersome to install and maintain, with token deployment proving particularly time-consuming.” [31] Smartcards require further changes to hardware infrastructure since they require a specialized card reader.
Access and Availability | 6.0 | Connected tokens seem to be offered only by companies that specialize in them. These systems are not something you will find easily in retail. Also, many, especially smartcards, are only sold in large volumes or as packages.
Overall Score = 56.5

Contactless Tokens

Similar to connected tokens except that the connection between the token and the system is made wirelessly instead. E.g. some RFID solutions work by ‘swiping’ a card over a scanner.

Figure 3.0.3—Contactless card and wireless dongle [29]

Pros (Contactless Tokens)
- Higher levels of security achieved through multi-level authentication
- Multi-factor authentication reduces the risk of compromises occurring due to lost or stolen tokens.
- No wear and tear due to physical contact with the reader [30]
- Convenience and speed offered without either having to manually enter a displayed one-time password or inserting a card into the reader (can be read from a distance by the scanner) [30]
- Multiple tags can be read at once (10 – 100) [30]

Cons (Contactless Tokens)
- Susceptible to relay attacks (there are capture devices readily available that capture the encrypted token as it is transmitted from the physical tag to the reader). Attackers can then replay the signal they captured and gain unauthorized access to protected resources. The capture devices for RFID tokens go for only a few hundred dollars, while Bluetooth versions can be done through installable software. [30]
- Easily cracked [34][35]
- Users may lose their token and thus will be denied access to the service until the token is reissued.
- Shorter battery life than connected tokens [35]

Ranking Based on Criteria

Category | Score | Reason
Number of security holes | 6 | Has security issues the other token types don’t have, the most threatening being relay attacks.
Cost | 3 | Very costly; could be anything from a few hundred to a few thousand, and that does not include installation. The high price of this system and the reduced security are attributed to its ease of use.
Ease of Use | 10 | With this system, all you must do is wave the card in front of the scanner and it will read it.
Increase in Security | 3 | Huge security risks because of readily available tools that can be used to compromise systems. Bluetooth contactless tokens are susceptible to the many script kiddie tools available online to download. The encryption used in the Bluetooth token is only 48 bits. RFID is really bad at defending itself against relay attacks, and for a few hundred dollars attackers can purchase scanners that copy RFID authentication sessions from a distance as you make successful logins and then use them later.
Scalability | 10 | Contactless tokens can be deployed in businesses of all sizes; however, the complexity involved in setting up some systems may discourage small business owners with no IT staff.
Practicality of implementation and modding (How much change to existing infrastructure is needed) | 6 | Contactless tokens all require both the token itself and a specialized scanner to operate.
Access and Availability | 6 | RFID contactless tokens are not mainstream while Bluetooth based ones are. The grade here reflects the average of both.
Overall Score = 44

Typical Life Cycle of a Token

Figure 3.0.4—process diagram of token life cycle [23]

1. User Registration—admin creates an account for the user
2. Token Production—A token is created
3. Token Distribution—Token is issued
4. Normal usage—user makes use of the token through regular authentication sessions
5. Replacement—users may damage or misplace tokens, which must then be re-issued by the system administrator.
6. Revocation—recalling and suspending tokens that already exist (e.g. an employee who leaves the company no longer needs access)

Various Vendors and Types of Token Based Solutions
- GoldKey USB tokens (connected)
- NagraID Security (connected smart card)
- VeriSign one-time-passwords (contactless)
- SecureID (disconnected)
- Speedpass (contactless) (uses RFID technology)
- Remote keyless entry systems (contactless)
- Bluetooth tokens (contactless)
- Simage Contactless Tokens (contactless)

Future Outlook and Conclusion For Token Based Security

Definitely one of the better forms of security in terms of practicality. Token based security seems to have a bright future, and while contactless tokens did not perform well in my examination, the other two did, suggesting that this technology is definitely something to look into. There are also a lot of vendors to choose from, which may make selection a bit nerve-racking, but in general, based on scores alone, I feel connected tokens that make use of SmartCards are the best solution because of their much more reasonably priced reader, their two factor security, and the fact that replacement cards are cheap.
The USB tokens also seemed to be a good choice because they did not require specialized readers, but because the individual tokens were a bit pricey, they seem impractical in a way and may prove expensive, since token keeping requires someone to manage the token life cycle.

Interpreting the Results

After evaluating many authentication technologies, it was very surprising to find that none of the systems came even close to a perfect score of 70/70 points. As you may recall from the beginning of this report, the goal was to find systems that meet the minimal passing threshold of 53/70 points in the evaluation system (which equates to a score of about 75% if you do the math). The 75% mark seemed to me a high enough performance level indicator at which a change in authentication might be justified for an organization. Of the systems studied and put through the rigorous tests, only a few met the requirements, and those that did only marginally passed. The scores for the passing systems were as follows:

- Graphical passwords (Passfaces) = 55pts
- Biometrics (Finger Print Recognition) = 53.5pts
- Disconnected Tokens = 58pts
- Connected Tokens = 56.5pts

These borderline results paint a picture of why wide-scale adoption of higher level authentication has not taken off as quickly as it should have, despite the fact that nearly all systems offer improved security over passwords. It is also interesting to note that the systems above were the only ones I found actually being used in industry, and while more exotic forms of authentication systems did exist and addressed various security issues, these systems in the end did not pass the tests and in turn were not really used often in actual practice.
Conclusion

In the end, even though nearly every other form of authentication system offers increased security over password based authentication, once other variables are thrown into the equation you get a better representation of what is actually going on in the market. As such, this marginal improvement may not be enough to stimulate change on a large scale as of yet, and thus we may not be at the point where we can ditch passwords altogether.

Glossary

One-time-password—a randomly generated password that is assigned and used for access for a single session.
Single-sign-on—the practice of using a one-time password for logging in.
Graphical password—authentication system that replaces traditional symbols with graphics.
Biometrics—an authentication system that makes use of the “what you are” factor in order to function. Authentication is usually by means of utilizing a unique trait and comparing it to a match in the system’s database.
Token—an authentication system that utilizes the “what you have” part of security. The token is an object that is used for the authentication process. Many tokens are a physical representation of an object; however, soft tokens also exist.
Contactless Token—works like a connected token except that the connection between the reader and token is made wirelessly.
Disconnected Token—the token generates a one-time-password that is then typed into the system.
Connected Token—a token that needs to make physical contact with the reader to connect to a system.
Paper Tokens—A challenge response that can either take the form of a ‘one time password’ or a ‘grid of codes’ the user enters in response to a challenge.
Soft tokens—This kind of token system uses digital tokens found on the client machine, usually in the form of a cookie or some other specialized token application.
Hard token—A physical token the user possesses that is used for authentication. It often takes the form of a specialized USB key with an encrypted digital signature on it, or a smartcard.
Bluetooth—a 2.45 GHz band wireless standard that is used for the transfer of data over short distances. It is commonly used for connecting peripherals like mice to PCs. Bluetooth devices can be networked together to form a piconet.
Piconet—a small Bluetooth network.
Radio-frequency identification (RFID)—A wireless technology that uses radio waves for information exchange between an electronic tag (or token) and the RFID sensor. They are commonly found in remote garage door opening systems as well as barcode scanners. They seem to have a history of not being very secure and as such are constantly under critical review.
2-factor authentication—an authentication system with two layers of different kinds of authentication. They are normally composed of two of the three kinds of systems: what you know, what you are, what you have.
Multi-factor authentication—an authentication system with many layers of different kinds of authentication, not limited to just two.
Algorithm—a mathematical formula often used to generate pseudo-random numbers in cryptography, or which can be used for the cryptographic key.
Digital Signature—similar to a hand written signature, but applied to digital information. They are often used for data integrity purposes.
Digital Certificate—an electronic document that uses a digital signature to associate a public key with an identity.
Integrity—verifying data is accurate, unaltered and from whom it says it is being sent.
Confidentiality—protecting information from those who do not have privileges to access it.
Authentication—process of verifying who you are so you can access a secure resource.
Encryption—a method of obscuring data so it cannot be read by those who do not have the decryption key.
Decryption—process of making unreadable encrypted data readable.
Smart Card—a pocket sized card that is often used as a security token. They come in connected and disconnected forms. Examples can be found in debit/credit cards used by banks.
False rejection rate (FRR)—a measure used in biometrics of the rate at which valid authentication fails.
False acceptance rate (FAR)—the opposite of FRR and more dangerous; it is the rate at which a system gives unauthorized persons entry to the system.
RSA—a strong public key encryption standard that relies on a one-way function and the assurance that the product of two extremely large prime numbers cannot be factored easily.
Keyloggers—malware that logs user keystrokes. It is normally deployed without the user’s knowledge in order for attackers to harvest sensitive information like credit card numbers and passwords.
Brute-force attack—A kind of password based attack where the entire alpha-numeric combination space is exhausted in order to get the password. The longer the password, the longer the attack takes to cycle through every possible password combination. This attack is usually automated.
Dictionary attack—A kind of password attack that uses commonly used passwords and other dictionary words in an attempt to crack a password. It is typically a faster alternative to the brute-force attack. It is also automated.
Photosite—light sensitive diode that is responsible for recording a single pixel of light.
Optical Scanner—A type of fingerprint scanning method that uses shades of bright and dark light to scan the ridges and valleys of a fingerprint.
Capacitance Scanner—A type of fingerprint scanning method that uses electricity to scan the depth of each valley, using the concept of an open or closed circuit between the peaks and the contact.
Ultrasonic Scanner—A type of fingerprint scanning method that makes use of sound to scan a fingerprint, much like how bats use echo-location to navigate around objects in front of them at night.
Digraph latency—the delay between the release of one key and the pressing of another, measured in milliseconds.
Hold time—the time between the press of a key and its release, measured in milliseconds.

Work Cited

1. Heckle, Rosa, Wayne Lutters, and David Gurzick. "Network authentication using single sign-on." 1 (2008): 10. http://portal.acm.org (accessed February 10, 2010).
2. Adams, Anne, and Martina Angela Sasse. "Users are not the enemy." 42, no. 12 (1999): 40-46. http://portal.acm.org (accessed February 18, 2010).
3. Weinshall, Daphna, and Scott Kirkpatrick. "Passwords you'll never forget, but can't recall." 1 (2004): 1399-1402. http://portal.acm.org (accessed February 18, 2010).
4. Moncur, Wendy, and Grégory Leplâtre. "Pictures at the ATM: exploring the usability of multiple graphical passwords." 1, no. 1 (2007): 887-894. http://portal.acm.org (accessed February 18, 2010).
5. Tari, Furkan, A. Ant Ozok, and Stephen H. Holden. "A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords." 1 (2006): 56-66. http://portal.acm.org (accessed February 8, 2010).
6. Saita, Anne. "Graphical passwords still far from picture perfect." 1, no. 1 (2004): 1-2. http://google.com (accessed March 3, 2010).
7. Chapman, D. Brent, and Elizabeth D. Zwicky. "Building Internet Firewalls." 1 (1999). http://google.com (accessed March 3, 2010).
Heckle, Rosa, Wayne Lutters, and David Gurzick. "Network authentication using single sign-on: the challenge of aligning mental models." 1 (2008): 1-10. http://portal.acm.org (accessed February 18, 2010).
8. Ratha, N.K., J.H. Connell, and R.M. Bolle. "Enhancing security and privacy in biometrics-based authentication systems." 40, no. 3 (2001): 1-21. http://google.com (accessed April 8, 2010).
9. Cranor, Lorrie Faith. Security and Usability. Beijing [u.a.]: O'Reilly, 2005.
10. "Two Factor Authentication, Graphical Passwords - Passfaces." http://www.realuser.com/ (accessed December 18, 2010).
11. "Biometric Technology | eHow.com," n.d. http://www.ehow.com/about_5452533_biometric-technology.html.
12. "Review: Biometrics Technologies Measure Up (Part 2/3)." PhysOrg.com - Science News, Technology, Physics, Nanotechnology, Space Science, Earth Science, Medicine. http://www.physorg.com/news8334.html.
13. "Biometrics.gov - Introduction to Biometrics," n.d. http://www.biometrics.gov/Documents/Glossary.pdf.
14. "Information Security: Covering today's security topics." http://searchsecurity.techtarget.com/ (accessed December 19, 2010).
15. Jermyn, Ian, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin. "The design and analysis of graphical passwords." In Proceedings of the 8th conference on USENIX Security Symposium - Volume 8, 1-1. Washington, D.C.: USENIX Association, 1999. http://portal.acm.org/citation.cfm?id=1251421.1251422.
16. "Sonia Chiasson - Carleton University » Research Interests," n.d. http://hotsoft.carleton.ca/~sonia/wordpress/research-interests/.
17. "HowStuffWorks "How Fingerprint Scanners Work"," n.d. http://computer.howstuffworks.com/fingerprint-scanner3.htm.
18. "Advantages and disadvantages of technologies," n.d. http://biometrics.pbworks.com/w/page/14811349/Advantages-and-disadvantages-of-technologies?mode=print.
19. Ratha, N.K., J.H. Connell, and R.M. Bolle. 2001. Enhancing security and privacy in biometrics-based authentication systems. http://74.125.155.132/scholar?q=cache:rPoYTVV2R0kJ:scholar.google.com/&hl=en&as_sdt=2000.
20. Fernando, Chris. n.d. "Password Protection: How to Create Strong Passwords." PC Magazine Middle and Near East. http://www.pcmag-mideast.com/2010/08/31/password-protection-how-to-create-strong-passwords/.
21. Ives, Blake, Kenneth R. Walsh, and Helmut Schneider. 2004. "The domino effect of password reuse." Commun. ACM 47, no. 4: 75-78. doi:10.1145/975817.975820.
22. Wilson, Tracy V. n.d. "HowStuffWorks "How Biometrics Works"." http://science.howstuffworks.com/biometrics.htm.
23. Borde, Duncan de. "Two-factor authentication." Siemens Insight Consulting. http://www.insight.co.uk/files/whitepapers/Twofactor%20authentication%20%28White%20paper%29.pdf (accessed Feb 2, 2011).
24. Technology News. "The Cost of Implementing Multi-Factor Authentication." www.mirror99.com/20060202/the_cost_of_implementing_multi_factor_cdei.jspx (accessed February 14, 2011).
25. Anon. 2005. Two Factor Authentication, Graphical Passwords - Passfaces. http://www.realuser.com/.
26. Chiasson, Sonia. "Usable Authentication and Click-Based Graphical Passwords." PhD thesis. hotsoft.carleton.ca/~sonia/content/Chiasson_PhDThesis2008_UsableAuthentication.pdf (accessed December 19, 2010).
27. Anon. n.d. Getting Computers to Understand Overlapping Speech - Innovation Toronto. "Simple Arithmetic for Faster, More Secure Websites." http://www.innovationtoronto.com/2011/04/simple-arithmetic-for-faster-more-secure-websites/.
28. Anon. n.d. ExcelSystems. http://www.excelsystems-eg.com/sc.asp.
29. Anon. n.d. Tx Systems, Inc. - Contactless Readers. https://www.txsystems.com/sct.pages.php?p=contactless.
30. Aarti, R. 2000. "Pros and Cons of RFID Technology." http://www.buzzle.com/articles/pros-and-cons-of-rfid-technology.html.
31. InfoSec. 2010. "GrIDsure - Infosec Survey Illustrates Mistrust of Hard Token Based Authentication." News and Press, May 20. http://www.gridsure.com/news/detail.asp?ItemID=164.
32. Anon. n.d. "RSA Lifeboat: It's time to jump ship!" Mi-Token company website. http://mi-token.com/rsa-lifeboat/.
33. Anderson, Ross J. 1994. "Why cryptosystems fail." Commun. ACM 37, no. 11: 32-40. doi:10.1145/188280.188291.
34. Biba, Erin. n.d. "Does Your Car Key Pose a Security Risk?" PCWorld. http://www.pcworld.com/article/119661/does_your_car_key_pose_a_security_risk.html.
35. Admin. 2011. "What are contactless tokens?" uCertify Articles, April 8. http://www.ucertify.com/article/what-are-contactless-tokens.html.