As remote access to computer systems and applications grows in popularity, the number and variety of transactions conducted remotely over public networks such as the Internet has increased dramatically. This popularity has underlined a need for security, in particular authentication and data integrity. Authentication deals with ensuring that people who remotely access an application are who they claim to be, and that the transactions conducted remotely are initiated by legitimate individuals. Data integrity deals with ensuring that transaction data has not been altered before it is received by the application server.
In the past, application providers have relied on static passwords as client credentials to provide the security for remote applications. In recent years, it has become evident that static passwords are not sufficient and that more advanced security technology is required.
Several software- or hardware-based solutions have been devised to provide a higher level of security. The most important ones are hardware-based strong authentication tokens, smart cards, USB tokens, and authentication software. These solutions and their respective advantages and disadvantages are discussed in the following paragraphs.
A hardware-based strong authentication token is a pocket-size, battery-powered device with its own display and keypad. In some cases the keypad is reduced to a single button or even omitted completely. The main purpose of a strong authentication token is to generate so-called ‘One-Time Passwords’ (OTPs) as client credentials. In some cases strong authentication tokens are also capable of generating electronic signatures or Message Authentication Codes (MACs) on data that has been entered on the token's keypad (these signatures and MACs are also considered to be covered by the term “client credentials”). If the token has a keypad, usage of the token is often protected by a personal identification number (PIN). To generate OTPs or MACs, strong authentication tokens perform a cryptographic calculation on a dynamic variable, such as a time indicator, a counter, a challenge or transaction data, using a symmetric cryptographic algorithm parameterized with a secret value or key. Typical examples of such algorithms are symmetric encryption/decryption algorithms, such as DES (Data Encryption Standard), 3DES (Triple DES) or AES (Advanced Encryption Standard), and/or keyed one-way hash functions such as HMAC-MD5 or HMAC-SHA-1 (OATH-compliant tokens, for instance, compute HMAC-SHA-1 over a counter or time-step value and truncate the result to a short decimal code). Because the OTP is a function of the dynamic variable, a value that was captured in transit is useless once the counter has advanced or the time step has elapsed, which is what distinguishes it from a static password.
The advantages of hardware-based strong authentication tokens include a very high level of security, independence of application, and independence of delivery channel (there is no need to install any driver).
Disadvantages include a certain minimum size and volume due to the presence of display, battery and keypad; a certain minimum cost due to the presence of those same elements; and practical limitations on the nature and size of data that can be signed (because all data needs to be manually input by the user on a keypad, which is usually numerical).
Smart cards are essentially microprocessors embedded in a credit card sized piece of plastic. They are often capable of performing sophisticated cryptographic algorithms. Examples include so-called EMV-compliant bank cards (EMV is the abbreviation of “Europay, Mastercard, Visa”) to secure payments and PKI (Public Key Infrastructure) cards capable of making generic digital signatures on any kind of electronic data.
Advantages of smart cards include a high level of security, broad applicability to a wide range of applications (securing payments, protecting e-mail, computer login, signing electronic documents, . . . ), and a very practical form factor (they can be carried along with credit cards in a wallet).
Disadvantages include a complex technical interface (requiring specific command structures and drivers), dependence on specific reader infrastructure (which very often means that end users have to install smart card readers on their client computers, which is not always possible), and relatively high direct and indirect costs.
USB (Universal Serial Bus) authentication tokens try to overcome some of the major disadvantages of smart cards by combining into a single hardware device the functions of both a smart card reader and a smart card. Usually such USB tokens offer the same functionality as PKI enabled smart cards. USB tokens interact with a host according to the USB specification [USB Implementers Forum. Universal Serial Bus Specification Revision 2.0. Compaq Computer Corporation et al., 2000.].
Disadvantages of USB tokens include the need to install a driver prior to use, specific security issues (once the token is connected and unlocked, malicious software on the host can ask it to perform security-sensitive operations without the user noticing, because the token has no display or keypad of its own on which the operation could be shown or confirmed), and, for PKI-based USB tokens, high cost and a need for large amounts of data to be exchanged.
Several software-only security solutions exist whereby all cryptographic operations are performed on the user's PC instead of in dedicated hardware. One example consists of so-called software certificates, whereby a PKI private key and certificate are stored in a software repository. Another example consists of so-called software tokens, which emulate in software the functionality of hardware strong authentication tokens.
By avoiding the need for hardware, these software solutions try to circumvent the cost and complexity often associated with rolling out hardware solutions. However, since the cryptographic calculations take place on the user's PC, every secret key involved in those calculations must at some point be present in the clear in that PC's memory, where malicious software running on the same machine can read it. This makes software solutions inherently less secure. Another disadvantage of software solutions is that they quite often rely on a file containing cryptographic secrets being present on the client PC, which considerably reduces the user's ability to work from any client PC (mobility).