As the trend toward computer networking continues, the ability to verify the identity of system users with a high degree of accuracy becomes more important. Adequately secure systems deter, prevent, or detect unauthorized disclosure, modification, or use of information. Systems which cannot differentiate between requests for service by legitimate users and unauthorized access attempts are vulnerable to a variety of attacks.
In the past, it was relatively easy to protect computer systems because they were typically installed in a centralized computing facility. Because the terminals used to access the computer usually were in the same building, only those persons having physical access to the building would be able to use the terminals. However, as networked IT systems proliferate, this level of physical access control becoming much less feasible. The design of open computing systems permits access to more systems, thereby allowing access to legitimate users and intruders, alike.
Among the popular methods used by IT system intruders are:
Password cracking PA1 Exploiting known security weaknesses PA1 Network spoofing PA1 "Social engineering" PA1 Masquerade PA1 Replay PA1 Repudiation PA1 Interception of data PA1 Manipulation of messages
One of the most common techniques used to gain unauthorized system access involves password cracking and the exploitation of known security weaknesses. Password cracking is a technique used to surreptitiously gain system access by using another user's account, often because the other user selected a weak password, for example, one easily guessed, based on knowledge of the user (e.g. wife's maiden name) a password that is susceptible to dictionary attacks (i.e., a brute-force guessing of passwords using a dictionary as the source of guesses). Unauthorized system access can be gained through the exploitation of known security weaknesses, such as system configuration errors, and security bugs.
In network spoofing, a system presents itself to the network as though it were a different system, for example, by presenting the other system's address as its own. In "social engineering," an intruder may call a system operator, pretending to be some authority figure, and demand that a password be changed to allow them access.
Masquerade refers to users representing themselves as other users. Replay of data can be accomplished by recording the authentication data and playing it back at the whim of the intruder. If a user denies sending (or receiving) a communication, the communication has been repudiated. Passive eavesdropping on communications is a simple, but effective, form of data interception. Messages can be manipulated through unauthorized insertions, deletions, or modifications to messages. Clearly, some techniques, when implemented, can be indistinguishable from others, but the effect of these methods is undeniable--compromised computer security.
Users may be able to access network-connected computers from any physical location on the network, indeed from anywhere around the world, and the logical connection which supports a session between the user and a given computer may travel through many communications circuits, each subject to intrusion by the above methods. The increasing level of interconnection between computer systems has made it possible to distribute and process information far more easily than in the past. However, it has also become significantly more difficult to identify system users based on physical location, because the pathway between a user and the computing resources accessed by that user may be impossible to trace. One key process in determining the identity of a user, or claimant, is that of authentication.
Authentication is the verification of the true identity of a user. It is of such fundamental importance in IT systems that the DoD Computer Security Center standard, "Department of Defense Trusted Computer System Evaluation Criteria" (CSC-STD-001-83, August 1983) states: "Without authentication, user identification has no credibility. Without a credible identity (no) security policies can be properly invoked because there is no assurance that proper authorizations can be made." Authentication, then, is essential to the proper use of IT systems handling sensitive data.
The three generally-accepted categories of methods for authenticating a user's identity are based on: (1) something the user knows, such as a password; (2) something the user possesses, such as an authentication token; or (3) some physical characteristic of the user, such as a fingerprint or voice pattern. Collectively, these are called credentials. Authentication systems can be hardware, software, or procedural mechanisms that enable a user to obtain access to computing resources. At the simplest level, the system administrator who adds new user accounts to the system is part of the system authentication mechanism. More sophisticated solutions can use fingerprint readers or retinal scanners to establish a potential user's identity. Without establishing and proving a user's identity prior to establishing a session, an IT system is vulnerable to any sort of attack.
Traditionally, users have been individually supplied with a secret password, which they must submit when requesting access to a particular system. The majority of computer systems in use today rely solely on passwords for authentication. The primary advantage of password-only authentication is that it can be implemented entirely in software, thus avoiding the cost of special purpose authentication hardware. However, password-only systems have a number of disadvantages in practice which restrict their use to applications with minimal security requirements, or situations where password management can be strictly controlled. Suitable secret information often cannot easily be remembered by a human. It may consist, for example, of from 56 to 1024 bits, or an even longer length, of randomly generated material.
A password is a sequence of characters obtained by a selection or generation process from a set of acceptable passwords. A good password system has a very large set of acceptable passwords in order to prevent an unauthorized person (or intruder) from determining a valid password in some way other than learning it from an authorized person (i.e., owner). The set of acceptable passwords should be large enough to assure protection against searching and testing threats to the password, commensurate with the value of the data or resources that are being protected. The set of acceptable passwords must be such that it can be specified easily, that acceptable passwords can be generated or selected easily, that a valid password can be remembered, can be stored reasonably, and can be entered easily.
Broadly stated, the security provided by a password depends on its composition, its length, and its protection from disclosure and substitution during storage and transmission. Composition is defined as the set of characters which may comprise a valid password. The composition of a password depends in part on the device from which the password is going to be entered.
Length is closely associated with composition in assessing the potential security of a password system against an intruder willing to try exhaustively all possible passwords. The length of a password provides bounds on the potential security of a system. The potential number of valid passwords is proportional to the number of characters in the acceptable composition set, raised to the power of the length of the password. The potential number of passwords in a credentialing scheme with a composition of 10 digits and a length of exactly 4 provides for 10.sup.4 or 10,000 possible passwords, ignoring any other limiting factors.
Increasing these parameters would be expected to have a positive effect on the overall security of the system because exhaustive attacks become more difficult. Other factors, though, cannot be ignored in practical password systems. For example, entering a password into an automated authentication system in a secure manner can be a difficult task. An interested observer can detect part or all of a password while the user is entering the password. Computer keyboards are the typical entry device, and are not particularly suited for password entry. A user that is not a trained typist often enters the password slowly, with one finger, allowing a greater degree of observation. Long, random passwords can be more difficult to remember, be entered more slowly and visibly, and may be more subject to error when being entered. Paradoxically, a long, random password thus may be more vulnerable to observation than a short, easily-entered password.
Whether passwords are distributed electronically, in hardcopy form, or through other means, the distribution process also is subject to attack or subversion, and be impotent against disclosure. Sealed envelopes with tamper-evident features can be used for distribution of hardcopy passwords. If an unauthorized party intercepts a tamper-evident envelope and opens it to read the password, the envelope cannot be resealed and sent to the intended recipient without evidence of tampering. This approach relies on the system users to recognize and report suspected disclosure of hardcopy passwords. If a password is compromised in this fashion, there may be a short period of time before the legitimate user detects and reports the compromise.
The effectiveness of passwords often is questioned, primarily because they can be easily forgotten, lost, or given to another person. A user who allows his account to be compromised increases the chances of compromising other accounts or resources. In some circumstances, passwords are shared as "community" passwords among members of an organization because maintaining password integrity is considered as a nuisance that is ineffective and subservient to the organization's primary mission (e.g., health care, banking, law enforcement). Despite the heightened awareness of the need for tighter controls on access to computer systems, it is not unusual for one to find a password written on note paper and taped to a heavily-used monitor in public view.
In these situations, the composition, length, and manner of distribution of the passwords are meaningless. However, passwords can provide reasonable deterrence to unauthorized access if properly handled by people authorized to use them and if properly stored and processed in the password verification system. Token-based credentials can be as susceptible to attack as password systems: tokens (e.g., ID cards) can be lost, stolen, or counterfeited. The bearer of a compromised token can be just as indistinguishable to an IT system as the bearer of a pilfered password.
Authentication systems are useful in commercial and government environments in a myriad of applications. The strength of an authentication system should be chosen to provide a degree of assurance appropriate for the security requirements of the application and environment in which the system is to be used and the security services provided by the system. The central design objective of an authentication system is to protect against adversaries mounting cost-effective attacks on sensitive data, that is, an effective security system design makes the cost of an attempted attack greater than the expected payoff.
As used herein, the concept of identity verification is described primarily with respect to human users but could be applied to other types of users as warranted by the application and with suitable modifications known to skilled artisans.
Reliable authentication mechanisms are critical to the security of any automated information system. If the identity of legitimate users can be verified with an acceptable degree of accuracy, those attempting to gain access without proper authorization can be denied permission to use the system. When a legitimate user's identity is verified, access control techniques are applied to mediate that user's access to system resources. If a computer system cannot verify the identity of users and other computers, the system will not be able to protect itself against unauthorized access.
Networking not only makes it more difficult to identify system users, it also increases the opportunities for unauthorized parties to intercept authentication data passing through the network during the course of a legitimate session between a user and a remote host computer. User passwords are sometimes transmitted through a network in plaintext form. If an attacker is able to monitor the user's session, the attacker may be able to record the user's password or other critical authentication data. This would allow the attacker to masquerade as a valid user by initiating a login on the remote host and submitting the user's authentication data when the host requests it.
Some systems apply a cryptographic algorithm to scramble (encrypt) passwords before they are transmitted, so that the plaintext password is not exposed. However, an attacker may still be able to record the encrypted password, and gain access to the host computer by submitting the encrypted value. In either case, the host computer will be unable to distinguish between the attacker and a valid user, and will grant access to the attacker. This "replay" attack can be defeated by using a random challenge/response mechanism in which a variable parameter (typically time-varying) is integrated into the encrypted password and an attempted replay of the "stale" password reveals the attacker, thus permitting the system to preserve its integrity. Obviously, the security of a replay-prevention technique hinges on the generation of random challenges which have a low probability of being repeated.
Furthermore, an IT system typically stores passwords for use in the authentication process. When a user attempts to login to the system, the user will submit a password which must be compared to the stored password, or some one-way mapping thereof, which the system knows to be valid for that user. Protection can be provided for passwords by storing them in a physically separate area which can only be accessed by authorized system components. Stored passwords may also be protected by encryption or through the application of a one-way mapping function before storage.
The aforementioned shortcomings of existing authentication schemes are magnified when human users are required to access multiple services on multiple hosts. Separate authentication events may be required for each service a user wishes to access, particularly if these services are resident on separate host machines. Users might, for example, be required to provide a separate password for each service. In some cases, services or host computers may even use different authentication techniques which would, for example, force users to memorize passwords for some services and carry tokens or provide biometric scans for others. This situation quickly becomes an unreasonable burden for users, and can lead to, or exacerbate, poor security practices.
To address the problems described above, login authentication schemes have been developed that only require users to authenticate once during a session. These approaches are commonly referred to as unitary login, or single sign-on. Unitary login is generally a two-step process, in which the user first authenticates to a user using, for example, a password, token, or biometric sample. The principal may be the user's workstation, a physical authentication token, or some other device. Then, as the user requests access to various services, the principal is responsible for authenticating the user to each service.
Conceptually, the principal acts as a proxy for the user in conveying the original authentication event, and automates subsequent authentications with little or no intervention from the user. These subsequent authentications are usually based on strong cryptographic protocols which are secure across communications networks. Both the principal and the verifying entity of the service accessed by the user must understand, and adhere to, the pre-arranged authentication protocol. Also, it is preferred that the principal be responsible for determining the point at which a given user's current authentication terminates. This termination point is often tied to the end of a user's login session.
Authentication based on public key cryptography may have an advantage over other authentication schemes because no secret information has to be shared by the entities involved in the exchange. A user presenting for authentication can use a private key to digitally sign a random number challenge issued by the verifying entity. This random number is desired to be a time-variant parameter which is unique to the authentication exchange. If the verifier can successfully verify the signed response using the user's public key, then the user has been successfully authenticated.
The foregoing interactive exchange is sometimes referred to as a "zero-knowledge proof" in which knowledge of the private is proved without divulging the actual key. That is, the prover convinces the verifier of a statement (with high probability) without revealing any information about how to go about proving that statement.
Because a given user's private key does not need to be shared with other parties, there is a strong association between the user's identity and possession of the private key. Digital signatures can be used for authentication as follows: when a host system wishes to verify the identity of a user who is in possession of a particular private key, the host system can challenge the user with an electronic message. The user would sign this message with the private key and return the signature to the host system. The host can then verify the signature, and thus the identity of the user, with the user's public key. Because only one specific user possesses a particular private key, a signature generated by this key is strong proof of the user's identity.
These cryptographic methods are referred to as "asymmetric" or "two-key" methods, because they rely on two different keys to perform cryptographic processing of data. The requisite keys are generated and used in pairs consisting of private and public key components. Because there is no longer a single secret key shared by a pair of users, and each user has his own key material, public-key techniques differ from conventional systems. Furthermore, the key material of each user is divided into two portions, a private component and a public component. The public component generates a public transformation E, and the private component generates a private transformation D.
The public key becomes in effect part of the user's identity, and should be made as well known as necessary, like a phone number. Conversely, the private key should be known only to the user, because it can be used to prove ownership of the public key and thus the user's identity. A desirable property of public key systems is that it essentially computationally infeasible to derive a user's private key from the corresponding public key, so free distribution of the public key theoretically poses no threat to the secrecy of the private key. The private key can be used to create a digital signature which is unique to the signer, which signature is infeasible to forge and can be verified electronically.
Also, public key cryptography makes it possible to place the authentication information under the direct control of the system user. For access control, this is especially helpful because secret authentication information need not be distributed throughout the system.
However, the security of authentication protocols based on secret- or public-key cryptography is dependent on the level of protection provided for the private keys and, for public-key cryptography, the degree to which a verifier trusts the source of the public keys. Authentication using secret-key systems requires sharing of some secret data, with the attendant risk of discovery and misuse of the secret information. Also, a trusted third party may need to act as an intermediary in secret key systems, risking message repudiation or, in some instances, widespread forgery due to an attack on the third party's central database. In the latter case, the cost for refreshing all compromised keys to an organization could be staggering. Where trusted third parties are needed to certify the validity of a principal's public key, the risk of compromise of the trusted third party's private key is much reduced, but not eliminated, as compared with an attack on a secret-key database.
In the event an intruder, having knowledge of the encryption algorithms used, gains access to the encrypted private keys, the integrity of those private keys based on immutable properties may be forever lost. This can be a risk for both secret- and public-key approaches.
Furthermore, where a certifying authority is interposed between the communicating parties in a public-key system, a successful attack on the authority by an adversary will allow the adversary to impersonate whomever the adversary chooses by using one of the compromised authority's public key certificates to bind a key of the adversary's choice to the name of another user. As before, it is critically important to an authentication system to permit rapid, widespread key refreshment if compromised keys are discovered.
Two authentication schemes use fingerprint-related data, or minutiae, to verify successful key recovery. For example, Veridicom, Inc. of Santa Clara, Calif., has described a solution that uses an algorithm based on graph theory to verify successful key recovery. Because this solution derives the key from true minutiae, rather than false minutiae, key refresh in the event of compromise is problematic, regardless of the encryption technique employed. Barring the use of a compromised fingerprint can potentially bar the compromised user from ever again gaining access to the system.
In another example, U.S. Pat. No. 5,541,994, Fingerprint Controlled Public Key Cryptographic System (Tomko, et al.), the system generates a cryptographic key from an analog, optical transform of a fingerprint, as opposed to a reduction to digital minutiae. In addition to the complexities imposed by the analog implementation, the system creates the key from the actual biological sample. As before, key refresh in the event of key compromise poses a particularly vexing challenge, given that the compromised user is saddled with forever bearing the basis for the compromised key--his fingerprint. This patent is herein incorporated by reference in its entirety.
In U.S. Pat. No. 5,621,515, Identification System Using Regions Of Predetermined Properties Interspersed Among Regions Of Other Properties (Hoshino, et al.), a system attempts to obfuscate authentication data by combining effective and ineffective identification regions which are hardly distinguishable by naked eyes. This system relies upon a predetermined pattern of diffracted light being reflected by the identification regions. These regions are permanently affixed to an authentic article. The system is defeated, however, in the event a forger gains access to a "genuine optical reader/writer," in which case the effective and ineffective identification regions are revealed. Because the identification regions are affixed to the article, the obfuscating pattern can not be altered or updated without damaging the article. This patent is herein incorporated by reference in its entirety.
What is needed, then, is an apparatus, method, and computer program to provide an enhanced level of security to IT systems by providing users or claimants with a secure, unique, easy-to-use credential that is passively in their possession, and not susceptible to omission, subversion, loss or theft. Furthermore, where immutable characteristics such as fingerprints and fingerprint minutiae are used to authenticate a system user, it is desirable to obviate the difficulties that may arise in the event the user's fingerprint is compromised. In such cases, it is particularly desirable to provide a refreshed encryption key, which may be quite difficult if the key is based on immutable features. In general, there is a need for an apparatus, method, and computer program that provides an enhanced degree of self-authentication for an entity.