1. Technical Field
This application relates to updating keys for use in authentication.
2. Description of Related Art
Computer networks, and in particular Wide Area Networks (WANs) such as the Internet, provide opportunities for the misuse and abuse of communications traveling over the network. For example, two users (also referred to as “entities”, e.g., a human user and an enterprise server) communicating via the WAN may have their communications intercepted and/or altered. Also, it is possible for one user to misrepresent his, her, or its identity to another user.
Thus, there is a need for both privacy and authentication between users of the network communicating with one another. In other words, users should be able to rely on the fact that their transmissions will not be intercepted or altered, and that transmissions from someone purporting to be a particular user do in fact originate from that user.
Methods for authenticating an identity of a user are known that are based on something the user knows, something the user has, a biological characteristic of the user (sometimes referred to as something the user is) or some combination of those things. One such computer-based authentication method involves the communication of a secret that is unique to a particular entity or user. The user that is seeking authentication transmits the secret to a verifier who authenticates the identity of the user. Typically, a user communicates both identifying information (such as a user name) and a secret (such as a password) to the verifier. The verifier typically possesses records that associate a secret with each user. If the verifier receives a secret that matches an appropriate record, the authentication of the user is successful. If the verifier receives an incorrect secret, the authentication fails.
In some systems, an entity uses a physical or a digital device, referred to as a token, that incorporates a secret. The secret, stored in some manner in the device, may or may not be known to the entity using the device.
To prove knowledge of a secret contained within the device, some devices provide an authentication code that is based upon, but different from, the secret code contained within the device. The use of such an authentication code allows the device to show knowledge of a secret without revealing it. In some systems, the authentication code is based on time-dependent information. The use of this sort of device has security benefits in that the secret is more difficult to determine by eavesdropping in the communications channel between the entity and the verifier, since the secret itself is not revealed.
Time-based authentication systems also associate a user or an entity with a secret, referred to as a seed, typically a number, which is unique to that entity. Authentication systems mathematically combine the secret with a time-varying value and a personal identification code provided by the user to generate an authentication code. These systems generally perform some algorithmic processing of the secret to generate an authentication code that is ultimately used to authenticate the entity. Some time-based authentication systems use a dynamic variable to calculate a non-predictable authorization code that ultimately authenticates the entity. Here, “non-predictable” means that the authorization code is not predictable by a party that does not know the associated secret, the algorithm for calculating the code, or both. The dynamic variable may comprise any code, typically a number, which is defined and determined by the interval of time in which an authentication code is generated. The dynamic variable can change according to any interval of time, e.g., 2 minutes, 5 minutes, 1 hour and the like. Because in these systems the authentication code changes from time to time, intercepted authentication information has a limited value for a limited time because it cannot be used for authentication in the future.
The user may employ a device to algorithmically compute the correct authentication code for a particular time. The algorithm is typically provided to the user in the form of a hardware token loaded with a program for carrying out the predetermined algorithm, although it may be provided as software executing on a general-purpose computer. The device may also allow the user to input a second, personally selected secret, such as a personal identification number (PIN) in order to generate a correct authentication code. Only a correctly entered PIN produces a correct authentication code for a particular time. One such device is the SECURID authentication token, available from RSA, The Security Division of EMC, Bedford, Mass. These devices can display the generated authentication code to the user, who may then communicate the authentication code to the verifier.
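The following is an added worked example of the scheme just described and is not code from this application or from the SECURID product. It assumes an HMAC-SHA256 construction, a constructed seed, a two-minute interval and a six-digit code; the real token algorithm is not disclosed here. The token side combines the seed, the dynamic variable (the index of the current time interval) and the user's PIN into a short code; the verifier, which holds the same seed and PIN record, recomputes the code for the current interval and its neighbours to tolerate clock skew.

```python
import hashlib
import hmac
import struct

# Constructed example values (assumptions, not a real token seed or algorithm).
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
INTERVAL_SECONDS = 120   # the dynamic variable changes every 2 minutes
CODE_DIGITS = 6


def dynamic_variable(unix_time: int, interval: int = INTERVAL_SECONDS) -> int:
    """The time-dependent value: the index of the interval containing unix_time."""
    return unix_time // interval


def authentication_code(seed: bytes, pin: str, unix_time: int,
                        interval: int = INTERVAL_SECONDS,
                        digits: int = CODE_DIGITS) -> str:
    """Token side: combine seed, dynamic variable and PIN into a numeric code.

    HMAC-SHA256 keyed by the seed is an assumed construction. A different PIN,
    or a different interval index, yields an unrelated code, so a code observed
    in one interval cannot be replayed in a later one.
    """
    counter = struct.pack(">Q", dynamic_variable(unix_time, interval))
    mac = hmac.new(seed, counter + pin.encode("utf-8"), hashlib.sha256).digest()
    # Truncate the MAC to a decimal code of the requested length.
    value = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def verify(seed: bytes, pin: str, presented: str, unix_time: int,
           interval: int = INTERVAL_SECONDS, drift: int = 1) -> bool:
    """Verifier side: accept the code for the current interval or any of the
    `drift` neighbouring intervals, to tolerate clock skew between token and
    verifier. The comparison is done with hmac.compare_digest so that the
    verifier's own work does not depend on how many leading digits matched."""
    for offset in range(-drift, drift + 1):
        t = unix_time + offset * interval
        if t < 0:
            continue
        expected = authentication_code(seed, pin, t, interval)
        if hmac.compare_digest(expected, presented):
            return True
    return False


if __name__ == "__main__":
    now = 960  # constructed timestamp; interval index 8
    code = authentication_code(SEED, "1234", now)
    print("token shows:", code)
    print("verifier accepts now:", verify(SEED, "1234", code, now))
    print("verifier accepts three intervals later:",
          verify(SEED, "1234", code, now + 3 * INTERVAL_SECONDS))
```

The drift window is the verifier's trade-off: a wider window tolerates more clock skew but extends the period during which an intercepted code remains usable, which is the "limited value for a limited time" property the text relies on.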
Although the dynamic nature of the generated authentication codes in these systems avoids problems inherent with using fixed authentication codes, such a device is still vulnerable to side channel attacks. In cryptography, a side channel attack is an attack based on information gained from the physical implementation of an authenticating system, rather than brute force or theoretical weaknesses in a mathematical algorithm. For example, timing information can provide an extra source of information which can be exploited to break the system. Some side-channel attacks require technical knowledge of the internal operation of the authenticating system on which the cryptography is implemented, although others are effective as black-box attacks. Attacks that are based on timing information may measure the time it takes to perform algorithmic computations. A timing attack observes data movement into and out of the CPU or memory of the hardware performing the mathematical algorithm. Simply by observing variations in how long it takes to perform cryptographic operations, it may be possible to determine the entire secret key. Such attacks involve statistical analysis of timing measurements, and have been demonstrated across networks.
Side channel analysis techniques are of concern because the attacks can be mounted quickly and can sometimes be implemented using readily available hardware costing from only a few hundred dollars to thousands of dollars. The amount of time required for the side channel attack and analysis depends on the type of attack; some attacks may take only a few seconds. Side channel analysis typically finds some information about the internal state of a cipher, which can be learned by guessing part of a secret key and, additionally, from some statistical property of the cipher that makes the secret key slightly non-random. Timing measurements are fed into a statistical model that can provide the secret key with some degree of certainty. Additionally, the number of samples needed to gain enough information to allow the recovery of the secret key is getting smaller as attacks become more sophisticated.
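A concrete instance of the timing variation described above, added here as an illustration and not taken from the application: a verifier that checks a presented authentication code character by character and stops at the first mismatch performs an amount of work that depends on how much of the guess was correct. The example below counts the characters examined as a stand-in for elapsed time, so the leak is visible without a stopwatch, and contrasts the early-exit check with a fixed-work one. The function names and the six-digit code are constructed.

```python
import hmac


def early_exit_compare(expected: str, presented: str):
    """Naive comparison that returns at the first differing character.

    Returns (match, characters_examined). The second value plays the role of
    elapsed time: it grows with the length of the correct prefix, so it tells
    an observer how close the guess was.
    """
    if len(expected) != len(presented):
        return False, 0
    examined = 0
    for a, b in zip(expected, presented):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def fixed_work_compare(expected: str, presented: str):
    """Comparison that examines every character and accumulates differences
    instead of branching on them. Returns (match, characters_examined); the
    work is always the full length, whatever the guess.

    (Python itself is not a constant-time environment; this illustrates the
    shape of the fix. Real code should call hmac.compare_digest, which applies
    the same idea at the C level.)
    """
    if len(expected) != len(presented):
        return False, 0
    diff = 0
    for a, b in zip(expected, presented):
        diff |= ord(a) ^ ord(b)
    return diff == 0, len(expected)


def leak_profile(expected: str, guesses, compare):
    """Work done by `compare` for each guess. A profile that varies across
    guesses of equal length is the signal a timing attack feeds into its
    statistical model; a flat profile carries no such signal."""
    return [compare(expected, g)[1] for g in guesses]


# Constructed authentication code and guesses of increasing correctness.
EXPECTED_CODE = "483920"
GUESSES = ["000000", "480000", "483900", "483920"]

if __name__ == "__main__":
    print("early-exit work per guess:", leak_profile(EXPECTED_CODE, GUESSES, early_exit_compare))
    print("fixed-work per guess:     ", leak_profile(EXPECTED_CODE, GUESSES, fixed_work_compare))
    print("library check:", hmac.compare_digest(EXPECTED_CODE, GUESSES[-1]))
```

The rising profile from the early-exit comparison is the kind of variation the text says an attacker can measure across a network and resolve statistically; the flat profile is what a verifier should present, which is why the comparison step of code verification is normally implemented with a constant-time routine.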
Further, a third party attacker may enter multiple guesses for the personally selected secret values during an authentication time period. By associating each personally selected secret with the resulting authentication code generated by the device, an attacker may mathematically solve or otherwise determine the personally selected secret. A similar problem could occur if the user mistakenly provides one or more incorrect secret values and communicates one or more incorrect authentication codes on an insecure channel before communicating a correct authentication code generated from a correct secret value. An eavesdropping attacker can obtain sufficient information from these exchanges to mathematically solve for or otherwise determine the personally selected secret. Although this form of attack could be thwarted by always transmitting the authentication code on a secure channel (such as one using encryption), such channels are not available in all environments or at all times. Thus, despite the security advantages of dynamic authentication code methods, some security disadvantages remain.