Email-Security.Net HOME       Papers       Blog       Atom Feed       RSS Feed       Contact Us  
 

"Take Five" In Internet Security

This is a public discussion paper. It may change frequently.
Read the Compact Version    Read Blog    Post Comment


Ed Gerck, Ph.D.
Vernon Neppe, M.D., Ph.D.
Copyright © 2009 by E. Gerck and V. Neppe, first published online on November 10, 2009.
All rights reserved, free copying and citation allowed with source and author reference.
Published online at http://email-security.net/papers/takefive.htm


Abstract

This work applies to all online applications and services that require user login or access control, possibly the top security problem facing Internet users today. We appraise the affordability, security and usability of Internet user access control systems by using five frequently asked questions. We evaluate username/password and the cryptographic systems X.509/PKI, PGP, Voltage (IBE), and ZSentry (NMA). ZSentry is a next-generation technology that is shown to be more affordable, secure and usable than the best point qualities provided by the other solutions.
We need your help. We are conducting a study of user login and access control systems using this methodology. You may participate anonymously. Please Post Your System's Answer To The Five Questions. Thank you!

Introduction: Conventional Systems

In a five-minute appraisal, a typical dialogue with someone claiming that they have a secure server while using username/password authentication would predictably go along these lines:
Q1: Can you use strong authentication as provided by cryptography to control user access?
A: No. The main reason is that this would strongly increase cost and reduce usability when compared with a username/password system. [1], [2]

Q2: How is user access controlled?
A: Access is controlled by username/password, with entries protected online by server-authenticated SSL. [3]

Q3: How do you protect against dictionary attack?
A: User is locked out after three failed attempts.

Q4: How do you protect against someone stealing the password file online?
A: Our servers are in SAS 70 Type II certified data centers, behind advanced firewalls, with network security assurance, actionable vulnerability management, security auditing, and are secure.

Q5: How about if someone has onsite physical access to the server? For example, an employee, a technician?
A: Our employees and service providers are all vetted and trusted, must pass through two-factor authentication barriers, and our servers are in a secure building.
Let's reflect on these answers. Each answer given above to Q3, Q4, and Q5 works as a link in a chain, where the weakest link defines the security. If one answer is broken, the security of the system is broken.

Regarding the Q3 answer, the "3-strikes-you-are-out" dictionary attack defense is defeated, for example, by an adversary that cycles tries over a large number of accounts, with an interval time for returning to each account that is long enough to avoid detection. Additionally, it can be defeated by spoofing and phishing attacks, with or without a man-in-the-middle attack, even with SSL encryption, two-factor authentication, and one-time passwords.

How about adding biometrics? Let us consider an utopical best scenario for biometrics, and with further assurances such that Q3 can be disregarded. Still, the vulnerabilities in the Q4 and Q5 answers would remain (they do not depend on online biometric user authentication) and allow the system to be compromised by attacking either one of them.

A common aspect of systems where passwords are chosen by users is the inevitable existence of weak passwords, even if supposedly avoided by rules requiring passwords with some mix of letters and numbers (which reduces usability because users will more likely forget them and/or make mistakes in their input).

Q4 reflects a fundamental problem with username/password systems, that it is feasible to quickly find weak passwords (which are inevitable, see above) by dictionary attacks online or onsite, even routinely on the very first try.

Q5 reflects another fundamental problem of username/password systems, that is the existence of a target, the password file, even though with encrypted entries and usually hidden in a so-called "shadow" file or as records in an encrypted database file. One-time passwords, such as those that use clock models to generate unpredictable time-codes, also present a vulnerable target in the model records allowing those time-codes to be calculated for verification.

Further on the Q5 topic, although username/password systems can be acquired at very low or no cost, they scale poorly in cost and performance for large number of users and require an operational cost overhead to try to prevent the password file, and other records by consequence, from being stolen online or onsite.

Regarding the Q4 and Q5 answers, not even US Department of Defense and Pentagon servers are secure, and not even the FBI can prevent having a national security traitor for many years among their own directors. Also, statistically, over 70% of security breaches come from insiders (all correctly identified). Thus, while username/password breaches occur every day as we can see in national news, it is clear that any of the answers above may compromise security.

In summary, with conventional systems used today:
1. Cryptographic solutions providing strong authentication [1] are avoided because although they are useful and work well for authenticating servers in SSL, they notoriously lead to increased cost and reduced usability for user access control.

2. Username/password providing simple authentication [3] is more commonly used for user access control because of its comparatively lower cost and acceptable usability. However, even with SSL encryption, two-factor authentication, biometrics, and one-time passwords, such systems are unable to prevent well-known attack vectors from causing security breaches in any of the answers given above to Q3, Q4 or Q5, multiplying the opportunities for attacks.

Next-Generation Systems

Let's use the same five-point dialogue with a system using ZSentry (NMA technology) for user access control. The dialogue goes as follows:
Q1: Can you use strong authentication as provided by cryptography to control user access?
A: Yes. ZSentry delivers strong two-factor authentication and offers improved usability over username/password (specially for credential revocation, recovery and reset), while the total cost of ownership is much less than with conventional systems.

Q2: How is user access controlled?
A: ZSentry accepts user-defined passwords and delivers 6-character usercodes to users, with entries protected online by server-authenticated SSL. The usercode is created by cryptographic methods, is designed to be user-friendly, and is short enough to be mnemonic.

Q3: How do you protect against dictionary attack?
A: Users are temporarily locked out after a small number of failed attempts, mostly to preserve resources. Security, however, does not depend on this block being effective (see Answer to Q5).

Q4: How do you protect against someone stealing the password file online?
A: There are no password or usercode files anywhere. There are, therefore, no such attack targets online or onsite, and no associated scaling limitation, cost overhead, or liability. Hereafter, this property is called sans target.

Q5: How about if someone has onsite physical access to the server? For example, an employee, a technician?
A: In addition to any required physical and network protections, every file is de-identified and protected by strong encryption, with no user-keys available without user authentication, and with a prohibitively large safety factor built-in against direct dictionary attacks on user authentication.
Even in the worst case scenario, if someone would have physical access to the server and is able to boot as root, all user files are de-identified and encrypted with time-varying user-keys. Each user-key is unpredictable, has 128-bits for symmetric keys and 2048-bits for asymmetric keys, cannot be leveraged to other users, and is itself enciphered with no key available. Transferring the encrypted user files to attack them directly in a more powerful computer would require breaking 128-bit symmetric keys or 2048-bit asymmetric keys, which is considered infeasible today.

Thus, ZSentry operates sans target. Starting with the unique property that there are no usercode or password files to be attacked, ZSentry makes the entire system sans target, including user-keys and user files.

In practical terms, user-keys are only decipherable by knowing the user's exact usercode/password combination, which search time can be prohibitively larger (as defined by operational considerations) than when using a conventional username/password system for the same password.

To put this improvement in perspective, a weak password that would enable a dictionary attack to break a conventional username/password account in one millisecond for a given server, could require more than two million years to break the ZSentry system, for the same password and server. This protection time ratio is provided under open access (online or onsite) and is just an example for current systems and current needs; it can become much higher if so desired.

Thus, ZSentry still shares with username/password systems the common aspect of systems where passwords are chosen by users, which is the inevitable existence of weak passwords (see previous section). However, with ZSentry, weak passwords cannot be leveraged into a quick attack because the usercode is unknown, unpredictable, and has a prohibitively large search space (as shown above).

Together, the usercode (what you receive) and the password (what you know) provide sans target, unforgeable two-factor user authentication. A second authentication channel can be added sans target by ZSentry, with one-time passwords provided for example by means of hardware, software, or mobile devices. Mutual authentication can be added also sans target to help allay phishing, spoofing, and man-in-middle concerns.

In a practical example, ZSentry can be used to protect SSL SMTP login. By requiring "always on" SSL, there is no plaintext "bridge" to attack (as possible with web browsers) in order to mount a man-in-the-middle connection. Because the SSL SMTP connection relies on the verified server name that is typed once and then securely stored in the client, which name is also server-authenticated using SSL, spoofing and phishing attacks cannot occur (as possible with web browsers). Unforgeable authentication of both full name and email address is provided by ZSentry, solving some critical usability and security problems [2] relating to key-signing and certificate distribution in X.509/PKI. ZSentry further uses adaptive security, which evaluates threats in real-time and quickly isolates potential attacks, providing immediate service suspension and real-time user-requested revocation.

Where Do We Stand Today?

This topic requires a deeper look into the technical background. The following considerations apply to all online applications and services that require user login or access control, the worst Internet security problem today. The consequent vulnerability of both information and identity create additional security problems such as those derived from impersonation to third-parties and privilege escalation, resulting in a much larger risk surface than the local risk indicates.

ZSentry provides strong authentication credentials [3], defined as used in X.509/PKI [4], but without the user purchasing a CA (Certification Authority) certificate (the usercode is a private digital certificate) or having to safe-keep the private-key (the password is the private-key). ZSentry can be used for user access control and also, for example, to secure email (called ZSentry Mail, or Zmail), providing services including data integrity, data lifetime management and expiration, user identification and two-factor authentication, mutual authentication, user non-repudiation, data confidentiality, encryption, digital signature, credential revocation, recovery and reset, as reviewed in [2].

Because the ZSentry usercode is unpredictable and was designed to be long enough to offer a prohibitively large number of possible combinations to attack, the usercode is able to sufficiently harden the password against dictionary attacks trying to guess the correct usercode + password combination.

Conventional username/password access control, or simple authentication [3], is used by most web services companies, including most companies offering what should be HIPAA-compliant access. However, simple authentication is notoriously insecure and, for example, is no longer accepted for use in online banking by the Federal Financial Institutions Examination Council (FFIEC).

A 2004 paper by Andreas Dittrich and Philipp Reinecke [5] shows step-by-step how an attack on simple authentication could be done rather easily and escalate to total control of the server; and attacks get even easier and more automated every day. For context, the material in Dittrich's paper is useful to help understand why, no matter how clever an implementation may become, user authentication with username/password systems cannot be made secure in terms of the three initial questions Q3, Q4, and Q5. And since username/password systems cannot provide a trustworthy outcome in the authentication layer, it is potentially moot to look into what must be required in further layers, such as authorization.

Thus, the basic limitation of simple authentication, and this was one of the motivations to develop X.509/PKI more than 20 years ago, is that the technology simply cannot answer the critical questions that must be asked at the start, in a simple five-minute appraisal, as shown above.

The ZSentry technology is shown to not have these limitations, leading to a next-generation system that is more affordable, secure and usable than the best point qualities provided by each username/password (usability, cost) and conventional cryptographic solutions (security). [6]

References

[1] Conventional cryptographic solutions include X.509/PKI (Public-Key Infrastructure), PGP (Pretty Good Privacy), and Voltage (using IBE, Identity-Based Encryption). Each of these systems have their usability and security ranges. For a review of X.509/PKI, PGP, and IBE, see [2].

[2] Gerck, E. (2007). Secure email technologies X.509/PKI, PGP, IBE and Zmail. In Corporate Email Management, Chapter 12, Edited by Krishna SJ, Raju E., pp.171-196, Hyderabad, India, ICFAI University Press. Available online at http://email-security.net/papers/pki-pgp-ibe-zmail.pdf

[3] Username/password authentication is also called "simple authentication" in international standard terms (International Telecommunications Union, ITU). To contrast, ITU standards define "strong authentication" when using credentials created by cryptographic methods. The ITU and other standards recommend that only strong authentication should be used as the basis of providing secure services.

[4] Public Key Infrastructure [PKI] is a service of products that provide and manage X.509 digital certificates for public key cryptography. Certificates are issued by a Certification Authority (CA), provide identifiers for the entity (e.g., an individual) named in the certificate, and bind those identifiers to a particular public/private key pair. PKI provides services for programs and applications, including data integrity, user identification and authentication, user non-repudiation, data confidentiality, encryption and digital signature, as reviewed in [2].

[5] Dittrich, A.,  and Reinecke, P. (2004). Testing of Network and System Security. In 2004 Security Seminar, Humboldt University, Berlin. Available online at http://andreas-dittrich.eu/wp-content/uploads/2008/05/testing_paper.pdf

[6] Neppe, V. M. (2008). The email security-usability dichotomy: Necessary antinomy or potential synergism?. In Telicom, 21:3, May-June, pp.15-31. Available online at http://email-security.net/papers/usable-secure-email.pdf.

Contact Information

Ed Gerck, Ph.D.
Vernon Neppe, M.D., Ph.D.

DISCLAIMER:

This paper does not intend to cover all the details of the technologies reported, or all the variants thereof. Its coverage is limited to provide support and references to the work in progress on new email security technology and to unify references, concepts and terminology. No political or country-oriented criticism is to be construed from this work, which respects all the apparently divergent efforts found today on the subjects treated. Products, individuals or organizations are cited as part of the fact-finding work needed for this site and their citation constitutes neither a favorable nor an unfavorable recommendation or endorsement.


We also share a guitar solo of "Take Five" by P. Desmond in classical interpretation & arr. by Douglas Niedt

Copyright © 2009 by E. Gerck and V. Neppe, first published online on November 10, 2009.
All rights reserved, free copying and citation allowed with source and author reference.