"Take Five" In Internet Security
Ed Gerck, Ph.D.
Vernon Neppe, M.D., Ph.D.
Copyright (c) 2009 by E. Gerck and V. Neppe, first published online on November 10, 2009.
All rights reserved, free copying and citation allowed with source and author reference.
Published online at http://email-security.net/papers/takefive.htm
Abstract
This work applies to all online applications and
services that require user login or access control, possibly the top
security problem facing Internet users today. We appraise the affordability, security and usability of Internet user access control systems by using five
frequently asked questions. We evaluate username/password and
the cryptographic systems X.509/PKI, PGP, Voltage (IBE), and ZSentry (NMA). ZSentry is a next-generation
technology that is shown to be more affordable, secure and usable than the best point qualities provided by
the other solutions.
Introduction: Conventional Systems
In a five-minute appraisal, a typical dialogue with someone claiming that they have a secure server while
using username/password authentication would predictably go along these lines:
Q1: Can you use strong authentication as provided by cryptography to control user access?
A: No. The main reason is that this would strongly increase cost and reduce usability when
compared with a username/password system. [1], [2]
Q2: How is user access controlled?
A: Access is controlled by username/password, with entries protected online by server-authenticated SSL. [3]
Q3: How do you protect against dictionary attack?
A: User is locked out after three failed attempts.
Q4: How do you protect against someone stealing the password file online?
A: Our servers are in SAS 70 Type II certified data centers, behind advanced firewalls, with network security
assurance, actionable vulnerability management, security auditing, and are secure.
Q5: How about if someone has onsite physical access to the server? For example, an employee, a technician?
A: Our employees and service providers are all vetted and trusted, must pass through two-factor
authentication barriers, and our servers are in a secure building.
Let's reflect on these answers. Each answer given above to Q3, Q4, and Q5 works as a link in a chain,
where the weakest link defines the security. If one answer is broken, the security of the system is broken.
Regarding the Q3 answer, the "3-strikes-you-are-out" dictionary attack defense is defeated, for example, by
an adversary that cycles tries over a large number of accounts, with an interval time for returning
to each account that is long enough to avoid detection. Additionally, it can be defeated by spoofing and
phishing attacks, with or without a man-in-the-middle attack, even with SSL encryption, two-factor
authentication, and one-time passwords.
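The weakness in the Q3 answer can be seen from the defender's side by comparing two rules over the same login log. The
following is an added example, not part of the original paper: the log format, the thresholds, the 15-minute counting
window and the sample addresses (documentation ranges) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(line):
    """Parse 'ISO-timestamp source user OK|FAIL' (a log format assumed for this example)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result == "FAIL"

def locked_accounts(events, strikes=3, window=timedelta(minutes=15)):
    """Per-account rule from the Q3 answer; the 15-minute counting window is an assumption."""
    recent, locked = defaultdict(list), set()
    for ts, _src, user, failed in events:
        if not failed:
            recent[user].clear()  # a successful login resets the strike counter
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= strikes:
            locked.add(user)
    return locked

def spraying_sources(events, min_accounts=5, window=timedelta(hours=24)):
    """Cross-account rule: flag a source whose failures span many distinct accounts."""
    fails, flagged = defaultdict(list), set()
    for ts, src, user, failed in events:
        if not failed:
            continue
        fails[src] = [(t, u) for t, u in fails[src] if ts - t <= window] + [(ts, user)]
        if len({u for _t, u in fails[src]}) >= min_accounts:
            flagged.add(src)
    return flagged

def sample_log():
    """Constructed data: one source tries 6 accounts once per round, rounds 4 hours apart,
    plus a legitimate user who mistypes twice and then logs in."""
    start = datetime(2009, 11, 10)
    lines = [f"{(start + timedelta(hours=4 * r, minutes=i)).isoformat()} 203.0.113.7 user{i} FAIL"
             for r in range(3) for i in range(6)]
    lines += ["2009-11-10T09:00:00 198.51.100.4 alice FAIL",
              "2009-11-10T09:00:20 198.51.100.4 alice FAIL",
              "2009-11-10T09:00:45 198.51.100.4 alice OK"]
    return sorted(lines)  # ISO timestamps sort chronologically as text

if __name__ == "__main__":
    events = [parse(line) for line in sample_log()]
    print("locked by 3-strikes rule:", locked_accounts(events))
    print("flagged by cross-account rule:", spraying_sources(events))
```

On the constructed log the per-account rule locks nothing, while the cross-account rule flags the single source that
failed against many accounts; the legitimate user who mistyped twice is not flagged by either rule.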
How about adding biometrics? Let us consider a utopian best-case scenario for biometrics, with further assurances such
that Q3 can be disregarded. Still, the vulnerabilities in the Q4 and Q5 answers would remain (they do not depend on
online biometric user authentication) and allow the system to be compromised by attacking either one of them.
A common aspect of systems where passwords are chosen by users is the inevitable existence of weak
passwords, even if supposedly avoided by rules requiring passwords with some mix of letters and numbers (which
reduces usability because users will more likely forget them and/or make mistakes in their input).
Q4 reflects a fundamental problem with username/password systems, that it is feasible to quickly find weak
passwords (which are inevitable, see above) by dictionary attacks online or onsite, even routinely on the very first try.
Q5 reflects another fundamental problem of username/password systems, that is the existence of a target, the
password file, even though with encrypted entries and usually hidden in a so-called "shadow" file or as records in
an encrypted database file.
One-time passwords, such as those that use clock models to generate unpredictable time-codes, also present a
vulnerable target in the model records allowing those time-codes
to be calculated for verification.
Further on the Q5 topic, although username/password systems can be acquired at very low or no cost, they
scale poorly in cost and performance for large numbers of users and require an operational cost overhead to
try to prevent the password file, and other records by consequence, from being stolen online or onsite.
Regarding the Q4 and Q5 answers, not even US Department of Defense and Pentagon servers are secure, and not even
the FBI can prevent having a national security traitor for many years among their own directors. Also, statistically,
over 70% of security breaches come from insiders (all correctly identified). Thus, while username/password breaches
occur every day as we can see in national news, it is clear that any of the answers above may compromise security.
In summary, with conventional systems used today:
1. Cryptographic solutions providing strong authentication [1] are avoided because although they are useful
and work well for authenticating servers in SSL, they notoriously lead to increased cost and reduced usability
for user access control.
2. Username/password providing simple authentication [3] is more commonly used for user access control because
of its comparatively lower cost and acceptable usability. However, even with SSL encryption, two-factor
authentication, biometrics, and one-time passwords, such systems are unable to prevent well-known attack vectors
from causing security breaches in any of the answers given above to Q3, Q4 or Q5, multiplying the opportunities
for attacks.
Next-Generation Systems
Let's use the same five-point dialogue with a system using ZSentry (NMA technology) for user access control.
The dialogue goes as follows:
Q1: Can you use strong authentication as provided by cryptography to control user access?
A: Yes. ZSentry delivers strong two-factor authentication and offers
improved usability over username/password (especially for credential revocation, recovery and reset),
while the total cost of ownership is much less than with conventional systems.
Q2: How is user access controlled?
A: ZSentry accepts user-defined passwords and delivers 6-character usercodes to users, with entries protected
online by server-authenticated SSL. The usercode is created by
cryptographic methods, is designed to be user-friendly, and is short enough to be mnemonic.
Q3: How do you protect against dictionary attack?
A: Users are temporarily locked out after a small number of failed attempts, mostly to preserve resources.
Security, however, does not depend on this block being effective (see Answer to Q5).
Q4: How do you protect against someone stealing the password file online?
A: There are no password or usercode files anywhere. There are, therefore, no such attack targets online or
onsite, and no associated scaling limitation, cost overhead, or liability. Hereafter, this property is called
sans target.
Q5: How about if someone has onsite physical access to the server? For example, an employee, a technician?
A: In addition to any required physical and network protections, every file is de-identified and
protected by strong encryption, with no user-keys available without user authentication, and with a
prohibitively large safety factor built-in against direct dictionary attacks on user authentication.
Even in the worst case scenario, if someone
would have physical access to the server and is able to boot as root, all user files
are de-identified and encrypted with time-varying user-keys. Each
user-key is unpredictable, has 128 bits for symmetric keys and 2048 bits for asymmetric keys,
cannot be leveraged to other users, and is itself enciphered with no key available. Transferring the encrypted
user files to attack them directly in a more powerful computer would
require breaking 128-bit symmetric keys or 2048-bit asymmetric keys, which is considered infeasible today.
Thus, ZSentry operates sans target. Starting with the unique property that there are no usercode or
password files to be attacked, ZSentry makes the entire system sans target, including user-keys and user files.
In practical terms, user-keys are only decipherable by knowing the user's exact usercode/password combination,
whose search time can be prohibitively larger (as defined by operational considerations) than when using a
conventional username/password system for the same password.
To put this improvement in perspective, a weak password that would enable a dictionary attack to
break a conventional username/password account in one millisecond for a given server, could
require more than two million years to break the ZSentry system, for the same password and server.
This protection time ratio is provided under open access (online or onsite) and is just an example for current
systems and current needs; it can become much higher if so desired.
Thus, ZSentry still shares with username/password systems the common aspect of systems where passwords are
chosen by users, which is the inevitable existence of weak passwords (see previous section). However, with
ZSentry, weak passwords cannot be leveraged into a quick attack because the usercode is unknown, unpredictable, and
has a prohibitively large search space (as shown above).
Together, the usercode (what you receive) and the password (what you know) provide sans target,
unforgeable two-factor user authentication. A second authentication channel can be added sans target by
ZSentry, with one-time passwords provided for example by means of hardware, software, or mobile devices. Mutual
authentication can be added also sans target to help allay phishing, spoofing, and man-in-the-middle concerns.
In a practical example, ZSentry can be used to protect SSL SMTP login. By requiring "always on" SSL, there is
no plaintext "bridge" to attack (as possible with web browsers) in order to mount a man-in-the-middle connection.
Because the SSL SMTP connection relies on the verified server name that is typed once and then securely
stored in the client, which name is also server-authenticated using SSL, spoofing and phishing attacks
cannot occur (as possible with web browsers). Unforgeable authentication of both full name and email address
is provided by ZSentry, solving some critical usability and security problems [2]
relating to key-signing and certificate distribution in X.509/PKI. ZSentry further uses adaptive
security, which evaluates threats in real-time and quickly isolates potential attacks, providing
immediate service suspension and real-time user-requested revocation.
Where Do We Stand Today?
This topic requires a deeper look into the technical
background. The following considerations apply to all online applications and services that require user
login or access control, the worst Internet security problem today. The consequent vulnerability of both
information and identity creates additional security problems such as those derived from impersonation
to third-parties and privilege escalation, resulting in a much larger risk surface than the
local risk indicates.
ZSentry provides strong authentication credentials [3], defined as used in X.509/PKI [4], but
without the user purchasing a CA (Certification Authority) certificate (the usercode is a private digital
certificate) or having to safe-keep the private-key (the password is the private-key). ZSentry can be used for
user access control and also, for example, to secure email (called ZSentry Mail, or Zmail),
providing services including data integrity, data lifetime management and expiration, user identification
and two-factor authentication, mutual authentication, user non-repudiation,
data confidentiality, encryption, digital signature, credential revocation, recovery and reset, as
reviewed in [2].
Because the ZSentry usercode is unpredictable and was designed to be long enough to offer a prohibitively
large number of possible combinations to attack, the usercode is able to sufficiently harden the password
against dictionary attacks trying to guess the correct usercode + password combination.
Conventional username/password access control, or simple authentication [3], is used by
most web services companies, including most companies offering what
should be HIPAA-compliant access. However, simple authentication is
notoriously insecure and, for example, is no longer accepted for use in online banking by the Federal
Financial Institutions Examination Council (FFIEC).
A 2004 paper by Andreas Dittrich and Philipp Reinecke [5] shows step-by-step how an attack on simple
authentication could be done rather easily and escalate to total control of the server;
and attacks get even easier and more automated every day. For context, the material
in Dittrich's paper is useful to help understand why, no matter how
clever an implementation may become, user authentication with username/password systems cannot be made
secure in terms of the three initial questions Q3, Q4, and Q5. And since username/password systems
cannot provide a trustworthy outcome in the authentication layer, it is potentially moot to look
into what must be required in further layers, such as authorization.
Thus, the basic limitation of simple authentication, and this was one of the
motivations to develop X.509/PKI more than 20 years ago, is that the
technology simply cannot answer the critical questions that must be
asked at the start, in a simple five-minute appraisal, as shown above.
The ZSentry technology is shown to not have these limitations, leading to a next-generation
system that is more affordable, secure and usable than the best point qualities provided by each
username/password (usability, cost) and conventional cryptographic solutions (security). [6]
References
[1] Conventional cryptographic solutions include X.509/PKI (Public-Key Infrastructure), PGP (Pretty
Good Privacy), and Voltage (using IBE, Identity-Based Encryption). Each
of these systems has its usability and security ranges. For a
review of X.509/PKI, PGP, and IBE, see [2].
[2] Gerck, E. (2007). Secure email technologies X.509/PKI, PGP, IBE and Zmail. In Corporate
Email Management, Chapter 12, Edited by Krishna SJ, Raju E.,
pp.171-196, Hyderabad, India, ICFAI University Press.
Available online at http://email-security.net/papers/pki-pgp-ibe-zmail.pdf
[3] Username/password authentication is also called "simple
authentication" in international standard terms (International
Telecommunications Union, ITU). To contrast, ITU standards define "strong authentication" when
using credentials created by cryptographic methods. The ITU and other standards recommend
that only strong authentication should be used as the basis of providing secure services.
[4] Public Key Infrastructure [PKI] is a service
of products that provide and manage X.509 digital certificates for public key
cryptography. Certificates are issued by a Certification Authority (CA),
provide identifiers for the entity (e.g., an individual) named in the certificate, and bind those identifiers
to a particular public/private key pair. PKI provides services for programs and applications,
including data integrity, user identification and authentication, user non-repudiation, data confidentiality,
encryption and digital signature, as reviewed in [2].
[5] Dittrich, A., and Reinecke, P. (2004).
Testing of Network and System Security. In 2004 Security Seminar,
Humboldt University, Berlin. Available online at
http://andreas-dittrich.eu/wp-content/uploads/2008/05/testing_paper.pdf
[6] Neppe, V. M. (2008). The email
security-usability dichotomy: Necessary antinomy or potential
synergism?. In Telicom, 21:3, May-June, pp.15-31.
Available online at http://email-security.net/papers/usable-secure-email.pdf
Contact Information
Ed Gerck, Ph.D.
Vernon Neppe, M.D., Ph.D.
DISCLAIMER:
This paper does not intend to cover all the details of the technologies
reported, or all the variants thereof. Its coverage is limited to
provide support and references to the work in progress on new email
security technology and to unify references, concepts and terminology. No
political or country-oriented criticism is to be construed from this
work, which respects all the apparently divergent efforts found today
on the subjects treated. Products, individuals or organizations are
cited as part of the fact-finding work needed for this site and their
citation constitutes neither a favorable nor an unfavorable recommendation or
endorsement.
We also share a guitar solo of "Take Five" by P. Desmond in classical interpretation & arr. by Douglas Niedt