Email-Security.Net HOME Papers Blog Atom Feed RSS Feed Contact Us

Compact Version:
"Take Five" In Internet Security

This is a compact version of the full paper.
Read the Full Paper Read Blog Post Comment


Ed Gerck, Ph.D.
Vernon Neppe, M.D., Ph.D.
Copyright (c) 2009 by E. Gerck and V. Neppe, first published online on November 10, 2009.
All rights reserved, free copying and citation allowed with source and author reference.
Published online at http://email-security.net/papers/takefivecompact.htm

Summary

The top security problem facing Internet users today is not email or even about email, however it deeply affects email security. We are talking about the security and usability of Internet user access control systems. This problem is well-known but we meekly accept it "as it is" everyday. But the paradigm may shift. In this work we appraise the affordability, security and usability of Internet user access control systems by using five frequently asked questions. ZSentry is a next-generation technology that is shown to be more affordable, secure and usable than the best point qualities provided by the other solutions.
We need your help. We are conducting a study of user login and access control systems using this methodology. You may participate anonymously. Please Post Your System's Answer To The Five Questions . Thank you!

Introduction: Conventional Systems

In a five-minute appraisal, a typical dialogue with someone claiming that they have a secure server while using username/password authentication would predictably go along these lines:
Q1: Can you use strong authentication as provided by cryptography to control user access?
A: No. The main reason is that this would strongly increase cost and reduce usability when compared with a username/password system.

Q2: How is user access controlled?
A: Access is controlled by username/password, with entries protected online by server-authenticated SSL.

Q3: How do you protect against dictionary attack?
A: User is locked out after three failed attempts.

Q4: How do you protect against someone stealing the password file online?
A: Our servers have state-of-art security.

Q5: How about if someone has onsite physical access to the server? For example, an employee, a technician?
A: Our employees and service providers are all vetted, trusted, and identified, and our servers are in a secure building.
Let's reflect on these answers. Each answer given above to Q3, Q4, and Q5 works as a link in a chain, where the weakest link defines the security. If one answer is broken, the security of the system is broken.

We know that not even US Department of Defense and Pentagon servers are secure, and not even the FBI can prevent having a national security traitor for many years among their own directors. Also, statistically, over 70% of security breaches come from insiders (all correctly identified). Thus, while username/password breaches occur every day as we can see in national news, it is clear that any of the answers above may compromise security.

Next-Generation Systems

Let's use the same five-point dialogue with a system using ZSentry (based on NMA technology) for user access control. The dialogue goes as follows:
Q1: Can you use strong authentication as provided by cryptography to control user access?
A: Yes. ZSentry delivers strong two-factor authentication and offers improved usability over username/password (specially for credential revocation, recovery and reset), while the total cost of ownership is much less than with conventional systems.

Q2: How is user access controlled?
A: ZSentry accepts user-defined passwords and delivers 6-character usercodes to users, with entries protected online by server-authenticated SSL. The usercode is created by cryptographic methods, is designed to be user-friendly, and is short enough to be mnemonic.

Q3: How do you protect against dictionary attack?
A: Users are temporarily locked out after a small number of failed attempts, mostly to preserve resources. Security, however, does not depend on this block being effective (see Answer to Q5).

Q4: How do you protect against someone stealing the password file online?
A: There are no password or usercode files anywhere. There are, therefore, no such attack targets online or onsite.

Q5: How about if someone has onsite physical access to the server? For example, an employee, a technician?
A: In addition to any required physical and network protections, every file is de-identified and protected by strong encryption, with no user-keys available without user authentication, and with a prohibitively large safety factor built-in against direct dictionary attacks on user authentication.
Starting with the unique property that there are no usercode or password files to be attacked, ZSentry makes the entire system secure, including user-keys and user files, which are only decipherable by knowing the user's exact usercode/password combination.

With ZSentry, weak passwords cannot be leveraged into a quick attack because the usercode is unknown, unpredictable, and has a prohibitively large search space.

Together, the usercode ( what you receive ) and the password ( what you know ) provide unforgeable two-factor user authentication. Additional and mutual authentication channels can be added.

Where Do We Stand Today?

This topic requires a deeper look into the technical background.

ZSentry can be used for user access control and also, for example, to secure email (called ZSentry Mail, or Zmail), providing services including data integrity, data lifetime management and expiration, user identification and two-factor authentication, mutual authentication, user non-repudiation, data confidentiality, encryption, digital signature, credential revocation, recovery and reset, as reviewed at the ZSentry site.

Conventional username/password access control is used by most web services companies, including most companies offering what should be HIPAA-compliant access. However, username/password is notoriously insecure and, for example, is no longer accepted for use in online banking by the Federal Financial Institutions Examination Council (FFIEC).

It is relatively straightforward to find in the Internet step-by-step instructions on how to attack a username/password system, which can be done rather easily and escalate to total control of the server; and attacks get even easier and more automated every day. This helps understand why, no matter how clever an implementation may become, user authentication with username/password systems cannot be made secure in terms of the three initial questions Q3, Q4, and Q5.

The ZSentry technology is shown to not have these limitations, leading to a next-generation system that is more affordable, secure and usable than the best point qualities provided by each username/password (usability, cost) and conventional cryptographic solutions (security). [1]

References

[1] Neppe, V. M. (2008). The email security-usability dichotomy: Necessary antinomy or potential synergism?. In Telicom, 21:3, May-June, pp.15-31. Available online at http://email-security.net/papers/usable-secure-email.pdf .

(Additional information and references are available in the Full Paper )

Contact Information

Ed Gerck, Ph.D.
Vernon Neppe, M.D., Ph.D.

Copyright (c) 2009 by E. Gerck and V. Neppe, first published online on November 10, 2009.
All rights reserved, free copying and citation allowed with source and author reference.