Security with bite: 15 technologies tested
In this special review, we round up the various authentication devices on the market. From fingerprint scanners, to single sign-on software and biometric technology -- we have the authentication market covered.
Organised crime syndicates would love to get their hands on some smart programmer who could make this dream a reality and capture all that juicy data. And what information would they steal -- credit card information? Bank account details and passwords? Username and password lists for multinational organisations? Potentially yes, but all that is really passé these days and the syndicates have moved on.
These days it is all about personal information, most of which is already publicly available on the Internet or in our garbage bins for those who are happy to search enough for it. If someone with malicious intentions can make enough of a personal profile about someone then they have effectively stolen that person's identity, commonly known as identity theft, which when used by unauthorised individuals becomes identity fraud.
Identity theft is nothing new; in fact it has been going on for years. Traditionally it was not even associated with electronic crime: it was used by people avoiding the law and tax, and claiming benefits they may not necessarily have been entitled to. There are fraud taskforces set up by the Federal Police and ATO who investigate identity fraud full time. It is just that now, with technology as an enabler, it is easier, faster and able to be performed on a much larger and more anonymous scale.
And to complicate matters even more, in the ICT arena, it is not only humans that have an identity but pretty much any object on your network. Therefore there are a whole lot more identities to manage and decide who or which can or can't be authorised access to resources. This is commonly called IAM (identity and access management). The basic premise which must be understood is that authentication is actually quite different from authorisation.
The definition for authentication as found in the Webopedia is: "The process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorisation, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual."
Authorisation, according to Webopedia, is: "The process of granting or denying access to a network resource. Most computer security systems are based on a two-step process. The first stage is authentication, which ensures that a user is who he or she claims to be. The second stage is authorisation, which allows the user access to various resources based on the user's identity." For the purpose of this review on data authentication, a "subject" is the identity attempting to access a device, and an "object" is the device.
Factors of Authentication
There are several types of authentication. One of the most commonly used is a password or personal identification number (PIN); this is known as single-factor authentication -- something the subject knows. One of the most secure authentication processes would use a combination of factors such as something the subject knows (password, passphrase, or PIN), something they have (smartcard, token, or tag) and something they are (fingerprint, handwriting, iris, or retina scan, and so on).
Other behind-the-scenes authentication techniques used are digital certificates and digital signatures. Pretty Good Privacy (PGP) uses keys and digital signatures to enable authentication of e-mail messages to ensure that they came from whom they said they did. Likewise, secure Web sites use digital certificates to let the subject know that they are whom they say they are and that they can be trusted.
One-time passwords are a good and relatively low-cost alternative. Like the name suggests, the passwords are used once only and if the same password is used again at a later stage in a login attempt then the subject is rejected.
The tokens are small devices that are synchronised with the authentication server system to issue the user with a password when a button is pressed on the device.
One-time passwords are an excellent choice if one is concerned about keyloggers or spyware infections that may be collecting data from compromised machines. Another benefit to one-time passwords is they can stop identity fraud occurring within the organisation.
Vasco Data Security shipped us a copy of its RADIUS server middleware and one of its token devices. Vasco has managed to include two-factor authentication with the tokens by having the user input a static PIN first, such as 1234 (something they know) and then the one-time password supplied by the token (something they have). Using this, the login would look like 1234 followed by the code on the token. There are also options to interface with Web-based logons, Citrix, Lotus/Domino, Windows, and Novell. RSA, Verisign, and Giesecke & Devrient also supply one-time password generating token devices.
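To show the PIN-plus-token login and the "used once only" rule described above in working code, here is an added example that is not Vasco's software or any vendor's algorithm: it assumes a counter-based token following the HOTP algorithm of RFC 4226, with a constructed shared secret, and rejects any code whose counter has already been accepted.

```python
"""Illustrative one-time-password verifier: static PIN (something known) followed by
a token code (something held), with replay rejection. Added example; the token
mechanism (RFC 4226 HOTP) and the shared secret are assumptions, not the page's."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """Server side of the scheme: one record per user with the PIN, the token's
    secret and the last accepted counter. Token and server stay synchronised via
    the counter; the look-ahead window tolerates a few unused button presses."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead
        self.users = {}

    def enrol(self, user: str, pin: str, secret: bytes) -> None:
        # counter -1 means no code has been accepted yet for this token
        self.users[user] = {"pin": pin, "secret": secret, "counter": -1}

    def verify(self, user: str, login: str) -> bool:
        """login is the PIN immediately followed by the 6-digit token code."""
        rec = self.users.get(user)
        if rec is None or len(login) != len(rec["pin"]) + 6:
            return False
        pin, code = login[:len(rec["pin"])], login[len(rec["pin"]):]
        if not hmac.compare_digest(pin, rec["pin"]):
            return False  # a wrong PIN does not advance the counter
        # Only counters strictly after the last accepted one are candidates, so a
        # replayed code (an already-used counter) is rejected even though it once matched.
        for c in range(rec["counter"] + 1, rec["counter"] + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c
                return True
        return False
```

The secret in the test below is the RFC 4226 reference vector, so the expected codes can be checked against the RFC's own table.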
Single sign-on takes every existing authentication system used by an individual and replaces them with a single authentication technology. So if a user has 12 disparate objects to access via passwords every day, they can reduce that to one password to access all 12.
However, it does mean there is a single point of failure if static passwords are used. But combined with other forms of more secure authentication, such as tokens, smartcards, biometrics, and so on, single sign-on is a very attractive option.
There are two main types of single sign-on concepts. The first is enterprise-wide single sign-on; the second is Web single sign-on or federated (usually via Web interfaces) single sign-on. Enterprise single sign-on is what every company, particularly ICT departments that have been operating for more than a few years, is trying to pursue. Consider how many applications employees have to log in to every day just to do their work -- accounting systems, stock control systems, operating systems, CRM applications, e-mail systems, intranets, extranets, Internet proxies, even old legacy apps.
Most of these applications are somewhere in the grand scheme of lifecycles, and at the end of the day cannot be replaced in one fell swoop, or indeed ever, with a nice directory compliant application (X.500, LDAP or otherwise).
This is why a middle ground needs to be established to head towards true single sign-on and a balance of smart programming and compliant standards-based applications needs to be achieved.
Vendors, such as Citrix with its MetaFrame Password Manager Access Suite, have taken some of the heartache out of this by developing very powerful tools that enable administrators to capture and set many forms of password controls and even enforce quite complex password policies on legacy applications which never would have had these options in the past, and all without rewriting the application or the interfaces.
Federated single sign-on, however, is where multiple Web sites have an agreement to accept and trust the authentication of a user at one Web site and carry it across to the others. This means the user only has to sign in at the first Web site they visit.
Computer Associates has the best of both worlds in both enterprise and federated single sign-on.
It has a truly enterprise-scale directory service in the form of its eTrust eDirectory, which has the options to run with its range of IAM (identity and access management) applications for enterprise single sign-on and with the recent acquisition Netegrity it now has a federated single sign-on product called eTrust SiteMinder.
Smartcards and proximity cards have been around for many years.
Proximity or magnetic cards (mag cards) traditionally have been used more for physical access controls rather than for the authentication of people. Smartcards have been used for everything from mobile phone SIMs, to satellite decoders.
Smartcards are now becoming quite popular for use in authentication technologies, providing the "something a user has" factor of authentication. So while it technically is possible to steal or copy a user's smartcard, it adds another level of complexity to the equation for those with malicious intentions.
Smartcards, like mag cards, can also be printed on and used as company and photo IDs for security checkpoints and visual user identification.
Smartcards can also be used for storing biometric information or digital signatures/certificates and encryption/VPN codes.
The benefits of storing these types of information on a smartcard are fairly significant. Firstly, it removes the need for that information to be stored all together in a single database. It also removes the need to send that information from a server to a client, where it may potentially be intercepted by a man-in-the-middle attack; this is particularly relevant in the case of encryption handshaking.
Many vendors, such as HP and Acer in their notebook ranges, are now integrating smartcard readers into some of their devices. In a review we performed last year, Sun Microsystems had a thin client terminal (Sun Ray 150) which used smartcard technology not only for authentication but in an innovative way: the entire user environment could be switched from one terminal to another simply by unplugging the card and plugging it into another terminal.
There are a few companies around who make smartcard authentication and access control technologies their livelihood; some have also branched out into other similar technology areas to complement their smartcard range. Three of the larger vendors are LM Gemplus, Giesecke & Devrient, and Keycorp -- all three submitted cards, software, and readers for this review.
LM Gemplus sent us its GemSafe cards and a USB reader (which is also available as a serial interface device) along with its GemSafe software v4.2.0. Installation took some time -- no wonder, seeing as the Gemplus smartcard reader tools take up 119MB and the GemSafe Libraries a further 116MB -- after which the system was rebooted. The GemSafe Toolbox is a very impressive tool with quite a lot of functionality and an up-to-date look and feel.
There is also another utility called SmartDiag, which further assists administrators. Overall GemSafe is a very neat and refined smartcard system.
Giesecke & Devrient was kind enough to send us one of its pre-sales engineers to go through some of its products with us. We had a brief look at several products relating to smartcards and authentication. Among these was the TODOS system, a token-type device with a smartcard slot built into it that enables card information to be read onto a small integrated LCD screen -- there are many varying applications for this, from financial transactions to password supply.
There were also USB and PCMCIA smartcard reader/writers and associated applications (SafeSign), as well as a USB plug device (similar to a very small USB memory key) which has a smartcard chip embedded into it. This is ideal for secure software/system locking as well as very portable authentication and portable configuration settings for applications such as remote office VPN connections and authentication, and so on. Included with SafeSign is a neat token management utility which lets administrators see at a glance what is on each card.
Keycorp's system was very neat. The application software included was called SCB single sign-on and SCB Secure Logon, and the names are self explanatory.
Installation and configuration was a breeze. We set up a card and had a brief look at the single sign-on component. An SSO wizard is provided which allows the user to record logins for either Windows-type or HTML forms.
Recording is a little more complex, however, than some other SSO technologies we have seen but it is certainly not hard by any stretch of the imagination.
An example of the added functionality and versatility of smartcards is their ability to be combined with other card technologies, such as magnetic swipe, for use as physical access devices or even bank cards; they can also be printed with photos and other identification information.
Like most authentication technologies there are several flavours of biometric technology: from the advanced handwriting and facial character recognition systems to the more common fingerprint scanners and quite a few technologies in between (iris, retina, and palm scanners).
There are almost as many uses for biometrics as there are types. While all five of the devices that vendors sent us for this review were fingerprint scanners, most of them had very different uses, from simple desktop management of passwords through to three-factor authentication. I will briefly run through the products submitted.
APC sent us a Biopod Biometric password manager which is pretty much exactly that. Designed for use with a desktop machine connected via USB the administrator can enroll up to 20 separate users or 20 fingers (if one is lucky enough to have four arms, that is).
The software that is bundled with the device is very straightforward and easy to use. Whenever an application or Web site is visited that requires a user to login, a small system tray resident applet pops up and indicates that it has detected a username/password field and invites the user to register that password to be used with the fingerprint scanner. Two options exist, one which automatically submits the stored login credentials every time the application is opened or the site browsed to, and the second which prompts the user for their fingerprint upon detection of a previously registered application or site.
The BQT Solutions mib-BT913U device clearly provides for very strong authentication in one device, combining up to three-factor authentication -- something one knows, something one has and something one is. The hardware component of this solution is a robust contactless card reader/writer with a biometric fingerprint scanner built into it.
The BioEncode 3.1 software runs on Windows NT, 2000, and XP. The card reader is set up as a USB serial device.
Once registered, the fingerprint is stored on the card. This is a worry if the card is lost, as someone potentially has your fingerprint; however, it is preferable to someone cracking a server and getting a database of all employees' fingerprints. It also helps in remote or distributed locations where individual authentication terminals may not be hooked into the central authentication database, or where the authentication data may need to travel across potentially hostile or compromised networks.
ComSec Enterprises shipped us a 128MB USB v1.1 flash memory key with an embedded fingerprint scanner. Enrolment took quite some time. But once we were registered the device worked well. Larger capacity and USB 2.0 would be nice, but it is still a step ahead, in the security stakes, of the normal (easy to lose) memory keys.
The Digital Persona U.are.U 4000 Sensor is quite a neat compact optical USB fingerprint scanner. The distributor Automa shipped us both the workstation and server versions of the application software. The workstation Pro 3.1 for Active Directory software runs on Windows XP, 2003, 2000, ME and even Windows 98. This solution provides for Windows machine login replacing the usual Windows username/password authentication system.
Microsoft submitted a device called the Fingerprint Reader which is manufactured by Digital Persona and internally appears to be the same as the Digital Persona device but has a trendy pearlescent paint job. The device drivers/application however is limited to use with the Microsoft Windows XP operating system only.
Recently the lab has also seen embedded biometric fingerprint scanners in portable devices such as Fujitsu and IBM notebooks and HP PDAs.
The Fujitsu sported a traditional fingerprint-sized pad while the IBM notebook and the HP PDA had a small strip scanner that the user runs his or her finger over.
An important tip when using fingerprint scanners: once authentication is complete, the finger must be slid off the scanning window to smudge the print. It has been known for some scanners to return false positive IDs when a breath of air is blown onto the device or a bag of water is applied to a scanner with a residual imprint.
There are various other ways of "tricking" a fingerprint scanner and Steve Turvey sums these up in his biometric review in the February 2004 edition of T&B. Another problem is remembering which finger was used during the registration process.
When considering the biometric route, look at a vendor's crossover error rate. This is the point where the rate of rejection of legitimate users (false rejection) equals the rate of false acceptance of unauthorised users. If a system is configured too tightly, then legitimate user frustration can result from too many rejections/re-authentication requests coming through.
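To make the crossover error rate concrete, here is an added example (not from the article or any vendor's software) that sweeps a match threshold over constructed genuine and impostor match scores, computes the false rejection and false acceptance rates at each threshold, and reports the crossover point where the two are equal.

```python
"""Crossover (equal) error rate worked example. Added illustration; the match scores
below are constructed for the demonstration and are not measurements of any product."""

# Constructed similarity scores on a 0-100 scale. GENUINE: the enrolled finger
# re-presented; IMPOSTOR: a different finger. Higher score means a closer match.
# The two sets overlap (48, 55 vs 57, 62), as real distributions do.
GENUINE = [92, 88, 85, 81, 79, 76, 74, 70, 66, 60, 55, 48]
IMPOSTOR = [62, 57, 52, 49, 45, 44, 40, 38, 35, 30, 25, 20]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when a match requires score >= threshold.
    FRR: fraction of legitimate attempts turned away (score below threshold).
    FAR: fraction of impostor attempts let in (score at or above threshold)."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every integer threshold and return (threshold, FRR, FAR) at the point
    where FRR and FAR are closest: the crossover error rate. Raising the threshold
    above this point tightens the system and drives FRR (user frustration) up;
    lowering it loosens the system and drives FAR (unauthorised access) up."""
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        if best is None or abs(frr - far) < abs(best[1] - best[2]):
            best = (t, frr, far)
    return best
```

A lower crossover error rate means the two error curves meet nearer zero, which is what makes it a useful single figure for comparing vendors.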
Device to device authentication and secure online transactions are a little bit harder to achieve, particularly if the customer is not already known, qualified and trusted by the merchant.
In this new era of corporate compliance and policy enforcement, it is best to cover all bases when it comes to security.
So, to ensure a device is really what it says it is, digital certificates come into use. Two vendors who are well established in electronic transactions, secure communications, encryption and authentication are Verisign and RSA. These security vendors also have a range of tokens and associated software available.
This article was first published in Technology & Business magazine.
Vendor | Web site | Phone | Authentication technology |
Acer | www.acer.com.au | 1300 366 567 | Notebook with smart card reader. |
APC | www.apc.com | 1800 652 725 | Biometric fingerprint scanner/password management |
BQT | www.bqtsolutions.com | 02 8817 2800 | Biometric fingerprint scanner and smart cards |
Citrix | www.citrix.com.au | 02 8870 0800 | Single sign on |
Computer Associates | www.ca.com/au/ | 1800 224 636 | Single sign on |
ComSec Enterprises | www.comsecent.com.au/ | 07 3222 6800 | USB memory key with biometric fingerprint scanner |
Digital Persona | www.digitalpersona.com | +1 650 474 4019 | Biometric fingerprint scanner |
Fujitsu | www.fujitsu.com/au/ | 02 9776 4555 | Notebook with biometric fingerprint scanner |
Giesecke & Devrient | www.gdaus.com.au/ | 03 9765 1200 | Smart cards |
HP | www.hp.com.au | 132 347 | Notebook with smart card reader and PDA with biometric fingerprint scanner |
IBM | www.ibm.com/au/ | 132 426 | Notebook with biometric fingerprint scanner |
Keycorp | www.keycorp.net/ | 02 9414 5200 | Smart cards |
LM Gemplus | www.lmgemplus.com/ | 03 9583 7744 | Tokens and smart cards |
Microsoft | www.microsoft.com | 132 058 | Biometric fingerprint scanner/password management |
RSA | www.rsasecurity.com.au | 02 9463 8400 | Tokens and digital certificates |
Sun Microsystems | www.au.sun.com | 1800 628 193 | Thin client with smart card reader |
Vasco Data Security | www.vasco.com | 02 8920 9633 | Tokens |
Verisign | www.verisign.com.au | 03 9674 5500 | Tokens and digital certificates |
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own -- only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.