Next Generation Identity Assurance

If condoms had the same protective performance as passwords, they would be laughed off as a joke: see http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.

Why do Governments and Corporates still think that passwords are sufficient security to protect personal or sensitive data? You might well ask, and indeed lawyers might begin to ask too, seeking profit by pursuing negligence claims.

There are well-known weaknesses with Passwords, including the re-use of User-chosen favourites across different sites and their susceptibility to discovery by phishing subterfuges. Of course, un-memorable phrases have the habit of being forgotten, requiring the overhead of a reset, with its own resultant vulnerability. Then there is outright hacking success, especially with the connivance of Insider knowledge. However, the most important disadvantage is that Users can deny liability: “someone has looked over my shoulder/guessed/taken a movie/hacked my Password/inspected my laptop while I was at Lunch and I have been innocently and unknowingly compromised”.

This “Repudiation Defence” provides the biggest handicap to getting a successful prosecution for illegal access or conspiracy with accomplices. The persistence of Passwords as a security measure is mainly because finding satisfactory alternatives has proved surprisingly difficult – many alternatives exist but very few are satisfactory as the following paragraphs reveal.

Like passwords, this category of authentication also relies on a fixed (static) seed, which could be a biometric signature template or a fixed, embedded key that is used to generate a response either from a program (soft) or from an external token (hard) such as RSA SecurID. The vulnerability here is “The Things we Now Know we Know”: any security authentication system that relies on its keys being kept secret is compromised when a penetration attack succeeds, as witnessed in the RSA SecurID debacle in 2011, or when a corrupt insider has sufficient access (Insider Attack).

There have been recent attempts to improve Biometric-based security by adding “dynamic extras” (eye blinks, pulses or indeed typing speed), but these remain fixed targets, so clones can be made and can continue undetected. One legal complication is that any Biometric is personal data by any reasonable definition, meaning such techniques and their storage should be subject to national personal data protection laws.

However, the main reason that Biometrics are unsuitable for any serious authentication application is that they fail the Golden Rule of Security Systems – the need to detect and recover easily and quickly from compromise; e.g. you normally run out of Irises after 2.

In NIST Electronic Authentication Guideline 800-63-2 (August 2013), the use of biometrics is deprecated for remote authentication, as indeed is any “knowledge based” technique such as remembering the order of recognised images presented on the login display screen. Static “client footprint” discovery, such as the GPS client location or the characteristics of the client device, also falls into this category. In these cases, additional complications arise when the User is required to be mobile or needs to use another client device.

In summary, the main disadvantages of the Passive technologies just described are the impossibility of overcoming the Repudiation Defence, the inability to detect “clones”, and the overhead, time and cost of detecting and recovering from compromise.
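The static-seed weakness described above can be shown concretely. The following Python is an added example written for this page; it is not code from the article and does not describe CASQUE SNR's own (patent-pending) mechanism. It assumes a SecurID-style hard token that answers a host challenge with an HMAC over a fixed seed, so a copy of the seed is indistinguishable from the original, and contrasts it with a hypothetical rolling-secret token (next secret = SHA-256(secret || challenge)) in which a copy made at enrolment fails, and is flagged, the first time it is used after the original. All seeds and challenges are constructed inside the code.

```python
"""Added illustration: static-seed challenge/response versus a rolling secret.

Not the article's code and not CASQUE SNR's method; the rolling scheme is a
hypothetical construction chosen only to show why per-use state lets a host
notice that a second copy of a token exists. Seeds and challenges are
constructed here, not taken from any real product.
"""
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 16


def static_response(seed: bytes, challenge: bytes) -> bytes:
    """Token side of a SecurID-style scheme: response = HMAC(fixed seed, challenge)."""
    return hmac.new(seed, challenge, hashlib.sha256).digest()


class StaticSeedHost:
    """Host that stores the token's fixed seed and checks every response against it."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed

    def challenge(self) -> bytes:
        return secrets.token_bytes(CHALLENGE_LEN)

    def verify(self, challenge: bytes, resp: bytes) -> bool:
        return hmac.compare_digest(static_response(self.seed, challenge), resp)


class RollingToken:
    """Hypothetical token whose secret is replaced after every answer it gives."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def answer(self, challenge: bytes) -> bytes:
        resp = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        # Advance state immediately; a copy taken earlier keeps the old secret.
        self.secret = hashlib.sha256(self.secret + challenge).digest()
        return resp


class RollingHost:
    """Host mirroring the token's rolling secret; keeps a few past secrets to
    recognise a response computed from a stale copy (i.e. a clone)."""

    def __init__(self, secret: bytes, history_len: int = 8) -> None:
        self.secret = secret
        self.history: list[bytes] = []
        self.history_len = history_len
        self.clone_suspected = False

    def challenge(self) -> bytes:
        return secrets.token_bytes(CHALLENGE_LEN)

    def verify(self, challenge: bytes, resp: bytes) -> bool:
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, resp):
            self.history = (self.history + [self.secret])[-self.history_len:]
            self.secret = hashlib.sha256(self.secret + challenge).digest()
            return True
        # A correct answer under a *previous* secret is not a typo or noise: some
        # device still holds a secret this token has already moved past.
        for old in self.history:
            if hmac.compare_digest(hmac.new(old, challenge, hashlib.sha256).digest(), resp):
                self.clone_suspected = True
        return False
        # Note: this toy does not handle resynchronisation when a token advances
        # but the host never receives the response; a real scheme must.


def static_clone_demo() -> tuple[bool, bool]:
    """Original and clone share a fixed seed: the host accepts both, every time."""
    seed = secrets.token_bytes(32)            # constructed enrolment seed
    host = StaticSeedHost(seed)
    original_seed, cloned_seed = seed, bytes(seed)  # clone = copied seed
    c1 = host.challenge()
    ok_original = host.verify(c1, static_response(original_seed, c1))
    c2 = host.challenge()
    ok_clone = host.verify(c2, static_response(cloned_seed, c2))
    return ok_original, ok_clone               # (True, True)


def rolling_clone_demo() -> tuple[bool, bool, bool]:
    """Clone copied at enrolment is rejected and flagged once the original has been used."""
    secret = secrets.token_bytes(32)          # constructed enrolment secret
    host = RollingHost(secret)
    original, clone = RollingToken(secret), RollingToken(secret)
    c1 = host.challenge()
    ok_original = host.verify(c1, original.answer(c1))   # host and original advance
    c2 = host.challenge()
    ok_clone = host.verify(c2, clone.answer(c2))         # stale secret: rejected
    return ok_original, ok_clone, host.clone_suspected   # (True, False, True)


if __name__ == "__main__":
    print("static seed  (original ok, clone ok):", static_clone_demo())
    print("rolling      (original ok, clone ok, clone suspected):", rolling_clone_demo())
```

Whichever copy authenticates second is the one rejected and flagged, so the host cannot tell original from clone by itself; what it gains is the knowledge that two copies exist, which is exactly the signal a static seed never yields and the trigger for the "detect and recover" step the article's Golden Rule demands.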

Public/Private Key cryptography (PKI) has come under scrutiny recently, with the Heartbleed bug rendering 500,000 Server certificates doubtful. The validation of a certificate occurs “under the bonnet” of the client workstation, so the User is often unaware of whether verification actually succeeded, and revocation methods have been the weak point in this technology. Stolen Certificates can be exploited to introduce malware into a client workstation without disturbance.

The bug was introduced into the publicly available OpenSSL library with only one code reviewer approving it (without spotting the liability in the modification). It is not known how many exploitations occurred between the widespread adoption of the flawed code and its fix two years later in April 2014.

Flexibility requirements (the need for a User to use a Laptop at home, a Smartphone on the Train and a Workstation at the Office, each with a different Operating System and internal processor manufacturer) make Authentication Management complicated. There is no point in wanting to insert a Smartcard or USB dongle into a heavily virtualised environment, as it defeats the objective of keeping the source workstation virginal.

There is a plethora of out-of-band solutions that use your mobile to receive an SMS text message carrying a transaction code for authentication. However, this assumes the mobile remains impervious to malware attack, the same bet as a house built on sand. It is interesting to see the increasing sophistication of these attacks, with the malware using injection techniques to modify the Bank’s or Trusteer’s own page! See http://blog.kaspersky.com/faketoken-2014q1/.

What can be confidently predicted is the continued refinement and proliferation of spear phishing attacks and the persistence of motivation (greed, revenge, blackmail) for Insider attacks.

The good news is that we believe we have a satisfactory alternative: CASQUE SNR (www.casque.co.uk). Our technology is based on a Challenge/Response method (patents pending) with handheld Tokens or Smartcards, which are contactless, active devices whose hardware platform, the secure element, is rated at EAL5+. The System prevents Token clones and automatically recovers from Insider attacks.

The product is certified for UK Government use, is NATO approved and is in daily operation in the UK’s Ministry of Defence; it does not depend on any third-party IP, nor does it use any external software library.

It can be integrated with the leading Gateway Solutions and has a public API to enable Web Host Developers to interface easily. Moreover, CASQUE SNR allows the Host to authenticate the User as well as the User to authenticate the Host: Mutual, Multi-factor Authentication.

From:
Dr Basil Philipsz
Distributed Management Systems Ltd
