Wednesday, October 3, 2007

Beyond Passwords: Stronger Authentication

Today, many organizations enforce password length, complexity, and update rules, operating under the premise that passwords longer than seven alphanumeric characters take much longer to brute-force crack than shorter, simpler passwords. While this is true, the actual time required to guess real user passwords with cracking tools like L0phtCrack and John The Ripper can be far less.

Many users have dozens of passwords, defined independently, with conflicting rules regarding complexity, update, and reuse. It's human nature to pick passwords that are easy to remember, like birthdays or names of a spouse, child, pet, or sports team. To satisfy complexity rules, many users define passwords with a convention, like appending one digit to the same base string. These common practices can make passwords relatively easy to guess in just minutes using dictionary or partial-knowledge attacks.

For most people, remembering a complex password longer than 7 characters means writing it down somewhere—like on a post-it note that could easily fall into the wrong hands. Some users save passwords in e-mail folders or files, but an unprotected password list is a security incident waiting to happen. Encrypted password "safes" are far better, but even those programs often depend upon one password to unlock the rest.

No matter what their length, passwords are easily compromised through social engineering. In the past, attackers would pose as tech support, calling users to assist with bogus problem resolution and, in the process, request their passwords. Today, attackers flood mailboxes with spam that "phishes" for passwords by luring users to phony websites where they are prompted to "confirm" their account parameters.

For these and many other reasons, password authentication provides a weak foundation for authorization and access control. Putting a weak password in front of an otherwise secure server, firewall, or VPN service is like putting a screen door on a bank vault. ISPs can reduce their own risk—and grow customer confidence—by employing stronger authentication methods.

Exploring The Alternatives
More secure authentication methods have been readily available for many years, including tokens, smart cards, digital certificates, and biometrics. While these methods vary in complexity, cost, and strength, all share a common goal: letting a user demonstrate that he is who he claims to be through one or more factors.

Authentication factors may include:

* Something you know, like a password or personal identification number (PIN).
* Something that represents who you are, like a finger, face, iris, or voice scan.
* Something you have in your possession, like a hardware token or smart card.

Credentials that you know—like passwords and PINs—are widely used because they are cheap and easy to implement. Passwords are free, users can generate them without assistance, and password authentication is embedded in just about every operating system and client/server protocol. In fact, the only significant operational expense is password reset/recovery. According to Burton Group and Gartner studies, password resets represent 30 percent of all help desk calls. The META Group estimates that each help desk call costs $25. Clearly, this "hidden cost" of password authentication can really add up. You may be spending more than you realize for a solution that's relatively weak.

Even so, stronger credentials are more expensive and more difficult to implement than plain old passwords. In some cases, there are material costs associated with hardware (e.g., USB tokens, biometric scanners). There are distribution costs, since a process is required to initialize credentials and bind them to user identities. There may be infrastructure costs associated with purchasing, installing, and maintaining new authentication servers and datastores. After deployment, there may be lost or broken hardware to replace—not as often as password resets, but at a higher per-incident cost.


http://www.isp-planet.com/technology/2005/beyond_passwords_1a.html

Beyond Passwords: Implementing The Vision

In Part 1 of Beyond Passwords, we explained the problem and showed why organizations are interested in improving on password authentication. In part two, we examine the solution.

Organizations that want to implement stronger authentication have a dizzying array of alternatives and products to choose from. To get started, let's break the alternatives down into categories and identify a few products in each category.

1. Digital Certificates
Digital certificates are based on public key cryptography, a system whereby pairs of keys are generated with a unique mathematical property: anything encrypted by one key can only be decrypted by the other key. In each pair, one key must be safeguarded and known only to the legitimate user—this is the Private Key. The other key is given freely to everyone who wants to authenticate the private key holder—this is the Public Key. If you encrypt a known value with your Private Key, anyone else can decrypt that value with your Public Key and compare those two values. If they match, you are considered authentic because you demonstrated that you hold the Private Key.

For authentication, your identity must be somehow tied to your key pair. This is the purpose of Digital Certificates. A certificate binds a public key to a named entity and some information about that entity (like company, state, and country). Although this binding could be supplied to each correspondent out-of-band, that would not scale well or let strangers authenticate each other. To solve this, certificates are issued by Certificate Authorities (CAs): trusted third parties that generate and "sign" certificates using their own private keys. In this way, everyone can know the public keys of a few trusted "root" CAs and accept as valid any certificate those CAs generate.

Digital certificates are the basis for the SSL server authentication widely used by e-commerce sites. Every web browser is installed with a list of well-known root CAs. For example, Thawte's certificate is included in Internet Explorer's trusted root list (below).

Organizations may purchase certificates from these root operators, or they can install in-house CAs to generate, distribute, and revoke their own digital certificates. MSSPs that provide Managed PKI services generally use their own CA(s) to generate certificates for use by their customers.

For example, an MSSP might issue an "intermediate" CA certificate to YourCorp, and sign all of YourCorp's user certificates with that CA's private key. YourCorp must install that trusted CA certificate in every system. When a YourCorp user wants to authenticate, she presents her certificate, signed by YourCorp's CA, and a value (thumbprint) encrypted with her own private key. The recipient uses the CA's public key to verify the certificate is valid. He then extracts the subject name and public key from the certificate to authenticate the user.
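The exchange described in the three paragraphs above (key pair, certificate binding, and challenge signed with the private key) as a worked example in Go, using only the standard library. This is added illustration, not code from the article or from any PKI vendor it names. The names "MSSP Root CA", "YourCorp CA" and "alice", the 24-hour certificate lifetimes, and the 32-byte challenge are all constructed for the example; the "value encrypted with her own private key" is implemented as an RSA signature over a recipient-chosen nonce, which is how that step is done in practice. The recipient first checks that the presented certificate chains through YourCorp's intermediate CA to the trusted MSSP root, and only then verifies the signature with the public key taken from the certificate:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // example code; production code would return the error
	}
}

// template builds a certificate: CAs may only sign certificates, users may only authenticate.
func template(cn, org string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // Verify rejects expired certificates
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	return t
}

// issue generates a key pair for tmpl and signs the certificate with the issuer's private key; a nil issuer yields a self-signed root.
func issue(tmpl, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// signChallenge is the user's side: she proves possession of her private key by signing a nonce the recipient chose.
func signChallenge(key *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// authenticate is the recipient's side: check that the certificate chains to a trusted root (through
// YourCorp's intermediate CA), then verify the challenge signature with the public key inside it.
func authenticate(roots, inters *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, challenge, sig); err != nil {
		return "", fmt.Errorf("challenge signature invalid: presenter does not hold the private key")
	}
	return cert.Subject.CommonName, nil // the subject name is believed only after both checks pass
}

// Scenario runs the exchange end to end with constructed identities: the name authenticated for Alice, plus
// the errors for an "alice" certificate from an untrusted CA and for Alice's certificate without her key.
func Scenario() (name string, untrustedCA, wrongKey error) {
	msspKey, msspCert := issue(template("MSSP Root CA", "MSSP", 1, true), nil, nil)           // self-signed root
	corpKey, corpCert := issue(template("YourCorp CA", "YourCorp", 2, true), msspCert, msspKey) // intermediate issued to YourCorp
	aliceKey, aliceCert := issue(template("alice", "YourCorp", 3, false), corpCert, corpKey)   // signed with YourCorp's CA key
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(msspCert) // the trusted CA certificate every YourCorp system installs
	inters.AddCert(corpCert)
	challenge := make([]byte, 32) // fresh nonce per login, so a captured signature cannot be replayed
	_, err := rand.Read(challenge)
	check(err)
	sig, err := signChallenge(aliceKey, challenge)
	check(err)
	name, err = authenticate(roots, inters, aliceCert, challenge, sig)
	check(err)
	otherKey, otherCert := issue(template("Other CA", "Other", 1, true), nil, nil)
	fakeKey, fakeCert := issue(template("alice", "YourCorp", 4, false), otherCert, otherKey)
	fakeSig, _ := signChallenge(fakeKey, challenge)
	_, untrustedCA = authenticate(roots, inters, fakeCert, challenge, fakeSig)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048) // holds Alice's public certificate but not her private key
	strangerSig, _ := signChallenge(stranger, challenge)
	_, wrongKey = authenticate(roots, inters, aliceCert, challenge, strangerSig)
	return name, untrustedCA, wrongKey
}

func main() { fmt.Println(Scenario()) }
```

Running it prints "alice" followed by the two rejection errors. Two points the example makes that the prose only implies: the recipient must pick a fresh challenge each time (a fixed "known value" would let a recorded answer be replayed), and a certificate that merely names "alice" proves nothing unless its chain ends at a root the recipient already trusts. The example deliberately stops short of the deployment concerns raised in the next paragraph: it checks expiry but performs no revocation checking, so a production verifier would also consult the CA's certificate revocation list.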

Even from this brief description, we can see that Public Key Infrastructure can be complex. And we haven't even discussed the most challenging aspects of deployment, like expiring, renewing, and revoking certificates, publishing certificate revocation lists, and creating a business process for generating key pairs and certificates and making sure they are distributed securely to legitimate users. Larger enterprises often have the IT staff and security expertise to deploy a PKI, if they choose to do so. But many SMBs do not—and this is where MSSPs can step in to help fill the gap. To roll your own CA, start with a PKI platform, available from many sources, including:

* Computer Associates
* Cybertrust/Betrusted
* Digi-Sign
* Entrust
* Kyberpass
* Microsoft
* OpenCA Project
* Netscape/RedHat
* Verisign

To learn more about Digital Certificates and deploying a PKI, consult these vendors' websites and third-party sites like this PKI Page. Today, digital certificates are widely used for server authentication—for example, site-to-site VPN gateway authentication. They can also provide strong user authentication—for example, in wireless LANs using 802.1X with EAP-TLS.

However, many organizations have been scared off by PKI complexity and cost. To date, most companies have pursued other options for stronger-than-password user authentication.



http://www.isp-planet.com/technology/2005/beyond_passwords_2a.html

KoolSpan: Bridging The Secure Access Gap

To counter security threats, many organizations have tried using traditional VPNs on 802.11 wireless LANs, often with disappointing results. Wi-Fi roaming tends to break VPN tunnels, disrupting applications and frustrating users. Many who tried IPsec as a WEP alternative have since moved to WPA-Enterprise, seeking a more reliable, robust remedy. But WPA's heavy-weight combo of 802.1X and 802.11i has proven challenging to deploy and limited in scope. As a result, wireless-enabled workers are often required to use several different security measures: WPA at the office, VPN at home or hotspot, and unprotected Wi-Fi elsewhere.

Many new products have emerged to address this problem, ranging from mobility-aware wireless switches to proxy-based mobile VPN software. Amid a sea of seemingly similar solutions, KoolSpan's SecurEdge is strikingly different. Instead of patching around VPN or WPA challenges, KoolSpan created a green field "Lock-and-Key" solution for simple secure access over any kind of LAN.

Starting from scratch
KoolSpan CEO Tony Fascenda believes that many secure access alternatives are fundamentally limited by their architecture. "Most users are proxied onto the LAN, through a perimeter firewall or VPN gateway," explained Fascenda. But running applications like VoIP through a firewall or proxy can be challenging. "Even if you get through NAT, you need to open dozens of ports, associated with changing IP addresses. The problem is that each of those ports then needs to be protected by another measure inside the LAN."

To avoid these and other network and transport layer obstacles, KoolSpan designed SecurEdge to sit at the data link layer. "What we've done is put a Lock inside the firewall, with a single port opened. The Lock doesn't proxy you onto the network like a VPN. Instead, the Lock bridges you onto the LAN. On the client, a virtual LAN adapter gets a local IP address, so the user is connected to the inside of the network, just like a local user," said Fascenda.

How do users obtain access through a SecurEdge Lock? By inserting a matching Key, of course. A SecurEdge Key is a USB token that contains a Smart Card. Users install SecurEdge Client software—a virtual LAN adapter—on Windows XP or 2000 PCs. To connect, each user plugs his or her Key into the PC's USB port, entering a text password when prompted.

Each Lock also contains a Smart Card. The Lock and Key use those Smart Cards to authenticate by RSA signature, establishing a 256-bit AES encrypted UDP tunnel between them. Whether the Lock is on the local LAN or on the far side of the Internet, the tunnel keeps all unicast and multicast LAN packets sent and received by the PC safe from eavesdropping, modification, insertion, replay, and other man-in-the-middle attacks.

Readers familiar with 802.1X port access control may note that Wi-Fi APs and Ethernet switches and SecurEdge Locks all bridge packets onto trusted LANs. But unlike 802.1X EAPOL, communication between the SecurEdge Lock and Key rides over a proprietary IP-routable tunneling protocol. This is why SecurEdge Locks can be placed in virtually any location that's reachable via UDP (port 53248, by default).

Nor is KoolSpan's proprietary protocol a derivative of standard IPsec, SSL, or L2TP VPN protocols. Under the covers, KoolSpan applies strong cryptographic measures like AES encryption, SHA-1 hashing, RSA signatures, and FIPS 140-1 certified Axalto eGate Smart Cards. But just as an automobile is more than the sum of its parts, KoolSpan combined these well-known measures to create a uniquely hardware-centric solution.


http://www.isp-planet.com/technology/2005/koolspan_review_1a.html

Thinking Outside The (Windows) Box

Over the past decade, Microsoft Windows has grown from a focused operating system into a desktop Swiss Army knife. Kick start any new Windows PC and you'll find a web browser (Internet Explorer), e-mail client (Outlook Express), and personal firewall (Windows Firewall). While these default applications simplify computing for end users, they are not always revered by network administrators. Internet Explorer and Outlook routinely make the SANS Top 20 list of Internet Security Vulnerabilities. As a result, many administrators are now taking a hard look at other alternatives.

Exploring other options
Microsoft went to court to defend its right to install Internet Explorer (IE) on every Windows desktop. But code bloat, complexity, and security vulnerabilities have crippled IE in a way that the US Justice Department could not. According to the SANS (SysAdmin, Audit, Network, Security) Institute:

"Internet Explorer contains multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious webpage or reads an e-mail. Exploit code for many of the critical Internet Explorer flaws are publicly available. These flaws have been widely exploited to install spyware, adware and other malware on users' systems... In many cases, no patch was available at the time the vulnerabilities were publicly disclosed."

To reduce these concerns, SANS strongly recommends upgrading Windows PCs to Service Pack 2. This long-awaited update included numerous security patches, including an IE pop-up blocker, an Add-on Manager, and many explicit download warnings. For additional detail, see What's New for Internet Explorer and Outlook Express. If you cannot upgrade to SP2 immediately, SANS recommends that you stop using IE and move to an alternative browser.

In fact, IE's security woes have created a healthy demand for alternative browsers. In Part 2 of this series, we will explore several popular free web browsers. Changing browsers can help you avoid IE bugs, old and new. For example, Browser Helper Objects (BHOs)—add-on programs executed along with IE—are frequently exploited to install hidden spyware and adware programs. Using an alternative browser can eliminate this BHO threat. IE ActiveX Controls or Active Scripting are also common attack vectors. Using another browser that lacks ActiveX support can effectively neutralize these attacks.

On the other hand, there are many websites that depend on these and other IE features (like Microsoft proprietary HTML tags) for data presentation and user interaction. Moving to another browser can inhibit your ability to use websites that were designed for (or tested only with) IE. To address this issue, many users still keep IE around for emergencies, when they really must access a website that requires IE-specific features intentionally omitted from alternative browsers.

Security is one big reason for using an alternative browser. Although SP2 is widely acknowledged as a significant security improvement for IE, its security model is still complex and intrusive. End users are constantly presented with security decisions, but lack the information or motivation to make sound choices. Too many of us routinely click "Ok" or "Accept" when prompted to continue a web connection or download request.

Furthermore, Microsoft has a big target painted on its back. Attackers have already started picking apart alternative browsers, as, for example, this Top 20 entry shows. But there is no reason to expect that new exploits against IE will diminish. And so the game will continue: exploit, patch, exploit, patch, ad infinitum. Even with automated updates, patching is time-consuming and cannot eliminate "zero day" vulnerabilities—exploits for which no fix is yet known. On the other hand, deploying an alternative browser to every desktop requires both patch management AND software distribution, so don't overlook these administrative costs.

Finally, there are other good reasons why alternative browsers are rapidly gaining favor. Many have capitalized upon common IE complaints, turning them into opportunities for improvement. Alternative browsers can be smaller, simpler, and faster than IE. They can require (and allow) less end user configuration. They may offer more user-friendly features like tabbed browsing and mouse gestures. Part 2 of this series will take a closer look at features that contribute to the popularity of other free browsers.



http://www.isp-planet.com/technology/2005/secure_windows_1a.html