Securing Systems: A three-pronged solution for identifying users

Secure your system by determining who's at your door

Joseph Sinclair (JosephS@iisweb.com), Solution Architect, Integrated Information Systems

Joseph Sinclair is a Solution Architect with Integrated Information Systems, Inc. in Tempe, Arizona. He has been working with computers and microelectronics in a wide variety of roles for well over 10 years. You can contact Joseph at JosephS@iisweb.com.

Summary: The problem of system security starts with discovering the identity of the user on the other end of the communications link. In this article, Joseph Sinclair discusses three familiar approaches for identifying users, highlights their strengths and weaknesses (alone and in combinations), and provides some examples of each.

Tag this!

Date: 01 Jun 2001
Level: Introductory
Activity: 3149 views

Knock, knock. "Who's there?"

The Java Authentication and Authorization Service
User-centric security for the Java platform was introduced with the debut of the Java Authentication and Authorization Service API (JAAS). Creating effective authentication systems using Java technology starts with this important API.

JAAS provides a service-unifying interface, in much the same way that JMS provides a unifying API to messaging services or JDBC provides a unifying API to various database drivers. Because JAAS is an API, various service providers are free to implement that API with whatever technologies are available.

The JAAS is a pluggable and stackable API, which means that authentication services can be added, combined, and modified during system deployment, rather than having to be hard-coded during system implementation. This approach allows the authentication architecture of a system to be modified and enhanced as needed without requiring the system to be rebuilt or modified internally. So, if analysis indicated that a system needed more security, a knowledge challenge could be enhanced with an ownership challenge, and this could be further enhanced with a characteristic challenge, but only if needed and only when the need became apparent.

The JAAS provides an authorization API in addition to the authentication API. JAAS provides authorization support by enabling a user (a "subject" in JAAS parlance) to retain one or more identities, each of which might be included in the Access Control List (ACL) of a resource. Thus, the system can examine the subject's identities and the ACL of the resource, and if a match is found, permit the access specified. If a match is not found, it can deny access.

The JAAS provides a single sign-on capability as well, through the credential interface. Credentials may contain a wide variety of additional information objects, including delegated security context information or access credentials to external systems such as Kerberos or Public Key Infrastructures. Credentials allow the user to be authenticated through a JAAS provider and simultaneously authenticated to a wide variety of enterprise resources.

I strongly encourage any enterprise-level Java developers to examine the full JAAS specification (see Resources) and explore the solutions already available for their vendors' platforms. Using the JAAS interface for application security can dramatically reduce the effort required to implement an effective security layer and simultaneously increase the safety of the system.

This simple question is at the core of all security efforts. Without establishing the identity of those who request access to your sensitive and valuable data, you cannot extend your trust. And system security is predicated on a system's ability to establish that trust.

How do you decide whom to trust? Because there are unscrupulous people in the world, how do you determine that requesters are who they say they are?

Follow along as we discuss three ways to determine user identity -- two of them are old (in computer-industry terms), "trusted" friends and one relies on relatively new technologies.

Establishing identity

At first glance, establishing a requester's identity seems simple. It is predicated on answering one or more of these three basic questions:

What do you know? Knowledge is a traditional pass key into a secure system. The ubiquitous username and password prompt is the most common identity challenge; even when computers communicate with other computers, they typically start by verifying knowledge of some previously agreed-upon bit of information. This passphrase method of identification is much older than computers -- it is a "social" means of identification.
What do you have? The lowly key, the foundation of security since ancient times, is a form of ownership challenge. Any person possessing the key to a lock can open that lock. Now, ATM and credit cards fulfill similar purposes. It is a "material" means of identification. (This question extends beyond simple identification into several other areas of security.)
What are your characteristics? When speaking in general terms, using relatively immutable physical characteristics as identifiers (biometrics) is the oldest form of identifier; it comes from pre-verbal society. Case in point: before a newborn can speak (or even focus its sight or understand the concept of ownership), it recognizes its mother by the tone of her voice -- it is a "biological" means of identification. In terms of technology, biometrics is a relatively new method of identification. Efforts abound to make it readily available, though, because it can be the most reliable means of identification -- it is exceptionally difficult to change or counterfeit your physical characteristics.

In all their myriad forms and formats, these three questions can help verify a person's identity to any level of certainty you require. The specific question or questions asked and the form in which the challenge is presented determine how difficult it is to fool the system and how reliable the identification is.

Let's examine each question in detail.

And the password is ...

Passwords, secret gestures, hidden signals, secret codes. All of these are answers to the question "What do you know?" That this question is necessarily overt makes it the one most often associated with security.

There are many ways to challenge a user on the basis of shared knowledge:

The most common way is simply to ask the user to repeat the shared item, whether it is a password, a secret phrase, or some other hidden bit of information.
The next most common method is to refuse to acknowledge any request that doesn't embody the secret knowledge.
Another means is to make the existence of the secured entity itself the shared secret.

Each of these challenges has its own strengths and weaknesses; each is appropriate in different situations.

Simply ask

Simply asking the user is the most common method of knowledge challenge. The simplicity and overtness of this method ensures that nobody attempts to access the secured entity without knowing that it is, indeed, restricted; it simultaneously reduces the burden on the persons creating and maintaining the system.

This method is not terribly resistant to attack. Malicious users can monitor communications in hopes of catching another user entering a response, attempt random responses until one works, or use a wide variety of other techniques to guess or obtain a valid response.

For this reason, this method should never be the only means of authentication used in a sensitive system. Other means of identification, including other methods of knowledge challenge, should be used as a secondary verification. While the ubiquitous password prompt is the prime example of this method of knowledge challenge, there are other options, including some of the questions asked during a Diffie-Hellman key-agreement sequence between secure systems.

Refuse to acknowledge

Refusing to acknowledge any request that does not embody the shared secret is another common method for establishing a knowledge challenge. This method involves establishing the format of the request, the source and/or destination, or some other characteristic in advance.

If a request comes in that does not fit the expected profile, then the request can be ignored, refused, or re-routed. Business-to-business transactions often use this means because each can establish stable source IPs and agree on fixed and obscure formats (obscure to humans).

While this is a fairly effective means of knowledge challenge, it suffers from a serious weakness. If the shared secret is ever deduced by an attacker, the security breach can be exceptionally difficult to detect.

The use of a secret handshake -- common among secret societies -- is one example of this type of challenge. Another example is the use of restricted source-addresses in many B2B systems.

Hide the existence

Hiding the existence of the secured entity, often referred to as security through obscurity, is used commonly in the physical realm. This method relies on the fact that it can be difficult to find something if you don't know that it exists.

While this can be an effective technique, it is almost never adequate by itself. The prudent designer will add at least one additional identity check before permitting access to the secured entity, just in case someone stumbles across it unintentionally. In electronic systems it is even more crucial that additional authentication be included, because it is relatively common to use automated search tools to find locations not previously known.

Knowledge challenges on the Java platform

The Java platform provides some interesting support for knowledge challenges and some interesting challenges as well.

The support provided includes a wide variety of cryptographic functions that can both generate highly complex shared secrets and protect those secrets in transit. Additional support is available through the JNDI API (see Resources). This API provides access to directory services, the most effective place to store the shared secrets for knowledge challenges.

The Java platform also provides some challenges for systems that rely on knowledge challenges as well: the Jini network initiative (see Resources) provides facilities for the automatic discovery of systems on a network; the availability of portable code provides additional avenues for would-be thieves; and the wide breadth of the Java platform is adding intelligence to devices that would never have been imagined a decade ago.

All of these capabilities, while enabling solutions to previously intractable problems, also make it ever more difficult to prevent an attacker from obtaining access to shared secrets.

"Social" security wrap-up

Each of the various methods of knowledge challenge has strengths and weaknesses. All of them, however, share certain common characteristics.

Knowledge is rather difficult to obtain by force, usually requiring extended time and resources to get what you don't know. Knowledge is easy to share -- and change; if the secret is compromised it can be changed quickly to prevent a more serious breach.

The most significant weakness of knowledge challenges is that knowledge is easily copied. The secret can become known to an attacker without the breach being noticed and without harm to any individual. In this situation, an attacker could access a system without anyone knowing for some time. Knowledge challenges are also particularly susceptible to human factors that can significantly compromise the security of the system.

For the above reasons, I recommend that at least one additional means of identification be used for any system with significant value. The easiest, most common, means used in this situation is to challenge the user for something owned.

Insert in lock and turn

Keys, badges, credit cards -- all of these objects exist to answer the question "What do you have?"

Knowledge challenges can be both subtle and effective, but they suffer from some fairly serious drawbacks. Token challenges can be an effective means of compensating for those issues.

The defining characteristic of a token challenge is the possession of some physical item. The most common token is a simple key.

The key is constructed such that it is relatively unlikely that any given lock will respond to any key other than the correct one. This is an important point -- token challenges are an exercise in probability. You will have to balance the cost and complexity of the token with the probability that the token can be duplicated or will match another, invalid, token.

There are several varieties of tokens currently available, but each of them operates on one of two principles -- basic storage or active response.

Basic tokens

Basic tokens -- also called dumb tokens -- are the most common of all token types. Everything from a door key to a credit card falls into this category. Their central attribute is that they simply encode data in some form.

A key encodes the data in a pattern of ridges or teeth; a credit card encodes it on a magnetic strip. This simplicity is valuable because it makes these tokens inexpensive (usually much less than $1US), which firmly places them in the mass-market realm. Because basic tokens only encode data, however, they are susceptible to counterfeit or bypass.

It is a simple matter for a skilled professional to bypass all but the most complex locks, and it is even easier to access a credit account once the number is known. If you need to defend against this type of misuse, you need a more substantial token.

Active tokens

Active tokens -- also called smart tokens -- are much more complex than basic tokens. Active tokens incorporate some form of embedded intelligence. They are both harder to counterfeit and much harder to bypass than basic tokens.

A smart token can verify its validity by actively changing some provided nonsense value (commonly referred to as a nonce) in a way that, while difficult to duplicate, is easy to verify.

Cryptographic smart cards, common in Public Key Infrastructures, can do this by digitally signing the nonce. This enables the secured system to verify that the token is the same entity that it claims to be. Because active tokens frequently make use of highly unique internal characteristics to modify the nonce -- and because most active tokens will self-destruct if the integrity of their packaging is violated -- active tokens are very difficult to counterfeit.

Because they actively change the nonce, active tokens are extremely difficult to bypass, especially if the nonce changes with each challenge. The difficult-to-bypass feature is why some luxury vehicles now use active tokens embedded in the vehicle ignition key to prevent vehicle theft. If the ignition key doesn't properly authenticate to the engine computer, the engine simply will not run.

One interesting characteristic of active tokens is that they can be permanently installed within a server. Once such a token is installed, it can be used to identify the system to other systems in business-to-business transactions with the same characteristics that make tokens useful in identifying people.

Ownership challenges on the Java platform

The Java platform provides more support for ownership challenges than perhaps any other platform. The most important part of this support is embodied in the JavaCard specifications.

JavaCard specifications describe a platform for Java technology embedded in smart cards. This integral support for smart cards enables Java developers to take advantage of the most effective tokens available within the same familiar platform as their enterprise applications.

Further support from the Java platform is provided by the Java Cryptography Extensions (JCE), the Java technology in the Open Card Framework, and Jini network technology (see Resources) to support automatic discovery of card devices. All major card-reader vendors, as well as most smart-card vendors, provide support for the Java platform and JavaCard technology (see Resources). The reason for such broad support is the vast capability and multi-application flexibility of JavaCard technology and the corresponding benefits in securing a high-stakes system.

"Material" security wrap-up

There is one major problem with all token challenges. They only verify that the user owns the token involved. Because it is entirely possible for a malicious user to obtain another user's token, it is still possible to misidentify the user.

This problem is alleviated to a certain degrees with active tokens by preventing the counterfeit or duplication of the token and, frequently, by adding a knowledge challenge into the token. However, the problem still exists.

It would be a marvelous security measure to be able to ensure that the individual who possesses the token is, in fact, the unique individual to whom the token was assigned. ID cards, US drivers licenses, and a few credit cards use a picture to perform this function.

Computers need more than a picture, though, and the emerging science of biometrics is providing a solution.

Print that!

Fingerprints, voice prints, iris patterns, facial geometry, retinal scans -- all of these are means of answering the question "What are your characteristics?"

Biometrics is the science of measuring the unique physical characteristics of individuals. These techniques offer the promise of delivering a long-dreamed-of level of security -- a computer system that recognizes a user more accurately than people recognize each other. The ideal still doesn't exist, but systems are available today that can dramatically increase security by presenting a physical characteristics challenge.

Biological to numeric

There are different ways to present physical characteristics challenges, but a common thread is that all of these challenges work by reducing a raw measurement -- quite often an image of a face, fingerprint loops and whorls, capillary vectors in the retina -- to a numeric template. Then the system attempts to match the requester template to stored templates until a match is found or all templates have been examined.

A balancing act

Each biometric system possesses a probability rate associated with both failure to reject an imposter and failure to recognize the user. These attributes, called false acceptance rate (FAR) and false rejection rate (FRR), must be balanced to meet the usability and security needs of your solution.

The false acceptance rate describes how frequently the system may be expected to recognize someone incorrectly, allowing access under a different identity. The false rejection rate describes how frequently the system may be expected to fail in identifying a user, refusing access to a user who is validly permitted to access the system.

Many systems permit these two values to be balanced, one against the other. By adjusting how carefully the system checks a template against those stored internally, the FAR can be reduced with a corresponding increase in FRR, or the FAR can be increased in order to reduce the FRR. This ability to adjust the sensitivity of the system is important because higher FRR rates reduce the usability of the system, while higher FAR rates reduce security. If both FRR and FAR are inadequate, then the only option is usually to choose a different characteristic.

The correct biometric

Believe it or not, biological characteristics that were once considered to be unique to an individual may not be. Each characteristic has an expected level of recurrence within a population.

One of the more unique biometrics is facial geometry. However, most people have seen two people with faces so similar that they are difficult to tell apart; there are a limited number of ways the face can be expected to form and remain a human face.

Each individual's characteristics will be identical to a certain number of people. Fingerprints are known to be unique to 1 person per 100,000. The pattern of an iris may be unique to 1 person per 10 million.

The uniqueness of the actual characteristic must be taken into account when selecting a biometric for a secure system.

Java technology in characteristic challenges

Java technology is noticeably absent in the characteristics challenge space. The relatively new and untried nature of biometrics is part of the reason for this. Another reason is that biometric vendors have yet to define a standard means of interacting with biometric hardware and this is necessary before the Java platform can offer a language interface.

The one bright light in this situation is that many vendors provide a set of Java classes for interacting with their devices that permit the creation of biometric authentication services for Java applications with minimal difficulty.

"Organic" security wrap-up

Characteristics challenges are generally considered to be the most accurate and reliable of the three primary means of identification. They are not, however, perfect. If you've seen one of those spy movies in which the bad guy (and sometimes the good guy) has whacked off a hand or plucked out an eye just to fool a security system, you'll agree that biometrics systems can be fooled. (In fact, some fingerprint systems can be fooled by a high-quality photograph.)

So, as with all security measures, it is recommended that security system designers consider using as many additional challenges as cost, the human factor, and the system's operation will allow.

If the user isn't human

I've focused on each challenge type, generally assuming the need to identify human users and not other computer systems. That is not always the case.

Computers may also communicate with other computers over insecure links. When identifying other computer systems, there is considerably more freedom to enable strong security because the human factor can be removed.

Computer systems can:

Remember the most complex answers to the knowledge challenge
Possess exceptionally complex active tokens that are permanently installed
Own unique physical characteristics that can be tested across certain types of network connections

Some of these unique characteristics can include the phase-frequency characteristics of the network transceiver or the frequency variation of their internal crystal oscillator.(And, though these characteristics sound quite exacting, each possesses the same benefits and weaknesses that apply to identifying people.)

The greatest advantage when authenticating computer systems is that the smaller number of systems means you can use much more complex techniques without much concern for unit cost.

Another advantage is that computers never complain about usability, so multiple challenges can be issued without concern and characteristic challenges can be adjusted to maximize FAR without fear that the resulting high FRR will cause users to stop using the system.

Three in concert

When dealing with high-stakes systems, a single identity challenge or challenge type is usually not secure enough. When the security needs of a system exceed the security available with one challenge type, it is necessary to implement multiple challenges. Figure 1 ranks the approaches for security.

Figure 1. Best to worst rankings of all approaches

Both of the most common multiple-challenge duos involve the knowledge challenge -- using it with a characteristics challenge and with a token challenge. (Why is the knowledge element the common thread? Simple -- it is the easiest to carry, implement, and use.) While these two combinations certainly improve the security of a system, they are not the most secure.

The most secure combination is to use all three challenges. The next most secure is to combine token and characteristic challenges by storing the characteristic on an active token and having the token validate the characteristic before authenticating to the secure system; adding the internal biometric template into the response to an authentication challenge makes this even more secure. Having a token authenticate a biometric is not possible with most current active tokens, but it is expected to become possible within two product generations.

A final (key)word

Some users cannot provide an answer to all challenge types. If making your system accessible to as many valid users as possible is important, then it is important to implement multiple challenge methods while requiring that only one challenge be met.

For example, some cannot respond to a fingerprint challenge due to a lack of fingers. For these people it would be wise to permit a token challenge so that they could still use the system. Some users, due to injury or youth for example, cannot be expected to remember an adequately complex shared secret. For these users a characteristic or token challenge would enable them to use the system without having to remember a complex shared secret.

The key concept is that the designer must take into account those persons who may not be able to work with the selected system, then determine if the security concerns outweigh the needs of those persons to access the system or if another challenge type should be implemented for them.

Authentication with the Java 2 platform

The Java 2 platform provides one of the most comprehensive sets of APIs for accessing the various means of identification available. The Java platform further provides a service API for interacting with various authentication systems, the Java Authentication and Authorization Service (JAAS) API. With this API, you can implement your high-security authentication as a service provider and allow JAAS to provide the general interface to applications that want to use that means of authentication.

The Java Cryptography Extensions provide a number of methods for working with knowledge challenges to both generate shared secrets and to reduce the chance of those secrets becoming available to attackers.

The JavaCard standard provides APIs and an environment specifically designed to run within an active token, as well as enabling the designer to provide identification, information, and a variety of other services for multiple secure systems all within a single active token.

There aren't any specific APIs that support characteristic challenges yet, but most biometric vendors provide a Java-language interface.

Resources

Details regarding IPSec key-agreement protocol can be found in the IETF document RFC 2409.
Details regarding the IPSec protocol set are at the IETF Web site.
Security magazine provides a wide-ranging discussion covering many security techniques and technologies, including computer security in high-stakes systems.
The United States Navy hosts a number of security-related forums, including the Center for High Assurance Computer Systems.
Princeton University has a research effort on Secure Internet Programming.
The Electronic Privacy Information Center is an excellent source for information on privacy issues.
The United States National Institute of Standards and Technology hosts a high-quality security resource center.
The Computer Security Institute is always an excellent source for security issues.
IBM offers the SmartCard Security Kit for those interested in key-based security options for desktops and portables.
The Java Authentication and Authorization Service is a Java API that lets services authenticate and enforce access controls on users. There is more on JAAS in this white paper, "User Authentication and Authorization in the Java Platform."
The Java Cryptography Extension provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code algorithms.
Download JavaCard Developer Kit and enhance your Java security.

About the author

Comments (Undergoing maintenance)

Trademarks | My developerWorks terms and conditions

Close [x]

Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Close [x]

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/

SITE_ID=1

Zone=Java technology

ArticleID=10547

ArticleTitle=Securing Systems: A three-pronged solution for identifying users

publish-date=06012001

author1-email=JosephS@iisweb.com

author1-email-cc=