Strong
Authentication
As we have seen in earlier
chapters, operating systems and database management systems enforce a security
policy that specifies who—which individuals, groups, subjects—can access which
resources and objects. Central to that policy is authentication: knowing and
being assured of the accuracy of identities.
Networked environments need
authentication, too. In the network case, however, authentication may be more
difficult to achieve securely because of the possibility of eavesdropping and
wiretapping, which are less common in nonnetworked environments. Also, both
ends of a communication may need to be authenticated to each other: Before you send
your password across a network, you want to know that you are really
communicating with the remote host you expect. Lampson presents the problem of
authentication in autonomous, distributed systems; the real problem, he points
out, is how to develop trust of network entities with whom you have no basis
for a relationship. Let us look more closely at authentication methods
appropriate for use in networks.
One-Time
Password
The wiretap threat implies that a
password could be intercepted from a user who enters a password across an
unsecured network. A one-time password can guard against wiretapping and
spoofing of a remote host.
As the name implies, a one-time password is good for one use only. To see how
it works, consider the easiest case, in which the user and host both have
access to identical lists of passwords, like the one-time pad for cryptography
from Chapter 2. The user would enter the first password for the first login,
the next one for the next login, and so forth. As long as the password lists remained
secret and as long as no one could guess one password from another, a password
obtained through wiretapping would be useless. However, as with the one-time
cryptographic pads, humans have trouble maintaining these password lists.
To address this problem, we can use
a password token, a device that generates a password
that is unpredictable but that can be validated on the receiving end. The
simplest form of password token is a synchronous one, such as the SecurID
device from Security Dynamics. This device displays a random number, generating
a new number every minute. Each user is issued a different device (that
generates a different key sequence). The user reads the number from the
device's display and types it in as a one-time password. The computer on the
receiving end executes the algorithm to generate the password appropriate for
the current minute; if the user's password matches the one computed remotely,
the user is authenticated. Because the devices may get out of alignment if one
clock runs slightly faster than the other, these devices use fairly natural
rules to account for minor drift.
What are the advantages and
disadvantages of this approach? First, it is easy to use. It largely counters
the possibility of a wiretapper reusing a password. With a strong
password-generating algorithm, it is immune to spoofing. However, the system
fails if the user loses the generating device or, worse, if the device falls
into an attacker's hands. Because a new password is generated only once a
minute, there is a small (one minute) window of vulnerability during which an
eavesdropper can reuse an intercepted password.
Challenge–Response
Systems
To counter the loss and reuse
problems, a more sophisticated one-time password scheme uses challenge and
response, as we first studied in Chapter 4. A challenge and response device
looks like a simple pocket calculator. The user first authenticates to the
device, usually by means of a PIN. The remote system sends a random number,
called the "challenge," which the user enters into the device. The
device responds to that number with another number, which the user then
transmits to the system.
The system prompts the user with a
new challenge for each use. Thus, this device eliminates the small window of
vulnerability in which a user could reuse a time-sensitive authenticator. A
generator that falls into the wrong hands is useless without the PIN. However,
the user must always have the response generator to log in, and a broken device
denies service to the user. Finally, these devices do not address the
possibility of a rogue remote host.