WHO GOES THERE?
Authentication in the On-Line World
Author: Dr. Charles Williams, Chief Scientist
Contributed by Cylink Corporation - 2001
The Internet is changing the way we make and spend our money. Consumers are expected to spend $20 billion on-line this year. We are buying virtually everything on-line: travel, books, medication, software, and groceries to name a few. The trend is even more striking as our spending rate is expected to exceed $100 billion in 2003. In other words the web is no longer the toy for the hobbyists.
The web is having even a greater impact on business-to-business commerce. This year, we expect about $100 billion of business-to-business transactions. By 2003, the analysts are expecting over $1 trillion of business-to-business e-commerce, which represents about 10% of all business trade of hard goods.
One of the major concerns consumers, merchants, and businesses are having with e-commerce is how do we identify our customer or partner over an electronic network? We feel comfortable, although not entirely safe, with our current business processes based on face-to-face interactions, phone conversations, faxes, or letters. But when your only contact with your customer or business partner is an e-mail or "clicks" at a web site, how do you know with whom you are doing business?
Fortunately there is a body of technologies and practices that address the question of "Who goes there?" over the Internet. Let's look at identification and authentication over the web.
Identification and Authentication
Identification and Authentication, commonly called I&A, form one of the pillars of information security. The term "identification" deals with who you claim you are. The "authentication" part of I&A is how do you prove your claimed identity. For example, in a face-to-face interaction I can claim I'm Chuck Williams, and I can prove it by showing you my driver's license.
Just as we have many methods of I&A for face-to-face commerce, we have a number of options for I&A to support e-commerce. It is interesting to note that some of the techniques used for I&A over the Internet are actually more trustworthy and reliable than conventions we use for face-to-face commerce. Let's look at some of these methods for on-line authentication of people.
I&A is based on one, or a combination, of three characteristics of a person:
Something the person and only the person has:
For example, I possess a badge that allows me to enter my office building. The electronic lock on the front door opens the door for "Chuck Williams" when I place the badge near the badge reader.
Something the person and only the person knows:
For example, I also possess a password that lets me into the computer systems at work. My user id is "cwilliams" and my password is "%#@*&" (not really). I and only I know my password (not really).
A physical characteristic of the person:
For example, my badge has my picture on it. In highly secured environments, a guard will compare the picture on the badge with my face to determine if I am indeed the owner of the badge. This is an example of "two factor" authentication: something I have (the badge) and a physical characteristic (my face).
Now that we have the basic understanding of techniques for I&A, let's look at the possibilities for e-commerce. The discussion will go from those techniques that provide the lowest levels of assurance to those with the highest.
Cookies:
A "cookie" is a number that a web site passes to your browser on your PC. If you choose to accept the cookie, the browser will return the cookie to the web site every time you revisit the site. This allows the web site to know who you are and possibly even know your name, address and other information if you had provided these at a previous visit.
Cookies are really little more than a convenience to track the user rather than true security. It is easy for an attacker to intercept the cookie and install it in his machine.
User Names and Passwords:
This is the most widely used and least popular of all Internet authentication methods. Each user is assigned or allowed to select her user name and an associated secret password. This authentication system is based on the assumption that only the user knows her password. Therefore, if a user presents Alice's name and password, the web site can assume with a high degree of assurance that it is Alice and not someone else.
User names and passwords are popular because they are easy to understand and simple to implement. However, these systems tend to be expensive to maintain because users often forget their passwords. Furthermore, passwords are plagued by the complexity paradox: complex passwords are difficult to attack but they are hard to remember, so users tend to write them down, which, in turn, makes the passwords more vulnerable. Finally, password systems are not particularly secure: it is possible to attack a password while it is in transit between the user and the web server. Passwords are particularly vulnerable at the web server, where unscrupulous system administrators can access your passwords and provide them to other users. In order to protect their accounts, most serious users use a different password for each service. I personally have 20 passwords -- good security, but difficult to manage. Be careful of passwords since there are cases where user names and passwords are actually posted on the web for everyone to use.
The bottom line is that password systems are expensive to maintain, are inconvenient, and they provide only modest security. Once an attacker has your password, he has your identity.
User Names and Dynamic Passwords:
Dynamic password systems are considered stronger than conventional (also called "static") passwords, because the password changes every minute or so. So, if the password is compromised, it can be exploited for only a short period of time.
Most dynamic password systems require the user to carry a "token", which computes and displays the dynamic passwords. The user simply reads the password off the token's display every time the user needs a password.
Actually, a dynamic password system is an example of "something the person has", since the user must have the token to get the dynamic password. Since the authentication is based on the possession of the token (if I have your token, I become you), many systems augment dynamic passwords with secret static passwords, which is an example of two-factor authentication: "something you know" and "something you have".
Note that dynamic password systems require that the web server is also capable of generating the user's dynamic password so it can check the password presented by the user. This means that a dishonest system administrator could provide your password generation secret to other users, so they can duplicate your token and masquerade as you.
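The token and server sides of a time-based dynamic password, as an added example that is not from the article or from any Cylink product: the scheme (HMAC over the current minute, truncated to six digits), the seed value and the function names are all constructed for illustration. The point it makes concrete is the one just above: the server must hold the very same seed as the token, so whoever can read the server's copy can compute the same passwords.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Step is how long one dynamic password stays on the token's display ("every minute or so").
const Step = 60

// DynamicPassword derives the 6-digit password for a given Unix time from the token's seed.
// The token and the server both run this exact computation, so both must hold the seed.
// The scheme is constructed for illustration, not any particular vendor's token.
func DynamicPassword(seed []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/Step))
	mac := hmac.New(sha256.New, seed)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// ServerVerify is the web server's check. It accepts the current interval and the one
// before it, so a password read a few seconds before the display changed is still usable,
// and it compares in constant time.
func ServerVerify(serverSeed []byte, presented string, unixTime int64) bool {
	for _, t := range []int64{unixTime, unixTime - Step} {
		if hmac.Equal([]byte(DynamicPassword(serverSeed, t)), []byte(presented)) {
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("constructed seed for alice's token") // shared by token and server
	now := int64(1_000_000_000)
	pw := DynamicPassword(seed, now)
	fmt.Println("token shows:", pw)
	fmt.Println("accepted now:", ServerVerify(seed, pw, now))
	fmt.Println("accepted two minutes later:", ServerVerify(seed, pw, now+2*Step))
	// Anyone who copies the server's seed can run DynamicPassword too: the token is duplicated.
}
```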
User Names and Biometrics:
There is a strong desire to get away from password-based authentication systems. The most attractive alternative is to use biometrics to measure a physical characteristic of a person. Potential biometrics include fingerprints, hand shape, face shape, voice recognition, and iris scanning. The idea is to authenticate yourself by sending your biometric (e.g. an image of your fingerprint or face) to the web site. The authentication database at the web site then matches your biometric with that stored at the site. If they match, you are who you say you are.
Biometrics are not widely used because they tend to be expensive, tend to be unreliable, and are viewed by the public as being "big brotherish". There is a great deal of work to lower the cost and increase the reliability of biometrics. Biometrics might be useful in the future.
Public Key Authentication:
This is similar to passwords, but it has a distinctive twist, which makes public key authentication much more powerful than simple passwords. In a public key system, each user has two keys: a private key and a public key. Only the user knows the private key, and the public key is available to anyone (e.g. a web site) that wishes to do business with the user. The user prepares "digitally signed" messages with her private key and the web site checks the validity of these signatures with the user's public key. In this manner the web site can check that the signature was produced by the user, yet the web site does not have the private key that was used to generate the signature. This is very different from password systems where both the user and the web site have the password. In a public key system, the user can and must keep the private key secret -- no one else knows the value of the private key, yet any merchant or partner can check the validity of digital signature by knowing the user's public key.
There are two major benefits of using public key systems:
First there is no secret information at the web server, so the user is not required to trust the server's administrator. A user can use the same private/public key pair for all of her e-commerce, since the private key is always a secret no matter how many partners know the public key.
Second, the user and only the user knows the private key. This allows the merchant or business partner to use the digital signature in a court of law to prove that the user and only the user could have generated the digital signature. Lawyers call this feature non-repudiation: the signer cannot repudiate ("disown") the message she has signed. In this manner the digital signature plays a similar role to the handwritten signature on a contract -- it provides a mechanism for the user to commit, which is an absolute necessity for e-commerce.
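A challenge-response login built on the public key idea described above, as an added example that is not from the article or from any Cylink product; it uses Ed25519 from Go's standard library, and the type and function names are constructed. The server stores only public keys and issues a fresh random challenge, so nothing on the server can produce a user's signature and a signature captured once cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// User keeps the private key; it lives on the PC or smart card and never leaves it.
type User struct {
	Name string
	priv ed25519.PrivateKey
}

// Server holds nothing secret: only each registered user's public key.
type Server struct{ pubKeys map[string]ed25519.PublicKey }

// Register generates the user's key pair and gives the server only the public half.
func Register(s *Server, name string) (*User, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[name] = pub
	return &User{Name: name, priv: priv}, nil
}

// Challenge issues a fresh random nonce, so a signature captured earlier cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Sign is the user's step: a digital signature over the challenge with the private key.
func (u *User) Sign(challenge []byte) []byte { return ed25519.Sign(u.priv, challenge) }

// Verify is the server's step: check the signature using the stored public key alone.
func (s *Server) Verify(name string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[name]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	srv := &Server{pubKeys: map[string]ed25519.PublicKey{}}
	alice, _ := Register(srv, "alice")
	ch, _ := srv.Challenge()
	fmt.Println("alice accepted:", srv.Verify("alice", ch, alice.Sign(ch)))
}
```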
Public key technology is commonly available -- it is part of every web browser shipped today. The browser's private and public keys are generated and stored on the user's PC. Additional convenience and security are afforded when the keys are stored on a "smart card". This is a removable, hence portable, secure computer, which is the size and weight of a standard credit card. This allows the user to carry her keys (her digital identity) in her wallet.
Because the smart card carries your private key, if someone steals your smart card they essentially steal your electronic identity. Most smart card systems solve this problem by requiring a personal identification number, PIN, to activate the smart card: a thief must steal your smart card and PIN in order to impersonate you.
We can expect public key authentication systems and smart cards to be widely used in the next few years. All business-to-business e-commerce will use public key systems and most consumer transactions will be protected by public keys and smart cards.
Public Key and Biometrics:
There is considerable excitement about using biometrics in addition to or instead of PINs to protect smart cards. The idea is that you and only you can use your smart card because the smart card won't work without your fingerprint, voiceprint or some other biometric. There are a few products on the market that use biometrics to protect smart cards, but the field experience indicates that biometrics are not quite ready, yet.
The Identification and Authentication, I&A, functions are critical for any commerce: you must know with whom you are doing business. Fortunately, there are many methods for performing I&A over the Internet. We can expect the widespread deployment of public key systems, which will provide stronger I&A than we are accustomed to today. E-commerce is coming and the I&A to support e-commerce is here.