Stronger Authentication: The Feeling is Mutual

Burt Kaliski, RSA Laboratories December 6, 2005

Introduction

User authentication is growing in importance in e-commerce Many organizations are calling for stronger authentication mechanisms than the typical password-based schemes
e.g., FFIEC guidance on authentication in Internet banking (Oct. 2005); FSTC Better Mutual Authentication project

As these efforts illustrate, authentication strength depends on more than just the factors
And the authentication story depends on more than just the user

User Authentication Model

User

Agent

Resource

Evidence

Auth. Factors
Users Devices

Auth. Protocol

Forward Authentication Steps

User and Users Devices present Evidence to Agent demonstrating possession of Authentication Factors
Agent conveys Evidence to Resource in Authentication Protocol

Variations on the Model

Local authentication: User authenticates directly to resource, without agent

e.g.: Log into PC; Unlock smart card

Authentication server: User authenticates once to authentication server, which relays ticket or authentication assertion to resource
e.g.: Kerberos; Identity providers

Validation server: Resource relies on separate validation server for part or all of authentication decision
e.g.: Credential federation

Contextual factors: Where & when did the protocol originate?

Describing an Authentication Mechanism

An authentication mechanism is a ceremony* involving:

Selected authentication factors Particular evidence about those factors; and a Specific protocol for conveying the evidence

Simple authentication mechanism has one resource, one authentication decision

Ceremony = Carl Ellison / Jesse Walker model for protocols involving users

Composing Authentication Mechanisms

Compound authentication mechanism combines two or more mechanisms more than one authentication decision

Recursive composition: One mechanism enables access to factors of another

e.g.: Unlock smart card with PIN, authenticate to resource with smart card smart card = (local) resource for first decision

Sequential composition: One mechanism adds to another

e.g.: Authenticate to resource with password, then later with answers to life questions; Risk-based approaches

Example Factors

Something you know:

Password / PIN Knowledge-based authentication CognometricsTM (PassFacesTM)

Something you have:

One-time password token Smart card / USB token Mobile phone

Something you are / can do:

Biometrics

Example Factors & Evidence

Something you know:

Password / PIN Knowledge-based authentication CognometricsTM (PassFacesTM) Password / PIN Answer Image selection

Something you have:

One-time password token Smart card / USB token Mobile phone One-time password Signature Voice confirmation

Something you are / can do:

Biometrics Fingerprint

Example Authentication Protocols

Agent can send evidence directly to resource over secure channel

e.g.: Password over SSL/TLS; Simple EAP mechanisms

Or, can prove knowledge of evidence

e.g.: MS-CHAP e.g.: Zero-knowledge password protocols: EKE, SPEKE, etc.

Agent can transform evidence to associate with resource context

e.g.: Password hashing; EAP-POTP

Can also combine evidence, perhaps with factors held locally

Security Challenges

Corrupted agent can misuse evidence Rogue resource can also misuse evidence, unless agent runs strong protocol Man-in-the-middle is also a threat, depending on protocol Even if mechanism protects user authentication, attacker may be able to mislead the user into disclosing other sensitive information

Key question: How does user authenticate the resource and the agent?

Resource Authentication Model

User

Agent

Resource

Evidence

Auth. Factors
Users Devices

Auth. Protocol

Reverse Authentication Steps

Resource demonstrates authenticity to Agent in Authentication Protocol

Agent presents Evidence of authenticity to User and Users Devices

Resource Authentication Examples

1. Resource PKI
Resource authenticates to agent with certificate Agent presents evidence via lock icon, certificate status But how does user know lock is actually from agent? Also, certificate trust lists can easily be confused

2. Zero-knowledge protocols
Resource authenticates via ZK proof of knowledge of evidence Reverse hashing is a weaker variant Agent presents evidence via visual indicator But how does user know indicator is actually from agent, or that protocol is even running?

Resource Authentication Examples (contd)

3. Next one-time password

Resource authenticates to user by providing next one-time password (assumes user has OTP device as one factor) Agent presents next OTP directly to user But only authenticates that resource is present doesnt detect man-in-the-middle

4. Dynamic security skins (Rachna Dhamija)

Resource authenticates to agent with certificate

Agent presents resource identifier via pattern based on hash of resource identifier
But again, how does user know that pattern is from agent?

Resource Authentication Examples (contd)

5. Watermark or user-selected image

Resource authenticates to user by providing a previously registered watermark or image Agent presents picture directly to user Again, doesnt detect man-in-the-middle

Summary: Mutual User Authentication

Each approach to resource authentication has pros and cons in terms of usability, security against various threats

Agent needs a trustworthy user interface*, otherwise user cant rely on evidence presented
Resource should enable some evidence that the agent can present to user Rapport-building is important if user cant be sure that agent is running strong protocols
Contextual factors provide a foundation
* See Trustworthy Interfaces for Passwords and Personal Information workshop (crypto.stanford.edu/TIPPI)

Related Example: RFID Tag Authentication

Radio-frequency ID tags tiny chips with antennas are used to track inventory, and increasingly to authenticate items
e.g.: Passports, containers, etc.

Authentication model is similar to user authentication:

User / Devices = RFID tag Agent = Reader Resource = Back-end system

Security challenges are also similar plus, rogue reader can potentially read without permission How does RFID tag authenticate the reader?

Reader Authentication Examples

1. Reader / back-end PKI

Reader or back-end authenticates to tag with certificate But hard for typical tags to do public-key crypto operations

2. Symmetric crypto
Reader authenticates with shared symmetric key But how to identify which key without enabling tracking?

3. One-time identities (e.g., Ari Juels minimalist crypto)

Reader, tag authenticate with one-time identifiers and PIN

4. Reader identification
Reader broadcasts its authorization for the auditors; tag checks that authorization is present, but doesnt verify

Conclusions

All parties need assurance that the others are authentic both the user or tag, and the system

Obtaining this assurance is an important challenge in protocol design whether for e-commerce or physical objects
Authentication is more than just about factors the evidence, the protocols and the user interface all affect security

Contact Information

Burt Kaliski RSA Laboratories bkaliski@rsasecurity.com www.rsasecurity.com/rsalabs