CrossNodes Briefing: Authentication
Authentication is not a new concept. Organizations need to protect assets, and they traditionally limit access to databases and sensitive data. In the IT world, the most basic form of authentication relies user names and passwords. If each person has a password, then the person that knows that password has permission to access system resources. However, passwords are lost or stolen, and hackers seem to capture and decipher passwords with apparent ease.
As the defined boundaries of the corporate network dissolve to meet the demands of an increasingly mobile and distributed workforce, the weakness of simple password protection becomes obvious. Legitimate users can access the network from a variety of systems, and this makes it difficult to screen remote connections. At the same time, businesses want closer contact with customers and suppliers. They need to share information and corporate resources. The increased use of messaging technologies like e-mail increase the risk, because intruders can use legitimate messages to invade a server.
Authentication provides a method of identifying legitimate users, and when combined with utilities that guard against data modification, helps protect against unauthorized accesses. Authentication vendors offer a broad array of products, including:
- Digital certificate uses a unique identifier stored on a users system. The server compares the certificate and logon information against a database that identifies the user. If the information matches, the session continues. Many companies use third-party providers, call Certification Authorities (CAs), to control the database of identities and the distribution of certificates. The CA then generates a certificate that permits the session to continue.
- Hardware token establishes a digital notification generated by the users workstation. This, along with a password, implies that the user accessing the network is at a known workstation. As IT adds wireless components and workers increasingly access corporate networks from home, establishing a hardware-based system becomes more difficult.
- Smart card permits users to access a network after they identify themselves using a personal identification card and a card reader. This is a secure method as long as users protect their identification cards. Passwords permit network managers to prevent access through a misplaced or stolen card. This approach requires a card reader on any workstation accessing the network.
- Biometrics uses fingerprints, eye scan, or face recognition technology to ensure that the user is the person associated with a specific password. This is the most costly technology to implement, and it requires special hardware on each system that the person uses to access the network.
- Public Key Infrastructure (PKI) implements several encryption based security measures based on key that is available only to authorized users. Authentication provides protection for the key.
- Kerebos provides authentication service and secure transmission across platforms. It works at a layer above the operating system login authentication service, and it is popular in those networks that support multiple operating systems.
The Importance Grows
The emergence of e-commerce systems and the acceptance of digital signatures as legally binding consent also pushed developments in authentication. The World Wide Web provides a flexible platform, but that flexibility comes at a loss of privacy and security. Still, financial institutions, retail sites, and companies seeking to create electronic links with customers and suppliers, see the appeal of a convenient, easy to use, and pervasive network. The full growth of e-commerce, however, remains limited by security concerns.
Vendors are addressing the problem. Microsoft, for example, included the Security Support Provider Interface (SSPI) in Windows 2000. SSPI supports a range of APIs that can perform authentication, context management, and message security. The developer also released a digital certificate and electronic signature system called Passport. Through this system, registered users can submit payment, and the authentication system assures companies that the transaction is legitimate.
In addition to Microsoft, such vendors as IBM, Hewlett-Packard, Oblix, Securant Technologies, and Tivoli systems, offer security suites that include authentication utilities.
A Search for Standards
The market needs standards, and these will emerge. Several committees exist to look at creating secure network connections and transactions. An XML standard, called Security Assertion Markup Language (SAML) focus on securely transferring authentication and authorization information. Under SAML, security can be built into the XML code based on the content being transferred. This shifts control to the content provider.
Obviously, implementing an authentication system can be complex. The network manager must register each user and the associated systems. This information generally resides in a database, but the database must be secure. As a result, many companies turn to third-party providers to establish an authentication and encryption system. This implies some loss of control. Therefore, network managers must carefully assess the risk to their networks and the ability of in-house personnel to support an on-going authentication system before they select an approach.
Gerald Williams serves as director of quality assurance for dolphin inc., a software development company. williams has extensive background in technology and testing, previously serving as editorial director with national software testing labs (nstl), executive editor with datapro research, and managing editor of datapro's pc communications reference service.