BNL Home

Strong Authentication & One-Time Passwords

The Importance of User Authentication in Network Security

In a network environment, user authentication can enable a perimeter device (a firewall, proxy server, VPN server, remote access server, etc.) to decide whether or not to approve a specific user's request to gain entry to the network.

It is necessary to be able to identify and authenticate users with a high level of certainty, so that they may be held accountable should their actions threaten the security and productivity of the network. The more confidence network administrators have that a user is who they say they are, the more confidence they will have in allowing those users specific privileges and the more faith they will have in their network device’s internal records regarding that user. Reliable user authentication can help achieve what are necessary elements in basic network security... positively identifying someone; allowing them specific rights; and holding them accountable for their actions should they compromise the security and productivity of the network for other users on the network.

The Need for Something More Than Standard Passwords

Predictable, easily-crackable, and/or unchanging passwords are the single weakest point in the standard site-security model. The majority of security attacks are achieved through password access. User authentication that relies on standard passwords alone fails to provide adequate protection for network systems. When users make up their own passwords, they tend to choose ones which are easy to remember and, as a result, easy to guess. When passwords are created from randomly-generated characters, users tend to write them down because they’re difficult to remember. Even if users are careful about the passwords they use, they are victim to a much more informed hacker/cracker community. A variety of easily accessible password-attack techniques can be used to guess user passwords or even decipher them when certain known encryption methods are used.

Because of the vulnerability of standard passwords, it is imperative that standard password-based access to systems or networks be managed properly, with the utmost attention given to controlling the generation, distribution, retrieval and use of passwords. In a network as large and diverse as the BNL network, this is often a very difficult goal to achieve.

Luckily, there is an easier solution to this problem, and that is to use strong user authentication. As you’ll see in the next section, strong user authentication eliminates the need to remember passwords and thus eliminates the need to generate, distribute, and retrieve them.

(It is important to understand that effective security is not found in a single product or system, but rather in the compilation of a variety of security solutions and tools used throughout the network. A firewall may be somewhat effective, but it is not flawless in keeping out potential trouble-seekers and is therefore only part of the overall security picture. Multiple layers of defense are necessary and a highly effective additional layer of defense is strong user authentication.)

Strong User Authentication

There are three types of information that a system can use to prove that users are who they say they are. Although the presence of all three is most desirable (and most demanding), the presence of at least two out of the three allows for a reasonable level of confidence in someone’s identity. When two out of the three are present, it is generally referred to as 'strong authentication.'(In practice, a network can achieve various levels of 'strength' or 'weakness' and thus various levels of trust and reliability, all tailored to its own particular security needs.)

  • The first type of information is "something you have". Typically, this means that the user has a particular physical device that they alone were given and authorized to use that allows them access.
  • The second is "something you know." Typically, this means that the user knows a secret, such as a particular password that only they were supposed to have been given and that they alone know.
  • The third is "something you are." This means that the user possesses some human attribute, some biometric feature that can be scanned and digitally documented, such as a fingerprint or retinal scan.

The third type of information, comparing a biometric feature, is the most costly and the most difficult to implement. Therefore, when security managers are seeking a simple, cost-effective 'strong authentication' solution, often they look to incorporate the first two pieces of information, 'something you have' and 'something you know.'

Security Tokens... "something you have"

A security token is a user authentication device; it is the 'something you have.' It is a device that has been assigned to a trusted user by a trusted administrator, and it must be in-hand when used for authentication. It is small enough to be carried by the user; typically, it is the size of a credit card or is sometimes shaped even smaller so that it can be hung from a key chain. Most importantly, it is difficult and costly to counterfeit.

Security tokens, sometimes called 'smart cards' or 'smart tokens' are made up of microprocessors contained within a protective casing. Using an active or interactive authentication process, the security token uses a hidden secret (usually a large number) to identify itself. Using various cryptographic schemes, it can prove that it knows the secret without actually revealing the secret. Using this approach, it can generate a unique password each time the token is used. The user must then use a keyboard to transfer this unique password between the host computer and the authentication system. In this context, these unique passwords have come to be known as 'one-time passwords.'

Variation on these physical security tokens is a software implementation that does essentially everything the physical version does but via a software utility loaded on the user's host computer. Although this option is not quite as secure as a physical token (the 'something you have' is no longer a physical device), it is still very secure. (Each copy of the software is unique for each user, guaranteeing unique one-time passwords for that user.) It also offers ease of use with the availability of fully-automated logon processes and, perhaps more importantly, there's no physical device to forget or misplace.

One-Time Passwords... "something you know"

It's easy enough to provide users with the physical 'something' they must have (the security token), but how do we help to enforce that a user will keep sensitive information (such as a password) secure? How do we keep users from being tempted to write down, share or otherwise compromise passwords that must change often to ensure a secure environment? In steps the concept of a 'one-time password.'

A 'one-time password' is a password that is used just once for a brief interval and then is no longer valid. If it is intercepted in any way, it has such a limited life span that it quickly becomes useless. A variety of cryptographic schemes are used to generate one-time passwords from assigned secrets (binary 'seeds' or 'secret keys'). Shared secrets are fed into an encryption engine residing at both ends of a communications link, but the secret itself is never actually transmitted or revealed.

In full challenge/response authentication systems, a host system typically sends a random 'challenge' to a remote user. The user uses his secret key and an encryption algorithm to encrypt the random challenge with his secret key. This generates the 'response,' which is returned to the host. The remote host decrypts the response, using its database record of the user's key, and matches it to the original challenge to authenticate. In practice, there are variations on this challenge/response process, with vendors offering varying degrees of security depending on individual network security needs.