NIST FIPS 190 Guideline for the Use of Advanced Authentication Technology Alternatives, 1994-09.txt
Federal Information Processing Standards Publication 190
1994 September 28
ANNOUNCING THE
GUIDELINE FOR THE USE OF ADVANCED
AUTHENTICATION TECHNOLOGY ALTERNATIVES
Federal Information Processing Standards Publications (FIPS PUBS)
are issued by the National Institute of Standards and Technology
(NIST) after approval by the Secretary of Commerce pursuant to
Section 111(d) of the Federal Property and Administrative
Services Act of 1949 as amended by the Computer Security Act of
1987, Public Law 100-235.
1. Name of Guideline. Guideline For The Use Of Advanced
Authentication Technology Alternatives (FIPS PUB 190).
2. Category of Guideline. Computer Security, Subcategory
Access Control.
3. Explanation. This Guideline describes the primary
alternative methods for verifying the identities of computer
system users, and provides recommendations to Federal agencies
and departments for the acquisition and use of technology which
supports these methods. Although the traditional approach to
authentication relies primarily on passwords, it is clear that
password-only authentication often fails to provide an adequate
level of protection. Stronger authentication techniques become
increasingly more important as information processing evolves
toward an open systems environment. Modern technology has
produced authentication tokens and biometric devices which are
reliable, practical, and cost-effective. Passwords, tokens, and
biometrics can be used in various combinations to provide far
greater assurance in the authentication process than can be
attained with passwords alone.
4. Approving Authority. Secretary of Commerce.
5. Maintenance Agency. Department of Commerce, National
Institute of Standards and Technology Computer Systems
Laboratory.
6. Cross Index.
a. FIPS PUB 46-2, Data Encryption Standard.
b. FIPS PUB 48, Guidelines on Evaluation of Techniques
for Automated Personal Identification.
c. FIPS PUB 74, Guidelines for Implementing and Using
the NBS Data Encryption Standard.
d. FIPS PUB 81, DES Modes of Operation.
e. FIPS PUB 83, Guideline of User Authentication
Techniques for Computer Network Access Control.
f. FIPS PUB 112, Password Usage.
g. FIPS PUB 113, Computer Data Authentication.
h. FIPS PUB 171, Key Management Using ANSI X9.17.
i. FIPS PUB 180, Secure Hash Standard.
j. Special Publication 500-157, Smart Card Technology:
New Methods for Computer Access Control.
k. Special Publication 800-2, Public Key Cryptography.
Other NIST publications may be applicable to the use of this
guideline. A list (NIST Publications List 91) of currently
available computer security publications, including ordering
information, can be obtained from NIST.
7. Applicability. This guideline is applicable to all Federal
departments and agencies that use authentication
systems to protect unclassified information within computer and
telecommunication systems (including voice systems) that are not
subject to Section 2315 of Title 10, U.S. Code, or Section
3502(2) of Title 44, U.S. Code. This guideline may be used by
all Federal departments and agencies in designing, acquiring and
implementing authentication systems within computer and
telecommunication systems (including voice systems) that they
operate or that are operated for them under contract. Non-Federal
government organizations are encouraged to use this guideline
when it provides the desired security for protecting valuable or
sensitive information.
8. Applications. Authentication systems may be utilized in
various computer and telecommunication (including voice)
applications and in various environments (e.g., centralized
computer facilities, office environments, hostile environments).
The strength of an authentication system should be chosen
to provide a degree of assurance appropriate for the security
requirements of the application and environment in which the
system is to be utilized and the security services which the
system is to provide.
9. Specifications. Federal Information Processing Standards
(FIPS) Guideline 190, Guideline For The Use Of Advanced
Authentication Technology Alternatives (affixed).
10. Export Control. Many of the authentication systems
discussed in this guideline make use of cryptographic techniques
to strengthen the security of the authentication process. Certain
cryptographic devices and technical data regarding them are
deemed to be defense articles (i.e., inherently military in
character) and are subject to Federal government export controls
as specified in Title 22, Code of Federal Regulations, Parts
120-128. Some exports of cryptographic systems and technical
data regarding them must comply with these Federal regulations
and be licensed by the U.S. Department of State. Other exports
of cryptographic systems and technical data regarding them fall
under the licensing authority of the Bureau of Export
Administration of the U.S. Department of Commerce. The
Department of Commerce is responsible for licensing cryptographic
devices used for authentication, access control, proprietary
software, automatic teller machines (ATMs), and certain devices
used in other equipment and software. For advice concerning
which agency has licensing authority for a particular
cryptographic device, please contact the respective agencies.
11. Implementation Schedule. This guideline becomes effective
May 1, 1995.
12. Qualifications. The authentication technology described in
this guideline is based upon information provided by many sources
within the Federal government and private industry.
Authentication systems are designed to protect against
adversaries mounting cost-effective attacks on unclassified
government or commercial data (e.g., hackers, organized crime,
economic competitors). The primary goal in designing an
effective security system is to make the cost of any attack
greater than the possible payoff.
13. Where to obtain copies. Copies of this publication are
available for sale by the National Technical Information Service,
U.S. Department of Commerce, Springfield, VA 22161. When
ordering, refer to Federal Information Processing Standards
Publication 190 (FIPSPUB190), and title. When microfiche
is desired, this should be specified. Payment may be made by
check, money order, credit card, or deposit account.
Federal Information Processing Standards Publication 190
1994 September 28
Specifications for
GUIDELINE FOR THE USE OF ADVANCED
AUTHENTICATION TECHNOLOGY
CONTENTS
1. INTRODUCTION
2. PRINCIPLES OF AUTHENTICATION
3. PASSWORD BASED AUTHENTICATION
   3.1 Overview
   3.2 Factors Affecting Password Security
       3.2.1 Composition
       3.2.2 Length
       3.2.3 Lifetime
       3.2.4 Source
       3.2.5 Distribution
       3.2.6 Storage
       3.2.7 Entry and Transmission
   3.3 Problems with Password-Only Authentication
   3.4 Example
4. TOKEN BASED AUTHENTICATION
   4.1 Overview
   4.2 Form Factor
   4.3 Workstation Interface
       4.3.1 Contact Interfaces
       4.3.2 Non-Contact Interfaces
   4.4 Processing Capability
       4.4.1 Memory Tokens
       4.4.2 Microprocessor Tokens
             4.4.2.1 Hand Held Password Generators
       4.4.3 Multi-Application Tokens
   4.5 Recommendations
   4.6 The NIST Advanced Smartcard Access Control System
5. BIOMETRIC BASED AUTHENTICATION
   5.1 Overview
   5.2 How Biometric Authentication Systems Function
   5.3 Recommendations
   5.4 Example
6. COMBINATION METHODS
7. CRYPTOGRAPHY IN AUTHENTICATION SYSTEMS
   7.1 Overview
   7.2 Secret Key Cryptography
   7.3 Public Key Cryptography
   7.4 Cryptographic Authentication Protocols
       7.4.1 Kerberos
       7.4.2 SPX
8. GENERAL IMPLEMENTATION GUIDELINES
9. CONCLUSION
REFERENCES
1. INTRODUCTION
This Guideline provides information and guidance to Federal
agencies on the use of advanced authentication technology as a
critical element in the design of effective access control
mechanisms for automated systems which process unclassified
information. As the trend toward networking continues, the
ability to verify the identity of system users with a high degree
of accuracy becomes more important. Systems which cannot
differentiate between requests for service by legitimate users
and unauthorized access attempts are vulnerable to a variety of
attacks. Although passwords are the traditional method for
verifying the identity of users, there are several alternative
methods which can enhance the security of an access
control system. This document describes these methods and
provides recommendations for their use. Each major section
contains an example authentication system based upon the
technology described in that particular section. The examples
are constructed specifically for the purposes of this document,
with the exception of the Advanced Smartcard Access Control
System presented in Section 4. However, all examples are based
on technology that is available now or is expected in the near
future. Discussion of specific commercial products does not
constitute an endorsement by NIST.
2. PRINCIPLES OF AUTHENTICATION
The broadest definition of authentication within computing
systems encompasses identity verification, message origin
authentication, and message content authentication [1].
The concept of identity verification specifically applies to
principals with information processing and decision making
capabilities, including human users, computing systems and
processes executing on those systems. From an authentication
standpoint, the term "user" applies to all these principals. This
Guideline focuses on technology and techniques for verifying the
identity of human users, but many of these techniques are equally
applicable to authentication of other principal types.
Authentication through knowledge of secret information or
possession of a unique physical authentication token are equally
valid for all the types of entities described above. On the other
hand, biometric authentication only makes sense in the context of
human users.
Reliable authentication mechanisms are critical to the security
of any automated information system. If the identity of
legitimate users can be verified with an acceptable degree of
accuracy, those attempting to gain access without proper
authorization can be denied permission to use the system. When a
legitimate user's identity is verified, access control techniques
are applied to mediate that user's access to system resources. If
a computer system cannot verify the identity of users and other
computers, the system will not be able to protect itself against
unauthorized access. A variety of methods are available for
performing user authentication, and these methods form the basis
for access control systems [2]. The three generally accepted
categories of methods for verifying the identity of a user are
based on something the user KNOWS, such as a password; something
the user POSSESSES, such as an authentication token; and some
PHYSICAL CHARACTERISTIC of the user, such as a fingerprint or
voice pattern. In order to use these characteristics to verify
the identity of an individual, computer systems use software,
hardware, or a combination of both.
In the past, it was relatively easy to protect computer systems
because they were typically installed in a centralized computing
facility. Since the terminals used to access the computer were
usually in the same building, only those persons having physical
access to the building would be able to use the terminals. With
the proliferation of networked computer systems, however, this
level of physical access control is no longer viable. The design
of open computing systems permits access to more systems, and
some of these access attempts may not be by legitimate users.
Users may be able to access network-connected computers from any
physical location on the network, and the logical connection
which supports a session between the user and a given computer
may travel through many communications circuits. The increasing
level of interconnection between computer systems has made it
possible to distribute and process information far more easily
than in the past. However, it has also become significantly more
difficult to identify system users based on physical location,
since the pathway between a user and the computing resources
accessed by that user may be impossible to trace.
Attackers often take advantage of the anonymity provided by
communications networks when attempting to break into a target
machine. A significant amount of effort is usually required to
locate and prosecute these attackers, primarily because of the
difficulty of tracing an attacker's access routes through
communications networks which may span international boundaries.
Networking not only makes it more difficult to identify system
users, it also increases the opportunities for unauthorized
parties to intercept authentication data passing through the
network during the course of a legitimate session between a user
and a remote host computer. User passwords are sometimes
transmitted through a network in plaintext form. If an attacker
is able to monitor the user's session, the attacker may be able
to record the user's password or other critical authentication
data. This would allow the attacker to pose as a valid user by
initiating a login on the remote host and submitting the user's
authentication data when the host requests it. Software is
readily available for monitoring network traffic, primarily for
the purpose of performance management and problem diagnosis.
Unfortunately, the same software is often quite effective at
capturing passwords as they are transmitted through a network.
Some systems apply a cryptographic algorithm to scramble
(encrypt) passwords before they are transmitted, so that the
plaintext password is not exposed. However, an attacker may still
be able to record the encrypted password, and gain access to the
host computer by submitting the encrypted value. In either case,
the host computer will be unable to distinguish between the
attacker and a valid user, and will grant access to the attacker.
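The replay problem just described, and the challenge-response remedy that Section 7 develops, simulated end to end as an added example that is not part of FIPS 190. The user name, the password, and the choice of SHA-256 and HMAC-SHA-256 as the scrambling functions are constructed assumptions for the demonstration; the host's single-use random challenge is what makes the captured value worthless the second time.

```python
"""
Added example (not from FIPS 190): a host that accepts a fixed scrambled
password will accept the same captured value again, while a host that
issues a fresh random challenge per login rejects a replayed response.
Both sides of each exchange run in this one process.
"""
import hashlib
import hmac
import secrets


class StaticScrambledHost:
    """Host expecting the same one-way transform of the password at every
    login.  The plaintext is hidden, but the value on the wire never changes."""

    def __init__(self, users):
        # Store only the one-way mapping of each password (Section 3.2.6).
        self.store = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}

    def login(self, user: str, scrambled: bytes) -> bool:
        return hmac.compare_digest(self.store.get(user, b""), scrambled)


def static_client_response(password: str) -> bytes:
    """What the user's workstation transmits under the static scheme."""
    return hashlib.sha256(password.encode()).digest()


class ChallengeResponseHost:
    """Host that sends a random nonce first; the response is keyed on both the
    password-derived secret and the nonce, so it is valid for one challenge only."""

    def __init__(self, users):
        # Host holds a password-equivalent secret (the hash), never the plaintext;
        # protecting this store is still the concern of Section 3.2.6.
        self.store = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
        self.pending = {}  # user -> outstanding challenge, consumed on use

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # single use: a replay finds no match
        if nonce is None or user not in self.store:
            return False
        expected = hmac.new(self.store[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_client_response(password: str, nonce: bytes) -> bytes:
    """Client side: derive the same secret and MAC the host's challenge."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_outcomes() -> dict:
    """Run a legitimate login that a network monitor could record, then submit
    the recorded value again, against each kind of host."""
    users = {"alice": "correct horse"}  # constructed credentials
    results = {}

    host = StaticScrambledHost(users)
    captured = static_client_response(users["alice"])  # value seen on the wire
    results["static_legit"] = host.login("alice", captured)
    results["static_replay"] = host.login("alice", captured)  # accepted again
    results["static_wrong"] = host.login("alice", static_client_response("guess"))

    host = ChallengeResponseHost(users)
    nonce = host.challenge("alice")
    captured = challenge_client_response(users["alice"], nonce)
    results["cr_legit"] = host.login("alice", captured)
    host.challenge("alice")  # a new session gets a new nonce
    results["cr_replay"] = host.login("alice", captured)  # stale response fails
    return results


if __name__ == "__main__":
    for name, accepted in replay_outcomes().items():
        print(f"{name:14s} -> {'access granted' if accepted else 'access denied'}")
```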
In a modern automated information system, processes running on
one computer may interact with other computers in order to
transfer information or access common resources. These
interactions may take place across networks and involve machines
which are not located in the same facility. For example, many
electronic mail protocols require the transfer and routing of
information through computers which are heterogeneous in terms of
ownership and physical location. It is therefore necessary to
consider situations where one computer needs to verify the
identity of another computer, with or without intervention from a
human user. It is usually desirable in these cases to implement
some form of mutual authentication, whereby the identity
of each computer is verified simultaneously. Fortunately,
computers are capable of implementing cryptographic
authentication protocols which provide an efficient and secure
means for performing mutual authentication (Section 7).
Human users often access multiple services on multiple host
computers in modern automated information systems. Separate
authentication events may be required for each service a user
wishes to access, particularly if these services are resident on
separate host machines. Users might, for example, be required to
demonstrate possession of a physical authentication token for
each service. In some cases, services or host computers may even
use different authentication techniques which would, for example,
force users to memorize passwords for some services and carry
tokens or provide biometric scans for others. This situation
quickly becomes an unreasonable burden for users, and can lead to
poor security practices.
To address the problems described above, logon authentication
schemes have been developed that only require users to
authenticate once during a session. These approaches are commonly
referred to as unitary logon or single sign-on. Unitary logon is
generally a two-step process, in which the user first
authenticates to a principal. The principal may be the user's
workstation, a physical authentication token, or some other
device. Then, as the user requests access to various services,
the principal is responsible for authenticating the user to each
service. Conceptually, the principal acts as a proxy for the user
in conveying the original authentication event and automates
subsequent authentications with little or no intervention from
the user. These subsequent authentications are usually based on
strong cryptographic protocols which are secure across
communications networks. It should be noted that each service
accessed by a user must understand the protocol for interacting
with the principal responsible for authenticating the user. Also,
the principal must be responsible for determining the point at
which a given user's current authentication terminates. This
termination point is often tied to the end of a user's login
session.
3. PASSWORD BASED AUTHENTICATION
3.1 Overview
The traditional method for authenticating users has been to
provide them with a secret password, which they must submit when
requesting access to a particular system. The majority of
computer systems in use today rely on passwords for
authentication. The primary advantage of password-only
authentication is that it can be implemented entirely in
software, thus avoiding the cost of special purpose
authentication hardware. However, password systems have a number
of disadvantages in practice which restrict their use to
applications with minimal security requirements, or situations
where password management can be strictly controlled. Password
based authentication is most effective when combined with other
authentication techniques.
3.2 Factors Affecting Password Security
Passwords may be chosen as the sole means of authentication, or
may be combined with other authentication methods for improved
security. A number of factors affect the security of a system
which relies on passwords for authentication. These factors
include the composition, length, lifetime, source, ownership,
distribution, storage, entry, transmission, and authentication
period of the passwords. Federal Information Processing
Standards Publication 112 [3] describes these factors in detail,
and so they will be discussed only briefly in this document.
3.2.1 Composition
The composition of a password refers to the range of values from
which each character of the password may be chosen. For example,
a particular implementation might allow each character of a
password to be chosen from the set of letters in the alphabet.
This would yield 26 possible values for each character, assuming
case insensitivity. For the purposes of this example, assume
that the host system allocates eight bits, or one byte, of
storage for each character. One byte can represent any of 256
possible values, which is approximately ten times the number of
letters in the alphabet. By restricting the range of possible
values for each character to the 26 letters of the alphabet, the
security of the password system is decreased. Exhaustive attacks
involve the submission of as many different password values as
possible in the hopes of finding one or more which are valid.
The work factor for someone attempting an exhaustive attack is
directly related to the number of possible values which must be
tried for each character of the password. However, it is often
necessary to restrict the range of allowable values for practical
reasons. Many keyboards do not allow the user to enter all
possible values for a character. Numeric keypads are often used
for the entry of Personal Identification Numbers (PINs), which
are passwords composed only of numeric characters. These keypads
are typically found in automated teller machines used by the
banking industry, but are also used in a variety of other access
control applications. A numeric keypad usually allows for the
entry of decimal digits 0 through 9, thus restricting the range
of each character of a PIN to ten possibilities.
It may also be necessary to restrict the range of allowable
password characters for mnemonic reasons. If password characters
are chosen at random from the full range of possible values,
users will find it difficult to remember these passwords.
Random combinations of characters are difficult to
remember since human users will interpret many of them as
nonsense. In such cases, users are much more likely to write
passwords down because they cannot be memorized easily.
Automated systems may use a password generator which produces
pronounceable non-word combinations of characters. For example,
passwords produced by this type of system might be of the form
consonant-vowel-consonant-consonant-vowel-consonant,
excluding words which appear in a dictionary. This approach
eliminates the threat of dictionary attacks, where words are
chosen in sequence from a dictionary for submission as passwords.
Users should be able to remember pronounceable non-words more
easily than totally random combinations of characters, reducing
the likelihood that passwords will be written down. Password
generation schemes are often a compromise between the security of
random password generation and the need to produce passwords
which users can remember.
3.2.2 Length
The length of a password refers to the total number of characters
which make up the password. In combination with the range of
values allowed for each character, the length determines the
total number of possible password values. A password system
which uses the decimal digits zero through nine with a length of
four would have a range of ten to the fourth power, or ten
thousand possible password values. As the length and/or
composition parameters are increased, the number of possible
password values increases proportionally. Increasing these
parameters should have a positive effect on the overall security
of the system, since exhaustive attacks become more difficult.
However, system users will have more trouble remembering their
passwords as the length and composition are increased.
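The arithmetic of Sections 3.2.1 and 3.2.2, together with the pronounceable non-word generator of Section 3.2.1, worked through as an added example that is not part of FIPS 190. The character sets, the twelve-word stand-in dictionary and the use of `secrets` as the random source are assumptions of this example; the exclusion of dictionary words and the size comparison against the unrestricted letter space are what the text describes.

```python
"""
Added example (not from FIPS 190): password space and exhaustive-attack work
factor as a function of composition and length, plus a generator for
consonant-vowel-consonant-consonant-vowel-consonant non-words that rejects
dictionary words.  SAMPLE_DICTIONARY is a constructed stand-in for a real
English word list.
"""
import math
import secrets
import string

# Character sets (composition) discussed in Section 3.2.1.
COMPOSITIONS = {
    "decimal digits (PIN keypad)": string.digits,                # 10 values
    "lowercase letters": string.ascii_lowercase,                 # 26 values
    "letters and digits": string.ascii_letters + string.digits,  # 62 values
    "full byte": "".join(chr(i) for i in range(256)),            # 256 values
}


def password_space(alphabet_size: int, length: int) -> int:
    """Distinct passwords: (values per character) ** length.
    The text's example: ten digits, length four -> 10**4 = 10,000."""
    return alphabet_size ** length


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Exhaustive-attack work factor: expected submissions before a uniformly
    random password is hit, i.e. half the space."""
    return password_space(alphabet_size, length) / 2


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in bits, convenient for comparing schemes."""
    return length * math.log2(alphabet_size)


# Pronounceable generator.  Pattern letters: C = consonant, V = vowel.
VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)  # 21
PATTERN = "CVCCVC"

# Constructed sample dictionary; eleven of these twelve fit the CVCCVC pattern.
SAMPLE_DICTIONARY = {"banner", "basket", "bottle", "carpet", "doctor", "garden",
                     "market", "pencil", "rocket", "silver", "summer", "winter"}


def matches_pattern(word: str, pattern: str = PATTERN) -> bool:
    """True if each position of `word` is of the class the pattern requires."""
    if len(word) != len(pattern):
        return False
    return all((ch in VOWELS) == (p == "V") for ch, p in zip(word, pattern))


def generate_pronounceable(dictionary=SAMPLE_DICTIONARY, pattern: str = PATTERN,
                           rng=secrets) -> str:
    """Draw a CVCCVC string and reject it if it is a dictionary word, so a
    dictionary attack learns nothing from the generator's output."""
    while True:
        candidate = "".join(rng.choice(VOWELS if p == "V" else CONSONANTS) for p in pattern)
        if candidate not in dictionary:
            return candidate


def pronounceable_space(pattern: str = PATTERN, dictionary=SAMPLE_DICTIONARY) -> int:
    """Size of the CVCCVC space minus excluded dictionary words: the price of
    memorability, since 21**4 * 5**2 is far smaller than 26**6."""
    raw = 1
    for p in pattern:
        raw *= len(VOWELS) if p == "V" else len(CONSONANTS)
    excluded = sum(1 for w in dictionary if matches_pattern(w, pattern))
    return raw - excluded


if __name__ == "__main__":
    for name, alphabet in COMPOSITIONS.items():
        for length in (4, 6, 8):
            print(f"{name:28s} length {length}: "
                  f"{password_space(len(alphabet), length):>26,d} values, "
                  f"{entropy_bits(len(alphabet), length):5.1f} bits")
    print("unrestricted six-letter passwords:", password_space(26, 6))
    print("CVCCVC non-words available:       ", pronounceable_space())
    print("sample generated password:        ", generate_pronounceable())
```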
3.2.3 Lifetime
If user passwords are not changed at reasonable intervals, it
becomes more likely that passwords could be compromised by
exhaustive search techniques. The lifetime of a password
determines the amount of time which an attacker can use to
attempt to compromise the password through exhaustive search or
other techniques. If an attacker manages to guess a password
which has been replaced with a new password, the attacker has
gained nothing.
This scenario assumes that the new password value bears no
relationship to the old password, as would be the case if new
passwords were generated randomly. In cases where users are
allowed to choose their own passwords, however, they frequently
choose values which are a variation on old password values. For
example, a user may choose the password "bbcdef" if the user's
previous password was "abcdef". The new password is easier to
remember, since it only differs from the old password by one
letter. This situation increases the risk that an attacker could
guess the new password value, since knowing the old password
would provide some information about the possible values of the
new password.
The password lifetime chosen for an application should balance
the apparent security of a short lifetime against the burden
placed on users when passwords are changed too often. Users may
become frustrated when required to constantly change and memorize
new passwords, making it more likely that trivial passwords will
be chosen.
3.2.4 Source
The source which generates new passwords in a system has a major
impact on the security of that system. If passwords are
generated by an automated system, that system component will be
responsible for ensuring the security of password values.
Automated password generators will, by definition, know the value
of each new password in the system. Care must be taken in the
design and operation of password generators to ensure that they
can be trusted, since an access control system would be rendered
useless if the password generation process were not secure. NIST
has developed a standard for automated password generation [4].
Users may be allowed to choose their own passwords, rather than
having them chosen by an automated system. In these situations,
the passwords chosen by users should be checked by automated
means to ensure that weak passwords are rejected. For example,
the security policy of a system might set the following
requirements: user-chosen passwords must be at least six
characters in length, they must not appear in a dictionary of
English words, and they must differ from the user's previous
password by at least two characters. Any user-chosen passwords
not meeting these requirements would be rejected and the user
would be asked to choose another password.
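As an added example (not part of FIPS 190), the following Python code applies the three checks of the example policy above to a candidate password and reports every rule it fails, rather than stopping at the first. The word list is a small constructed stand-in for a dictionary of English words; the function names, and the extra comparison with case folded and trailing digits removed, are this example's own additions and go slightly beyond the literal rule so that trivial variants of dictionary words are also caught.

```python
"""Added example, not FIPS 190 text: automated checks on a user-chosen
password implementing the three example rules of Section 3.2.4 (at least
six characters, not in a dictionary of English words, at least two
characters different from the previous password). DICTIONARY is a
constructed stand-in; the names and the variant check are assumptions."""

import re

# Constructed stand-in for a dictionary of English words.
DICTIONARY = {"abcdef", "secret", "letmein", "password", "welcome"}

MIN_LENGTH = 6      # rule 1 of the example policy
MIN_DISTANCE = 2    # rule 3: positions that must differ from the old password


def char_distance(old, new):
    """Number of character positions in which two passwords differ.

    Positions beyond the shorter string count as differences, so merely
    appending or deleting a character is measured as a small change too.
    """
    common = min(len(old), len(new))
    diffs = sum(1 for i in range(common) if old[i] != new[i])
    return diffs + abs(len(old) - len(new))


def check_password(new, previous=None, dictionary=DICTIONARY):
    """Return the list of reasons for rejecting `new`; an empty list means
    the password is accepted. `previous` is the user's current password,
    if any, so that rule 3 can be applied."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Compare case-insensitively and also with trailing digits removed, so
    # that a variant such as "Secret1" is still caught by the dictionary rule.
    lowered = new.lower()
    stem = re.sub(r"\d+$", "", lowered)
    if lowered in dictionary or stem in dictionary:
        reasons.append("appears in the dictionary")
    if previous is not None and char_distance(previous, new) < MIN_DISTANCE:
        reasons.append(
            f"differs from the previous password by fewer than {MIN_DISTANCE} characters"
        )
    return reasons
```

Returning the full list of failed rules, rather than a bare accept/reject, lets the system tell the user exactly why the candidate was rejected when it asks for another password, which the text notes is the required follow-up.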
3.2.5 Distribution
Passwords which are generated automatically must be distributed
to system users. The communications lines which carry new
passwords from the host system to users should be protected from
attempts to intercept passwords. This can be difficult when
passwords must travel through networks which span organizational
and geographic boundaries. Encryption can be used to scramble
passwords which must travel through unprotected networks, so that
they become unintelligible to an attacker. In the case where
users choose their own passwords, the passwords must be sent to
the host system after they have been selected by the users.
Whether passwords are distributed in hardcopy form,
electronically, or through other means, the distribution process
should provide protection against disclosure. Sealed envelopes
with tamper-evident features are often used for distribution of
hardcopy passwords. If an unauthorized party intercepts a
tamper-evident envelope and opens it to read the password, the
envelope cannot be resealed and sent to the intended recipient
without evidence of tampering. This approach relies on the system
users to recognize and report suspected disclosure of hardcopy
passwords. If a password is compromised in this fashion, there
may be a short period of time before the legitimate user detects
and reports the compromise. An attacker may be able to use the
password to gain access to the system during this time, because
the password is considered valid until the user reports that it
has been compromised.
3.2.6 Storage
In addition to the generation and distribution of passwords, a
system must store passwords for use in the authentication
process. When a user attempts to login to the system, the user
will submit a password which must be compared to the stored
password, or some one-way mapping thereof, which the system knows
to be valid for that user. Protection can be provided for
passwords by storing them in a physically separate area which can
only be accessed by authorized system components. Stored
passwords may also be protected by encryption or through the
application of a one-way mapping function before storage. Data
encryption is described in Section 7.1.
3.2.7 Entry and Transmission
Users must submit passwords to the host system during a login,
and possibly at other times during a normal session. A user's
password may be subject to disclosure while the user is entering
the password. The terminal should not display the password as
the user enters it, so that others cannot read the password from
the user's display. Users should be allowed more than one
attempt to enter a password during a login, since the user may
accidentally mistype the password. However, there should be a
limit to the number of incorrect password entry attempts to
protect against exhaustive search attacks, as described in
Section 3.2.1. Many systems allow three password entry attempts
before locking a user out. The user is then required to notify a
system administrator or security officer in order to obtain a new
password.
After the password has been entered, the user's terminal
transmits it to the host system unless the user is accessing the
host via a main system console. As the password travels from the
user's terminal to the host, it is subject to disclosure if the
line between the terminal and the host is not secure. The risk
of exposure during transmission of the password from the user's
terminal increases as a function of the complexity of the network
which connects the terminal to the host. Networks vary in
complexity depending on the number of access points, the number
of sessions which can be carried simultaneously, the degree of
physical protection provided for data on the network, and a
variety of other factors. Encryption of passwords prior to
transmission or the use of a cryptographic authentication
protocol which does not rely on transmission of plaintext
passwords can reduce or eliminate this risk. However, encryption
alone does not protect against replay because an attacker may be
able to record the encrypted password and play it back in
encrypted form to gain access. Inclusion of a time variant
parameter in the encrypted password message can protect against
replay attacks.
3.3 Problems with Password-Only Authentication
Policies and procedures have been developed for the management of
password-only authentication techniques. However, these
techniques are sometimes difficult to implement effectively in
real-world situations. Some of the factors which influence the
security of a password system may be beyond the control of those
responsible for managing the system. During the development of a
computer system, it is common practice for the system developers
to use master passwords which provide total control over the
system for debugging purposes. These passwords are sometimes left
in the product, either inadvertently or intentionally, when the
system goes into production. When this is done intentionally, it
provides the developer with a convenient "back door" entry into
the customer's system which facilitates product support and
maintenance. However, this is a dangerous practice because an
intruder may be able to gain complete control over the system by
learning the developer's password. In addition, the customer may
not wish to trust the manufacturer with this level of control
over a system after it is installed at the customer's site.
Customers should verify that passwords used by the manufacturer
during system development and installation have been removed
before the system is used.
The password problem is multiplied when users access remote
computing resources through a network. Because it is difficult
to control physical access to remote terminals, it is possible
for an attacker to make repeated attempts to guess passwords on
host computers connected to the network. In addition, passwords
are often transmitted to a remote computer to authenticate the
user. Transmitting static passwords over a network in plaintext
form can drastically increase the opportunities for an attacker
to capture them directly from the communications line, or from a
computer which is acting as an intermediate node in the
transmission process. There have been numerous well-publicized
cases of intruders breaking into computer systems by guessing or
stealing passwords.
Authentication which relies solely on passwords has often failed
to provide adequate protection for computer systems for a number
of reasons. If users are allowed to make up their own passwords,
they tend to choose ones which are easy to remember, and
therefore easy to guess. If passwords are generated from a
random combination of characters, users often write them down
because they are difficult to remember. Systems which use only
passwords for authentication should provide strong mechanisms for
controlling the generation, distribution, and use of system
passwords. Password systems can be effective if managed
properly, but this is seldom the case. Advances in security
technology provide a number of alternative authentication methods
which can be used alone or in combination with passwords to
improve the security of an access control system.
3.4 Example
A hypothetical system will be used to illustrate the application
of good password management techniques in an access control
system. This system consists of a number of host computers, or
servers, interconnected by a local area network. Users access
the services provided by the host computers through intelligent
workstations which may in some cases also serve as hosts for
other users. Only unclassified information is stored on and
processed by the system. A security officer is assigned for each
host, and in most cases also plays the role of system
administrator for that machine. Host systems rely entirely on
passwords to verify the identity of users requesting services.
This scenario is typical of many networked computer systems.
The security policy for all host computers in this hypothetical
network dictates certain rules for the generation, distribution,
and management of user passwords. Some of the processes required
by the security policy involve cryptographic techniques which are
described more fully in Section 7. The requirement for
cryptographic protection of passwords as they pass through the
network increases overall security. However, the use of
cryptography also complicates the authentication architecture. In
particular, protocols for the generation, distribution, and
management of cryptographic keys must be included. Certain
aspects of the security policy are enforced by the operating
system or special applications programs executing on the host
systems. For example, password length and composition are checked
automatically each time a user's password is changed. This check
is performed by the same software which is responsible for
managing changes to the password database. A simple set of rules
for password management in this system follows:
1. Passwords are composed of the characters available on
a standard computer keyboard, i.e., letters of the
alphabet, numeric digits, and punctuation. When passwords
are created, the system performs a series of checks to
make sure that the passwords chosen are not weak.
2. Passwords are at least six characters in length.
3. Passwords must be changed every four months. Users
are notified by the system when individual passwords
have reached the four month expiration date. The system
prompts individual users for new passwords, and does not allow
further access until a user's password has been properly
updated.
4. Passwords are distributed to users through personal
interaction with security officers, or through
delivery by a trusted courier in a sealed tamper-
evident envelope. Passwords are never distributed
through routine interoffice mail services.
5. Passwords are stored on host systems for comparison
purposes. Before storage, passwords are scrambled
using a one-way mapping algorithm to provide
protection for the stored values. The original
password values cannot be recovered from the
scrambled values, so when a user submits a password
for authentication purposes the system must one-way
map the password and compare the result to the scrambled
value originally stored for that user. Even if the
stored value is compromised, the plaintext password
must still be derived by exhaustive search.
6. When a user wishes to access services on a host
system, the user must submit a password. The
password is entered at the user's workstation, and
must often be transmitted to the host system via the
local area network. While the user is typing the
password, the workstation does not echo it to the
display. The workstation then encrypts the password
and a time-variant parameter, and transmits the result
to the host system. The host system decrypts the
message, recovering the password entered by the user and
the time-variant parameter, and checks that the parameter
is current so that a recorded message cannot be replayed
(see Section 3.2.7). The one-way mapping algorithm is
then applied to the recovered password, and the result is
compared to the one-way mapped value stored in the
password database for this user.
Encryption provides protection for the password as it
is transmitted through the network from the user's
workstation to the host system.
7. Users are not allowed to write down passwords, or to
share them with other users. Users are made aware of
this requirement before they are given access to the
system, and are also made aware of any corrective
actions which will be taken if this rule is
violated.
The requirement for encryption in item 6 contributes to the
security of the system, because passwords are not exposed in
plaintext form during transmission. The system design must
include workstations which have cryptographic capability, and a
protocol for managing the cryptographic keys which must be shared
between workstations and host computers. In addition, the
generation and verification of time-variant parameters requires
time synchronization between appropriate system components. These
requirements complicate the system design to a certain extent,
but the corresponding increase in security often justifies the
additional complexity in design.
An alternative approach would be to one-way map the password and
time-variant parameter before transmission over the network. The
host system one-way maps the plaintext password held in secure
memory together with the same time-variant parameter, verifies
that the parameter is current, and compares the result to the
received value. If the two values are equal the user is
authenticated, otherwise the authentication attempt fails. This
alternative does not require the distribution of cryptographic
keys; however, it does require secure storage of plaintext
passwords at host computers. Plaintext passwords could be
encrypted under a secret storage key for additional protection.
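The following added example (Python, not part of FIPS 190) implements the two designs just described: the one-way mapped storage with comparison at login of rule 5 and Section 3.2.6, and the keyless alternative in which the workstation transmits a one-way mapping of the password and a time-variant parameter, with the host rejecting stale and replayed values as Section 3.2.7 requires and locking the account after the three incorrect entries that section cites as common. SHA-256 stands in for the unspecified one-way mapping; the per-user salt in the stored form, the 60 second acceptance window, the injected clock and all names are assumptions of the example, not of the guideline.

```python
"""Added example, not FIPS 190 text. HashedStoreHost: rule 5 of Section 3.4
(only a one-way mapped value is stored). TimeVariantHost: the keyless
alternative after rule 7 (workstation sends a one-way mapping of password and
time-variant parameter; the host recomputes it from the plaintext password).
SHA-256, the salt, the window, the try limit and all names are assumptions."""

import hashlib
import hmac
import os

ATTEMPT_LIMIT = 3      # incorrect entries before lockout (the text cites three)
WINDOW_SECONDS = 60    # clock skew tolerated between workstation and host (assumed)


def one_way_map(*parts):
    """SHA-256 over length-prefixed parts, so the concatenation is unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big"))
        h.update(part)
    return h.digest()


class HashedStoreHost:
    """Rule 5: the password database holds only one-way mapped values."""

    def __init__(self):
        self.db = {}    # user -> (salt, one-way mapped value)

    def enroll(self, user, password):
        # Per-user random salt (not in the text) so equal passwords store differently.
        salt = os.urandom(16)
        self.db[user] = (salt, one_way_map(salt, password.encode()))

    def verify(self, user, password):
        entry = self.db.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, one_way_map(salt, password.encode()))


def workstation_response(password, t):
    """Transmitted value in the keyless alternative: one-way mapping of the typed
    password and the time-variant parameter t (a clock reading sent alongside)."""
    return one_way_map(password.encode(), str(t).encode())


class TimeVariantHost:
    """Keyless alternative: holds plaintext passwords (secure memory, per the
    text) and recomputes the workstation's value; rejects stale and replayed ones."""

    def __init__(self, now):
        self.now = now          # clock function, injected so the demo is deterministic
        self.passwords = {}
        self.failures = {}
        self.seen = set()       # (user, t) pairs already accepted

    def enroll(self, user, password):
        self.passwords[user] = password
        self.failures[user] = 0

    def authenticate(self, user, t, response):
        """Return 'ok', 'bad', 'stale', 'replay' or 'locked'."""
        # Accepted parameters that left the window can be forgotten: replaying
        # them is rejected as stale below.
        self.seen = {k for k in self.seen if k[1] >= self.now() - WINDOW_SECONDS}
        password = self.passwords.get(user)
        if password is None or self.failures[user] >= ATTEMPT_LIMIT:
            return "locked"     # unknown users get the same answer as locked ones
        if abs(self.now() - t) > WINDOW_SECONDS:
            return "stale"
        if (user, t) in self.seen:
            return "replay"     # a recorded message played back within the window
        if not hmac.compare_digest(workstation_response(password, t), response):
            self.failures[user] += 1
            return "bad"
        self.seen.add((user, t))
        self.failures[user] = 0
        return "ok"


def demo():
    """Genuine login, replay of the recorded message, the same message after the
    window, then lockout after three wrong guesses. Returns the host's answers."""
    clock = [1_000_000]
    host = TimeVariantHost(now=lambda: clock[0])
    host.enroll("alice", "r7$Kq!v2")
    t, msg = clock[0], workstation_response("r7$Kq!v2", clock[0])
    answers = [host.authenticate("alice", t, msg), host.authenticate("alice", t, msg)]
    clock[0] += 2 * WINDOW_SECONDS
    answers.append(host.authenticate("alice", t, msg))
    for _ in range(ATTEMPT_LIMIT):
        host.authenticate("alice", clock[0], workstation_response("guess", clock[0]))
    answers.append(host.authenticate("alice", clock[0], workstation_response("r7$Kq!v2", clock[0])))
    return answers
```

The code makes one trade-off of the keyless alternative visible: an attacker who records a single (t, response) pair from the network can test password guesses offline, as fast as the one-way mapping can be computed, so the exhaustive-search remark under rule 5 applies to the transmitted value as well and the quality checks of Section 3.2.4 remain essential. The host forgets accepted parameters once they leave the window because any replay of them is rejected as stale regardless.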
4. TOKEN BASED AUTHENTICATION
4.1 Overview
The identity of a human user can be proven by requiring the user
to demonstrate possession of a physical object which is unique to
that user, or to a group of users. Objects used for this purpose
are known as authentication tokens. For example, a driver's
license would be considered an authentication token because it
can be used to prove the identity of its owner. Tokens designed
for use with automated authentication systems are encoded with
information which is used in performing the authentication
protocol required by the host system in order to verify the
identity of the token's owner [5]. Since the uniqueness of the
information stored on an authentication token is responsible for
proving the identity of its bearer to the host system, the
information must be protected against duplication or theft.
Advanced tokens usually contain a microprocessor and
semiconductor memory, and support sophisticated authentication
protocols which provide a high level of security.
4.2 Form Factor
Authentication tokens are currently available in a variety of
physical forms. The size, shape, and physical materials from
which a token is manufactured are referred to collectively as the
token's form factor. These parameters affect the durability,
portability, security, and convenience for a given type of token.
For example, some tokens have electrical contacts mounted on the
outer surface of the token's casing. The electrical contacts are
connected to an integrated circuit embedded in the token. When
an electrostatic discharge of sufficient potential is applied to
the contacts, the integrated circuit may be damaged. Care must
be taken in the design of tokens with electrical contacts to
minimize the risk of damage from static discharges, since the
human body can accumulate a significant static charge in dry
weather. To compensate for this, some types of tokens have
contacts which are recessed in a conductive plastic casing [6].
This type of token is less susceptible to damage from stray
static discharges, because the casing of the token absorbs the
charge before it reaches the contacts. Other varieties of tokens
have no electrical contacts, further reducing the risk of static
damage. Each form factor involves trade-offs which must be
evaluated for a specific application. Tokens with recessed
contacts usually require a thicker casing than those with
surface-mounted contacts, which can make the token more difficult
to carry in a pocket. Customers can sometimes select from a
number of different form factors with the same functionality,
making it possible to choose the form factor which is best suited
to a particular application.
4.3 Workstation Interface
Most authentication tokens require an electronic interface in
order to communicate with the workstation during the
authentication process. This interface is commonly known as a
reader/writer, because it reads data from and writes data to the
token. Reader/writers may be built directly into terminals or
workstations, or they may be separate devices which are connected
to a standard communications port or special purpose interface on
the workstation [7,8]. Reader/writers which are built into
workstations can provide a higher level of physical protection
for the communications path between the workstation and the
token, because there is no external cable which could be
monitored by an attacker. However, this type of reader/writer is
designed to work with the hardware of a specific host system and
may not be compatible with other types of computers. If it is
necessary to move reader/writers from one computer to another
frequently, an external reader/writer which connects to a
standard communications port will be more convenient.
Reader/writers vary in complexity and cost. Tokens which do not
have a microprocessor are essentially data storage devices which
contain the information required by a host system to verify the
identity of the token's owner. Reader/writers designed for use
with this type of token are usually microprocessor based, because
the reader/writer must be able to perform a fairly complicated
series of operations. In a typical implementation, the
reader/writer reads authentication data from the token, and then
uses this data to perform the authentication protocol required by
the host system. Since these intelligent reader/writers have
significant processing capabilities, they tend to be more
expensive. However, the additional capabilities of intelligent
reader/writers can be used to offload some of the processing
burden from the host system. Some types of intelligent
reader/writers can be programmed to work with a variety of host
communications protocols, or to work with several different
tokens.
Tokens which contain a microprocessor are often referred to as
intelligent or smart tokens. Most smart tokens can perform
communications functions such as data formatting, flow control,
and error detection and recovery. Smart token reader/writers can
be very simple, because the token typically requires only
hardware-level support from the reader/writer in order to
communicate with the host system. Since these reader/writers
require fewer components than an intelligent reader/writer, they
are often less expensive. Smart tokens can also work with
microprocessor based reader/writers, in applications where the
additional capabilities of an intelligent reader/writer are
required. The use of intelligent reader/writers usually adds to
the cost of the system, but this may be acceptable if the
additional functionality provided by the reader/writer is needed.
For a specific application, the expected ratio of tokens to
reader/writers is a major factor in determining the most
effective overall cost distribution for equipment.
In a situation where many low cost tokens will be used with a
relatively small number of reader/writers, the higher cost of
intelligent reader/writers is usually offset by the lower cost of
the tokens.
Some tokens do not need a reader/writer, because the user acts as
the communications link between the token and the host system.
This type of token usually has an integral keypad and display for
communications with the user. The user is required to manually
transfer authentication data between the token and the user's
terminal. Since these tokens operate without a physical
connection to the terminal or workstation, they can be used in a
variety of environments regardless of the type of terminal
available. However, the user may have to repeat the manual
authentication process each time the user logs on to a different
host on the network, since host computers cannot communicate
directly with the tokens. Tokens which use a reader/writer
interface can automate the authentication process so that the
user only needs to be involved in the initial authentication at
the beginning of a session. Subsequent authentications can be
performed automatically by the token as the user accesses
different host machines.
4.3.1 Contact Interfaces
The types of interfaces between tokens and computers can be
broadly classified as either contact or non-contact. The
majority of tokens need to make actual physical contact with the
reader/writer to perform data transfer. For example, magnetic
stripe tokens (the kind used in automated teller machines) are
inserted into a reader/writer so that the magnetic stripe makes
contact with an electromagnetic sensing device. Most integrated
circuit tokens require an interface in which electrical contacts
located on the token physically touch matching contacts on the
reader/writer in order to supply such functions as power, ground,
and data signals. The physical arrangement and functional
definition of these contacts has an impact on the
interoperability of tokens and reader/writers, since these
devices cannot communicate unless the contacts are defined in the
same way.
No significant standards addressing the contact arrangement of
authentication tokens existed until 1990. Token manufacturers
relied on de facto standards, or developed their own proprietary
specifications. This made it difficult in many cases to use
tokens made by one vendor with reader/writers manufactured by
another vendor. In 1990, the International Organization for
Standardization (ISO) developed a standard for the dimensions and
location of contacts on integrated circuit cards, known as ISO
7816-2 [9]. Integrated circuit cards are commonly known as
smartcards. The ISO standard does not address contact
specifications for other types of tokens. The majority of
commercially available smartcards follow this standard, allowing
for some degree of interoperability between the products of
different manufacturers.
ISO 7816-2 specifies eight electrical contacts arranged in
two parallel rows of four contacts each. The contacts are
labelled C1 through C8, with the following assignments:
C1 - Supply voltage C5 - Ground
C2 - Reset C6 - Programming voltage
C3 - Clock C7 - Data input/output
C4 - Reserved C8 - Reserved