<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecurityNowBlog&#187; SecurityNowBlog-Network Security</title>
	<atom:link href="http://www.blueridgenetworks.com/securitynowblog/category/authentication/feed" rel="self" type="application/rss+xml" />
	<link>http://www.blueridgenetworks.com/securitynowblog</link>
	<description>Secure Communications</description>
	<lastBuildDate>Wed, 28 Sep 2011 18:27:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>The Ease of Cracking Passwords Affects Everything You Do</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/cracking-passwords-easy-security-products-pki-management</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/cracking-passwords-easy-security-products-pki-management#comments</comments>
		<pubDate>Tue, 17 Aug 2010 15:35:47 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Authentication]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=330</guid>
		<description><![CDATA[Ordinary video cards and botnets make cracking passwords trivial, affecting all that you do and see. As a &#8216;high assurance&#8217; security vendor, as opposed to one that just plays one on &#8216;marketing content&#8217;, nearly all uses of authentication in our products are PKI-based.
Ultimately, the success of any security service hinges on authentication (see this classic [...]]]></description>
			<content:encoded><![CDATA[<p>Ordinary video cards and botnets make cracking passwords trivial, affecting all that you do and see. As a &#8216;high assurance&#8217; security vendor, as opposed to one that just plays one on &#8216;marketing content&#8217;, nearly all uses of authentication in our products are PKI-based.<span id="more-330"></span></p>
<p>Ultimately, the success of any security service hinges on authentication (see this <a title="Everything Depends on Authentication" href="http://www.blueridgenetworks.com/securitynowblog/all-security-depends-on-authentication" target="_self">classic post on authentication</a>).</p>
<p>If everything that you depend upon uses some form of authentication to control who may use it, what they may do, where they may do so, etc., then the trivial level of effort needed to crack passwords affects everything from your email to online banking to any service that you use. All of these undoubtedly have usage controls, and those controls may rely on nothing more than passwords. As you walk around looking at what others are doing, at the services you rely on, at the tools/software that you use, consider how passwords may be at work in them. Imagine what harm could be done if a criminal controlled these things around you, that serve you, that may even have some control over you. You&#8217;d see why there are so many cyber criminals: because there are so many easy ways to get ahead.</p>
<p>When passwords are required, everyone ought to be using passPHRASES instead, sprinkled with a few odd characters and/or numbers. Government Computer News (GCN) recently published an article on how ordinary video cards are empowering hackers. Combine the article with the notion of a botnet (thousands) of these computers and you thus see the state of the art.</p>
<p>As a &#8216;high assurance&#8217; security vendor, as opposed to one that just plays one on &#8216;marketing content&#8217;, nearly all uses of authentication in our products are PKI-based. Those of you concerned with HSPD-12 must know PKI: public key infrastructure. It is the strongest form of authentication commercially available. And when employed in a mandatory, mutual manner, it is essentially uncrackable. Contrast this with one-time pass code authentication (e.g., a keyfob that displays six characters), which is only one-way (i.e., it authenticates the client to the server but does not authenticate the server to the client) and is subject to man-in-the-middle attacks. Arguably, these things do more harm than good with their false sense of security.</p>
<p>At Blue Ridge, we practice what we preach. The management plane of all our products is secured by PKI. Our remote access VPN and our new <a title="Pixie Creates a Virtual Endpoint for Malware-Free Online Activities, Telework, and More" href="http://www.blueridgenetworks.com/products/edgeguard/overview.php" target="_self">EdgeGuard</a> product line are PKI based. The key exchange process for our VPN technology is enveloped within PKI. Even our enterprise software, designed to stop the zero-day malware attacks that your antivirus cannot, uses PKI to secure policy updates and event logs. Everything we develop is PKI based.</p>
<p>The real value in designing PKI based authentication into tools and workflow processes from the very beginning is how little end-users actually have to see anything PKI. The best security remains convenient and easily understood despite being highly effective. And when customers that have used our products say they didn&#8217;t realize our products used PKI, we&#8217;re deeply gratified.</p>
<p>Walk away point: look for PKI in all you need. Anything worth stealing that relies solely on passwords is probably cracked already.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/cracking-passwords-easy-security-products-pki-management/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>All Security Depends on Authentication</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/all-security-depends-on-authentication</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/all-security-depends-on-authentication#comments</comments>
		<pubDate>Tue, 22 Jul 2008 16:42:54 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[2-factor]]></category>
		<category><![CDATA[Accounting]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[Authorization]]></category>
		<category><![CDATA[Confidentiality]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[One-time pass code]]></category>
		<category><![CDATA[PKI]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.securitynowblog.com/?p=8</guid>
		<description><![CDATA[Authorization, privacy, integrity, and audit are very important security services to any organization. Their efficacy is limited by the level of assurance provided by the authentication that supports them. When authentication is unreliable, then so too are authorization, privacy, integrity, and audit.

Authentication &#8211; WHO’s who?
With flawed authentication:
• Authorization systems effectively become indiscriminate,
• Privacy services are [...]]]></description>
			<content:encoded><![CDATA[<p>Authorization, privacy, integrity, and audit are very important security services to any organization. Their efficacy is limited by the level of assurance provided by the authentication that supports them. When authentication is unreliable, then so too are authorization, privacy, integrity, and audit.</p>
<p><span id="more-8"></span></p>
<p><strong>Authentication &#8211; WHO’s who?</strong></p>
<p>With flawed authentication:<br />
• Authorization systems effectively become indiscriminate,<br />
• Privacy services are pointless when the encryption key is available to anyone,<br />
• Integrity services (i.e., has ‘this’ been altered?) can be subverted,<br />
• Audit services capture events attributed to no one in particular and for events that may not have actually occurred.</p>
<p>BEST PRACTICE: Employ two-factor, mandatory, mutual PKI authentication whenever practical.</p>
<p><strong>Authorization &#8211; WHO can access it?</strong></p>
<p>A flawed authorization system can allow Bob to access and modify resources that only Alice may, also violating privacy and integrity. If your Active Directory, other LDAP, or some standalone server application cannot effectively distinguish between one user and another, then its ability to regulate who may access what is undermined.</p>
<p>BEST PRACTICE: Employ two-factor, mandatory, mutual PKI authentication whenever practical.</p>
<p><strong>Privacy &#8211; WHO can see it?</strong></p>
<p>Privacy, though a more general term, is frequently equated with encryption. Encryption is a commodity, generally. Any vendor’s implementation is usually as good as another’s. Administrators should always select an AES setting. In many circumstances, AES 256 adds little to no additional overhead as compared with AES 128 or AES 192. Nonetheless, weak authentication devalues strong encryption.</p>
<p>BEST PRACTICE: Employ two-factor, mandatory, mutual PKI authentication whenever practical.</p>
<p><strong>Integrity &#8211; WHO can change it?</strong></p>
<p>Cryptographic mechanisms enable a recipient of delivered electronic data to determine if it has been altered since it left the sender. If the ‘receiver’ does not credibly know that the data came from the ‘sender’, what’s the point of testing for data integrity?</p>
<p>BEST PRACTICE: Employ two-factor, mandatory, mutual PKI authentication whenever practical.</p>
<p><strong>Audit &#8211; WHO did it?</strong></p>
<p>Without assurance that data is unaltered, audit records are useless because the events they capture have no credible association with who did what.<br />
Organizations are driven to meticulously audit activities due to regulatory requirements and security best practices.</p>
<p>BEST PRACTICE: Employ two-factor, mandatory, mutual PKI authentication whenever practical.</p>
<p><strong>Why two-factor?</strong></p>
<p>Endpoints, such as desktops and laptops, can be compromised with malware. Over 20% of malware found on endpoints is designed to steal user name and password credentials. A digital identity that resides within a second, physical device that prevents any copying or spoofing of that data ensures that one can rely on assertions that Alice is indeed Alice.</p>
<p><strong>Why mutual authentication?</strong></p>
<p>Most authentication deployments let the server (i.e., its administrator) authenticate any user that approaches it. But how does the end-user authenticate the server or site? If the server’s identity cannot be trusted, then all other security measures can be compromised. That is why half the email or junk mail any end-user receives points to fake websites.</p>
<p><strong>Why PKI?</strong></p>
<p>One-time pass code authentication schemes are generally one-way, authenticating the end-user only. PKI facilitates mutual authentication. It also provides for non-repudiation and other useful security services.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/all-security-depends-on-authentication/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

