What Is Electronic Authentication - Essay Example

Introduction Authentication has become an integral part of our lives. Our existence in society has become dependent on proving our credentials, our identity and our right of access to a certain set of resources. Whereas, authentication in computer science as Schellekens (2004, pg. 60) defines “the means of gaining confidence that remote people or things are who or what they claim to be” is a simple and practical definition. In all such instances, one is supposed too furnish a requisite identity to the concerned authorities that would establish our eligibility to access that resource. Authentication procedures in the modern day rely extensively on electronic methods. A single sign-on solution allows end-users a secured authentication for access and usage of desktops, enterprise applications, electronic communications, administrative and operational tasks (“SECUDE IT Security,” 2008). Electronic authentication is the receiver of an electronic data message or data transaction that can assess and determine whether to accept or deny the user’s request. Preconfigured systems can force users to verify their authenticity prior to gaining access to the system or providing an electronic data transaction to another system. Electronic authentication assures confidence that user identities are processed safely, securely and reliably for the procedures of electronic communications to information systems (Burr, Dodson & Polk, 2006). What is E-Authentication? Electronic authentication (E-authentication) presents an immense challenge in several scenarios, as the subsequent sections of this research will highlight. The process of electronic authentication is known to require several proof measures depending on the relative assurance of safety of the transaction, the reliability on the technology and the approach used, the legalities associated with the authentication parameters as well as the value of the transaction being made. Burr, Dodson & Polk (2006) best describes electronic authentication, Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over a network, for the purpose of electronic government and commerce. Electronic authentication is still an emerging field that is witnessing the growth of newer and stronger authentication protocols aimed at outwitting the attempts of potential attackers. The increasingly remote use of authentication over a network such as the Internet adds to the magnitude of the risk posed to unauthorized security breaches. As such, with the growth of new techniques to improve authentication, newer challenges arise calling for a need to tackle all such vulnerabilities and implement guidance. What is the process to use E-Authentication? Electronic authentication is used to access resources by entities of varying size, relevance and importance. For the purpose of this paper, the possible entities that will be concentrated upon shall be the individual, academic organization and government. It can be sensed here that the electronic authentication can also assume national importance in the context of a governmental entity. Additionally, issues such as the integrity of the communication and non repudiation also gain extreme significance. It is best confirmed by the description within the National Institute of Standards and Technology (NIST) guidelines that states (2006, pg. 2), While this technical guidance does, in many cases, establish requirements that Federal IT systems and service providers participating in authentication protocols be authenticated to subscribers, it does not specifically address machine-to-machine (such as router-to-router) authentication, nor does this guidance establish specific requirements for issuing authentication credentials and tokens to machines and servers when they are used in e-authentication protocols with people. The current paper is an attempt at outlining several key issues associated with selecting various methods of electronic authentication and the impact on a resource when such a mechanism is compromised. This is believed to provide a firm foundation for the development of better technologies as well as improve upon the existing legalities surrounding such uses. Electronic authentication is used in several domains such as financial, billing, online banking, human resources, email and EDI (Electronic Data Interchange) (APEC, 2002). The question shall be answered by segregating authentication into four basic forms of exchange namely shared secrets, biometrics, asymmetric cryptography and all other forms of authentication that cannot be placed in any of these groups. By segregating the various forms of authentication into these four groups, the issues associated with such federated identity models shall be analyzed in various ways. Public Key Cryptography Public Key Cryptography (PKC) or Asymmetric cryptograph is one of the most extensively used methods of electronic authentication. It is widely used in e-commerce and is achieved though a set of technologies that works in coordination with each other. As the name suggests, PKC works through a public key that are used by digital signatures to provide integrity, non-repudiation and authentication (Anderson, 2001). Public key cryptography is implemented and used through the provision of a public key infrastructure (PKI), which is a framework that supports that process of authentication using the Public Key (PK). What is a Public Key Cryptography? The PKC can be achieved in two ways depending on the requirement. In the first case, digital signatures are used to allow the users to authenticate themselves through the public key token. In the second case, a symmetric key exchange mechanism is brought to use while passing on the public key to the authenticating mechanism in order to secure the data from any eavesdropping. In fact, PKC is the most widely used form of authentication across the internet, which poses a threat for all government and military sites that are accessible through the net. Public key is used in a variety of flavors such that it suits the purpose it is being used for. All of us are aware of the Secure Socket Layer (SSL) that is used to secure the communication between a web server and a client browser against anonymous access. Additional secure MIME or S/MIME is used for preventing unauthorized access to mail traffic and attachments. Employees access corporate networks through VPNs (Virtual Private Networks) through secure socket shells (Raysman, Pisacreta, Adler, & Ostrow, 1999). What is the process to authenticate Public Key Cryptography? The vast range of services and applications that rely on the use of Public key cryptography has raised several questions and exposed numerous vulnerabilities on several fronts that need to be addressed by governments. PKC, in simple words, is the exchange of digitally signed messages. At the national level, the government performs its operations through the collaboration and collective work of several departments and agencies. Given the range of devices and platforms that can be used to send and receive such messages at all such places, interoperability becomes a key issue for governments (Burr, 2006). When digitally signed messages are sent across, the receiver needs to validate the request by using a digital certificate. Validating the authenticity of these certificates is an important task with respect to the associated public key infrastructure. It is also important to ascertain the personnel who are allowed to manage these certificates. In the lack of a proper procedure in such validation, certificates may be compromised by internal entities and may as well be outsmarted by external attack without proper and regular overview. Reasons for using Electronic authentication A weak identity validation usually emanates from the lower levels due to deficiencies at the technological level of the electronic infrastructure. Several agencies within governments have resorted to developing indigenous algorithms for cryptographic and hashing requirements out of lack of satisfaction of trust is existing solutions. However, several such implementations have shown wider inconsistencies when used across numerous devices pointing to issues with interoperability. It is therefore not advised to rely on proprietary protocols as it regularly prevents the proper recognition of digital signatures (Sneddon, 2000). Cryptography Protocols All cryptographic protocols, public key infrastructures and digital signatures are implemented through a set of APIs (Application programming interfaces). These APIs are a set of functional procedures that collectively provide a library of tools that can be used to create any component required for establishing a digital authentication procedure. APIs also provide features to perform the exchange of data as a series of requests and responses. An example of an API used for implementing the RSA encryption algorithm is the Public Key Cryptography Standards (PKCS). A PKI can be developed by embedding the authentication protocol in an electronic chip (hardcoded) or may be provided as a software application (Aalberts & Van der Hof, 2000). In both cases, the logical vulnerabilities in the API and the corresponding deficiencies with the implemented logic (program code) add to the existing deficiencies in electronic authentication. For instance, the technique of stack overflow and buffer overflow is a proven and tested technique aimed at gaining unauthorized entry to a program or for reading inaccessible portions of program memory (Smith, 2001). In both forms, it is possible to obtain sensitive information or render the attacked resource useless. As such, there is an increasing need for organizations involved in developing secure solutions to actively determine the correct choice of API that can be used to provide maximum security. Financial Organizational usage of Electronic authentication Financial systems are increasingly becoming centralized and transactions are usually carried out using a single form of identity. We use credit cards to pay our bills, pay for traveling expenses and buy commodities online. In all such cases, information pertaining to the card holder are retrieved and stored amongst several other transactions in data stores. There are several concerns over these ‘Digital footprints’ that is causing a widespread concern among consumers (Grewlich, 1999). This is because a single card used for a variety of purposes, which is stored in a central data warehouse runs the potential risk of compromise from attacks. Despite such data being secured through several mechanisms that includes electronic authentication to store the transaction data itself, the potential likelihood of impersonation of authentication credentials poses great threat to a large set of transactional records. In such a backdrop, the level concentration of an individual’s details must be scattered across several data stores, each of which is safely secured from the rest, thus helping in minimizing any intrusion. Governmental guidance for Electronic authentication Additionally, there is a wide range of responsibility on the part of the government to ensure the privacy of users through adequate policies. Several problems have been encountered in recent times over a wide range of issues. firstly, in the event of a breach of authentication, the government must have the necessary resources to be able to track down the elements responsible. This calls for the presence of proven track and detect mechanisms within electronic authentication systems. Due to the dynamic nature of the Internet, Electronic systems also find it very difficult to monitor details of incoming messages such as IP addresses in order to determine black lists of potential intruders. Governments must also look into the possibility of smart card companies trying to sell details of card holders to third parties. Such a possibility would put the policy mechanism of the state machinery to test. Existing standards for Smart Cards have been known to be stable only at the mechanical and electrical levels (Shinkōkai & Gijutsubu, 1998). Growing dependency and usage for Electronic Data Communications One of the predominant reasons for the popularity of the World Wide Web has been the possibility to exchanging data in different formats. X.509 is the most widely used standard that allows and authenticates the use of customized extensions. Despite its range, many commercial applications have not been able to implement the standard in totality. In such situations, applications freeze or crash when they have to deal with such data. The challenge before a government depends on the very applications that it uses for performing the authentication. If the proper industry standards are not strictly adhered to, then there exists a potential possibility for causing the authentication modules to crash thereby denying service to other legitimate users. Understanding the importance and purpose for Electronic authentication While there is a good overall understanding over public key cryptography infrastructure, it seems that there is a lack of clear understanding over the intricacies of the details involved in the entire process. Additionally, the focal point of governments has always been to secure assets of national importance resulting in total negligence over the issues of interoperability and communication across an international scale. Even in cases where some initiatives have been taken in this regard, the results are yet to reflect with conformity over domestic systems, which call for the need to act towards unifying and normalizing systems across all levels. Several policy measures have been suggested to bring systems under such control such as the minimal regulation model, mandatory licensing model and the optional root accreditation model. Under the minimal regulation model, the government may decide to leave the entire authentication open by ensuring security only within its agencies and leaving the rest at the disposal of private entities. The optional root accreditation model makes way for the establishment of a central level authority that oversees the authentication and interoperability issues amongst several organizations. The mandatory licensing model makes way for the licensing of such authentication mechanisms to be provided by a centrally appointed authority that would ensure uniformity at all levels within the country. Biometrics Biometrics is a new authentication technology that has grown popular with several governments especially in the developed world. It is the process by which several physiological and behavioral parameters allow the identification of the identity of the person trying to gain access. It is synonymous both within physical and electronic aspects. Biometrics is used through several modes such as fingerprints, the retina of the eye or facial recognition. The science has been in use for over a hundred years and has been used predominantly in high security areas that require physical access. The lower costs involved in implementing biometric authentication has been a popular source of motivation for allowing them to be installed in installations of national importance. While there is a high degree of trust within a biometric system, it is important to understand that the logic behind its working is highly dependent on samples, such as a store of the fingerprints of all authentic individuals who may be given access. Additionally, samples also store data for a fingerprint based on a few authenticators. For example, a fingerprint may be uniquely identified by examining whether it has a ridge at a particular place or if it has a depression at any other particular point. As such, the more the quantity of such samples taken, the lesser is the probability of two persons returning the same match leading to greater security. However, this is an issue of probability and would mean that such logic can be compromised over a period of time by careful examination (Mann, Eckert, & Knight, 2000). There have also been issues over the assurance between the technique used to establish the identity as well as the matching process between the supplied sample and the template against which it is compared. As such, the manner in which the biometric system has been implemented also determines the quality of the system’s integrity and security. One of the most significant threats associated with a biometric system is the issue of false acceptance and false rejection. Such errors are mutually exclusive and the inherent trust level needs to coincide with the risk model and requirements of an organization. In this context, the security of the sample and its transmission to the area of comparison are other major causes for concern. In normal approaches, the entire process is encrypted and the samples are stored in an encrypted format. However, the process of authentication is in itself not authenticated and is therefore a case of hybrid security. Also, one way authentication is used to prevent a template from reconstruction apart from several other approaches that are used to secure biometric samples (Ibrahim, 2000). As can be seen from the previous arguments, the major emphasis is on the security of templates and samples in biometric authentication given the unique nature of the authentication mechanism and the inherent effort required to replace the existing samples with samples and methods of authentication. If a sample is captured in such a way that reproducing it is possible owing to an inefficient storage approach, the such an method can be reproduced easily and used to compromise the system. However, one of the most long standing issues with biometric methods is the higher cost involved in using alternative approach to authentication and the re-fabrication of encryption keys and passwords (OECD, 2003). As biometric authentication is predominantly a physical process, there is a potential liability over issues arising from the vulnerability in protecting a secret component of the security system. In the case of the biometric systems, the vulnerability lies in the security of samples. In the case of asymmetric techniques, the vulnerability lies in issues associated with interoperability, publicly accepted methods as also the strength of the authentication and encryption algorithms. It is possible for a sample to be intercepted in transit and reconstructed for unauthorized use (OECD, 1999). There is an increasing threat for security systems to adapt to newer forms of attacks and to try and detect newer viruses that seem to be on the loose in a bid to attack security systems for various unscrupulous means. As such, adequate security measures are needed to reduce the intensity of all such possible risks. Conclusion The primary role for government is to establish the necessary technological, infrastructural and government policies that will allow them to support various forms of electronic authentication requisite at the places of implementation (Burr, Dodson & Polk, 2006). Banks have been using electronic authentication frameworks for years to secure resources, such as the Automatic Teller Machine (ATM), which provides affective user protections. Schellekens (2004) explains that, “a bank is a registering authority for the public keys of its customers and subsequently relies on the signatures of its customers based on the registered public keys” (pg. 125). Much of the government infrastructure consists of closed systems except in places that need the involvement of the citizens. Eggers (2007, pg. 213) best describes this idealism, Close the windows, shut the doors, lock the gates, put a fence around the yard, and don’t give out too many keys. The first step is to lock down the computer systems—making sure that no government computer is linked to the Net until it meets minimum-security standards and all holes in the software systems have been plugged. In this scenario, care should be taken to draw a firm line between such closed and public systems and ensure that no user is able to use public access for securing closed resources in an unauthorized manner. Only then can government ensure that the nation stays safe from potential perpetrators of various kinds. References Aalberts, B. & Van der Hof, S. (2000), Digital Signature Blindness: Analysis of legislative approaches toward electronic authentication. LondoN: Kluwer. Anderson, R. (2001), Security Engineering: A guide to building dependable distributed systems. University of Michigan. APEC (2002), Electronic Authentication: Issues relating to its selection and use. Singapore: Asia Pacific Economic Cooperation (Organization). Burr, W. E. (2006), Electronic authentication guideline recommendations of the national institute of standards and technology. National Institute of Standards & Technology. Eggers, W. D. (2007). Government 2.0: Using technology to improve education, cut red tape, reduce gridlock, and enhance democracy. Lanham, Maryland: The Rowman & Littlefield Publishing Group, Inc. Grewlich, K. W. (1999), Governance in "cyberspace": Access and public interest in global communications. New York: Kluwer Law International. Ibrahim, M. (2000). Database and Expert Systems Applications: 11th International Conference : DEXA 2000. University of Michigan. Mann, C. L., Eckert, S. E. & Knight, S. C. (2000), Global Electronic Commerce: A policy primer. Boston: Peterson Institute. OECD (1999), Joint OECD-Private Sector Workshop on Electronic Authentication: Stanford and Menlo Park, California 2-4 June 1999. Organisation for Economic Co-operation and Development. OECD (2003), Privacy Online: OECD Guidance on policy and practice. Organization for Economic Co-operation and Development. Raysman, R., Pisacreta, E. A., Adler, K. A. & Ostrow, S. H. (1999), Intellectual Property Licensing: Forms and analysis. New York: Law Journal Press. Schellekens, M. (2004), Electronic Signatures: Authentication technology from a legal perspective. Cambridge University Press. SECUDE IT Security (2008). Retrieved February 5, 2008, from http://secude.com/htm/811/en/White_Paper%3A_Enterprise_SSO.htm Shinkōkai, N. B. & Gijutsubu, K. (1998), New Technology Japan. University of California. Smith, B. W. (2001), E-commerce: Financial products and services. New York: Law Journal Press. Sneddon, M. (2000), Legal Liability and E-transactions: A scoping study for the national electronic authentication council. Sydney: National Office for the Information Economy. Read More