For data protection, actions may speak louder than words.
Information security researchers at George Washington University are studying new ways to strengthen identification authentication processes while keeping transactions as simple as possible. The techniques involve deliberate perturbations of traditional authentication processes and can be applied to password, token and biometric systems alike.
Automated systems for restricting access or validating identity traditionally have been based on specific information provided by the authorized user. This information could include a password, data recorded on transportable media such as a credit card, or biometric information that is associated with some immutable physical trait such as a fingerprint. Authentication transactions are often based on a combination of these, for example, an automatic teller machine card paired with a personal identification number. Voice print and signature recognition systems introduce the concept of behavior into the authentication transaction. Natural, learned or passive behavior often is treated as biometric data.
Authentication system acceptability as perceived by the user is viewed in the context of the potential for user embarrassment and privacy concerns. While embarrassment is not likely to be an issue for password-based authentication systems, systems based on voice or face recognition may be a source of embarrassment for individuals who are not comfortable with their appearance or the sound of their voice. Authentication systems that provide a positive, one-to-one relationship between the user’s account and the individual user are sometimes perceived as violations of privacy and bring about fears that the authentication information could be used to track movements and activities.
Traditional password systems are subject to specific attacks on their underlying technologies. In addition, selecting poor passwords, reusing passwords, writing down passwords then keeping them near workstations and leaving computers unattended create security risks. These security system workarounds have been referred to as human-factor vulnerabilities. One challenge that authentication system engineers face is how to supply the greatest technical authentication security possible without compounding vulnerabilities caused by users.
Research in authentication emerging from the George Washington University information security program (GWU-InfoSec), Washington, D.C., analyzes authentication systems in terms of cost, usability, acceptability and effectiveness. In particular, researchers have studied the effects of deliberate behavior patterns, such as imparting a purposeful rhythm to an entered password or incorporating timing and/or ordering constraints into token or biometric processes.
While active-behavior-based authentication is similar to passive-behavior systems in the sensing equipment used, how the two types of behavior distinguish a user is completely different. For example, while users of a passive-behavior system would be differentiated based on the natural variation inherent in the way they type, speak or write, these natural behaviors are only a small subset of all the possible ways that a person could type, speak, sing or otherwise emit sounds.
In theory, active-behavior-based authentication effectively maps authentication methods into a much larger space that is not governed by the variation of natural habits, but governed instead by time, imagination, human capabilities or the technical limits of the sensing apparatus. Based on the set/subset relationship between the active- and passive-behavior authentication spaces, if the user of an active-behavior system does not use imagination during the authentication processes, the authentication space collapses to that of the corresponding passive-behavior system.
One of many active-behavior-enhanced systems that GWU-InfoSec researchers have studied is time domain sensitive password protection (TDSPP), an active-behavior password system prototype. TDSPP has shown promise in protecting systems from various forms of attack, reducing vulnerabilities derived from human factors and enlarging the authentication space. According to researchers, the improvements that TDSPP offers over simple password systems have been realized without affecting user acceptability and with costs that are acceptable for many applications. “I can see applications for TDSPP in the high-security sector,” Edmund Brown, network specialist, Accounting Machine Systems Incorporated, Frederick, Maryland, says. Deepak Shrestha, vice president, Universolutions LLC, Springfield, Virginia, observes, “This [TDSPP] system could be used on a large scale if the time domain feature could be made selective or optional by the administrator.”
GWU-InfoSec researchers consider authentication system effectiveness in terms of vulnerabilities to specific attacks, effects on human-factor vulnerabilities and effects on authentication entropy. Entropy is an information theory that is a measure of the theoretical uncertainty associated with guessing a password or otherwise reproducing an authentication sequence. Authentication entropy is a measure of the size of the authentication space where, for example, all possible passwords, fingerprint patterns or signatures reside. Active-behavior techniques address the potential for expansion of the authentication space while maintaining good usability and acceptability characteristics.
Deliberate or active-behavior-enhanced authentication is almost inevitably associated with additional constraints on usability from the end user’s perspective, however. The added requirements of remembering and executing a time-sensitive authentication sequence increase the likelihood that a valid user will fail to be recognized unless the allowable margin for error is raised. Consequently, the usability characteristics of an authentication system are a tradeoff with the increase in security provided by the system.
Usability, from both an organizational management perspective and a system administrator perspective, also is an important consideration. System administration costs, including help-desk functions, may be affected when adopting any new authentication system. GWU-InfoSec researchers are studying active-behavior-enhanced authentication systems in terms of usability from the user, system administrator and organizational manager perspective.
The widespread adoption of low-cost authentication password systems has heightened interest in ways to make password authentication transactions more resilient to “cracker” attacks and other forms of technical compromise. GWU-InfoSec researchers maintain that the incorporation of deliberate keystroke rhythms during the password entry process reduces the likelihood of system compromise from offline password-cracking attacks because the attacker must capture the password registries governing both the textual and rhythmic components of the time-domain-sensitive passwords for each user. Furthermore, the technique offers a defense against keyboard logger attacks, where keystrokes are surreptitiously recorded by malicious code resident on the target computer. Sniffer attacks, where a data line is monitored for authentication sequences that are then recorded and replayed by an attacker, can be repelled in two separate ways using the specialized technique.
With respect to human-factor password vulnerabilities, researchers report that, although theoretically the entropy associated with poorly selected passwords can be increased by an order of tens of thousands, in practice individuals do not employ keystroke rhythms that are sufficiently creative to realize much of the added security from increased entropy. The test results of more than 100 subjects indicated that people tend to default to their natural typing patterns, which can be effectively guessed given an average of 50 attempts in some cases.
Various means for bringing the practical entropy of the system closer to the theoretical limits are under consideration. Research into the potential for human-factor workarounds revealed that individuals would not be likely to write down the rhythm of how they type their passwords, but they would use the same time-domain-sensitive passwords on more than one system. Dr. Irmak Renda-Tanali, an independent researcher and expert in risk assessment and management states, “The new system appears to be able to deliver some additional security to networks and information services that currently depend on password-controlled access.”
In all test cases, the active-behavior password variant was considered acceptable in terms of social comfort and privacy. The system has the advantage shared by traditional password systems in that it can be implemented completely by software, and additional sensing devices are not required.
Token systems, including machine-readable cards and keys, lend themselves to a different kind of active-behavior method. GWU-InfoSec researchers investigated systems that are based on rhythmic repetitive swipes or ordered swipes of multiple machine-readable strips. Conceivably, an authentication system could support a personal identification number functionality without being equipped with a keypad entry device.
Differences between conventional token systems and active-behavior-enhanced ones are completely manifest in software and could be implemented at essentially the same cost as conventional systems. Test subjects report no additional concerns with respect to acceptability of the token-based active-behavior variants over those associated with the conventional token systems.
Active-behavior enhancements can be overlaid on authentication systems based on fingerprints, the bone structure of the hand, facial recognition or imaging of the iris or retina. GWU-InfoSec researchers suggest fingerprint-reading systems where specific fingers must be scanned in a designated order for authentication to be successful or systems based on the bone structure of the hand that are designed to detect deliberate changes in finger or hand pressure or movements during the authentication process. In addition, facial recognition systems could be designed to be sensitive to facial expressions or head, mouth and eye movements in a way that the variations could make up an extended authentication sequence. Finally, ocular imaging systems could be designed to be sensitive to blinks or eye movements so that the movements could make up a deliberate timed or sequenced pattern that could supplement the authentication process.
The effect of incorporating active-behavior-based sequences in the conventional biometric-based processes is one of multiplying the entropy associated with the conventional method by the entropy associated with the active-behavior method. In each case, the hybrid system defaults to the conventional system if no deliberate behaviors are introduced into the authentication process.
Research into computer system authentication is only one of many aspects of information security being studied at universities and commercial institutions. Innovative approaches to securing electronic transactions and resources may provide an important key to protecting information systems.
Christopher Hekimian is an electronics and systems engineer and consultant. Sue Adamkiewicz is a certified information systems security professional and an information security engineer.