Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



One-Time Passwords

The first improvement to I&A is to depend upon one-time passwords instead of reusable passwords. In practice, this approach requires the use of cryptography, although one can easily envision a simpler case. For example, two people could decide to sequentially use all words from an encyclopedia as the authenticating values for communicating. Each time authentication is needed, the originator sends the next word in the encyclopedia as the authenticator value. The recipient merely checks the value against another copy of this readily available code book if the authentication is unilateral. For bilateral authentication, the originator sends the next available encyclopedia word, and this word’s successor is sent as a response by the recipient.

Several problems exist with the encyclopedia protocol as described. The universe of passwords is easily cracked if an adversary determines which volume of the encyclopedia is serving as the code book. Also, it is recommended that a more complex algorithm than the successor function be used to authenticate the recipient. For example, the second party in the conversation could begin choosing passwords for the return messages by working backwards from the last page of the encyclopedia. Of course, both parties would need to know this variation in the protocol.

Still another problem is that you must assume that the communication channel between the originator and the recipient is not secure. If an adversary can capture and modify the message in transit, authentication will not be reliable. Attempts by an attacker to replay a previously used password are not a threat because each password is unique and used only once.

The basic idea is that the two parties share a secret, or secrets, chosen from a predetermined universe of values. Each secret is used only for a single authentication. If a secret were to be reused, a number of confounding issues would be introduced, such as the need for an expiration time on a secret. The strength of one-time passwords depends on the secrecy of the password generator and naturally on the secrecy of the storage device for the passwords. Cryptography is preferred when deriving or using one-time passwords because cryptography is more resistant to a variety of attacks.
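The encyclopedia protocol above, written out as an added example (not code from the book): both parties hold the same ordered word list, each word is consumed once, and a captured word sent a second time is rejected. The word list and the names `CodeBookParty` and `bilateral_round` are constructed for illustration.

```python
import hmac

# Constructed stand-in for the shared "encyclopedia" both parties hold.
CODE_BOOK = ["aardvark", "abacus", "abalone", "abbey", "abbot", "abdomen"]


class CodeBookParty:
    """One side of the encyclopedia protocol; tracks the next unused word."""

    def __init__(self, book):
        self.book = list(book)
        self.position = 0  # index of the next word that has never been used

    def next_word(self):
        """Consume and return the next word; each word is used only once."""
        if self.position >= len(self.book):
            raise RuntimeError("code book exhausted")
        word = self.book[self.position]
        self.position += 1
        return word

    def verify(self, candidate):
        """Accept only the next unused word; a replayed word never matches."""
        if self.position >= len(self.book):
            return False
        expected = self.book[self.position]
        if not hmac.compare_digest(candidate.encode(), expected.encode()):
            return False
        self.position += 1
        return True


def bilateral_round(originator, recipient):
    """Originator sends word n; recipient answers with its successor, n+1."""
    sent = originator.next_word()
    if not recipient.verify(sent):
        return None
    reply = recipient.next_word()
    if not originator.verify(reply):
        return None
    return sent, reply


def demo():
    alice, bob = CodeBookParty(CODE_BOOK), CodeBookParty(CODE_BOOK)
    first = bilateral_round(alice, bob)
    replay_accepted = bob.verify(first[0])  # captured word sent again
    second = bilateral_round(alice, bob)
    return first, replay_accepted, second
```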

Strong Authentication

Rather than transmitting the secret value itself, whether in unilateral or mutual (bilateral) authentication, strong authentication prescribes that an entity only prove knowledge of the secret. In other words, strong authentication involves demonstrating that you know a secret without actually revealing the secret. Obviously, login passwords are not a form of strong authentication because you must actually enter your password to authenticate to a system.

Imagine a modified UNIX I&A procedure in which you do not enter your usual password. When the system prompts you for the password, you provide a value that is derived from your password. For example, assume that your password is an integer or that the password can be converted into an integer value. In response to the password prompt, you multiply your integer password by a predetermined constant value, such as the integer 4, and key in the result. In this way, you are not revealing the secret you share with the system. Unfortunately, this simple approach is not much stronger than relying on reusable passwords because the example algorithm is too simple. Again, cryptographic techniques commonly underlie commercial implementations of strong authentication.
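An added example (not from the book) of why the multiply-by-4 scheme is weak: the keyed-in value never changes, so it works as a reusable password and reverses to the real one. For contrast it is set beside a challenge-response exchange; the use of HMAC-SHA256 over a random nonce is an assumption chosen here, since the text names no specific cryptographic technique, and the secrets are constructed sample values.

```python
import hashlib
import hmac
import secrets

CONSTANT = 4  # the predetermined constant from the text


def weak_response(password_int):
    """The text's scheme: key in password * constant instead of the password."""
    return password_int * CONSTANT


def weak_verify(stored_password_int, response):
    return response == stored_password_int * CONSTANT


def new_challenge():
    """System side: a fresh random nonce for each login attempt."""
    return secrets.token_bytes(16)


def hmac_response(secret, challenge):
    """Prove knowledge of the secret by keying a MAC over the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def hmac_verify(secret, challenge, response):
    return hmac.compare_digest(hmac_response(secret, challenge), response)


def demo():
    password_int = 271828                   # constructed sample secret
    observed = weak_response(password_int)  # the value that crosses the wire
    # The response is fixed, so the same value is accepted at every login,
    # and dividing by the known constant yields the password itself.
    weak_replay_ok = weak_verify(password_int, observed)
    recovered = observed // CONSTANT

    secret = b"constructed-shared-secret"
    c1, c2 = new_challenge(), new_challenge()
    r1 = hmac_response(secret, c1)
    first_login_ok = hmac_verify(secret, c1, r1)
    # A response recorded for c1 does not answer the next challenge c2.
    hmac_replay_ok = hmac_verify(secret, c2, r1)
    return weak_replay_ok, recovered == password_int, first_login_ok, hmac_replay_ok
```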

One-Time Passwords and One-Time Pads

The strongest cryptographic protection comes from using one-time pads. A one-time pad is a randomly generated string of characters to be used as the key for encrypting plaintext. For the moment, think of the plaintext and the one-time pad as binary strings. Encryption is accomplished by XORing the plaintext with the key. Each bit in the one-time pad key is used to encrypt a single bit in the plaintext, and each bit in the key is used exactly one time. Reusing any portion of the key reduces the strength of the cipher. Therefore, bits of the key are discarded after they are used. The accomplice receives the ciphertext and reverses the operation using the same one-time pad. Both parties must have agreed on the contents of the one-time pad in advance. Additionally, if either party loses synchronization with the other, the message will not be decrypted correctly.
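The three properties in the paragraph above, as an added example (not code from the book): XOR with the shared pad round-trips, reusing pad bytes makes the key cancel out of two ciphertexts, and a receiver who loses step decrypts garbage. The `OneTimePad` class, the pad length and the messages are constructed for illustration.

```python
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """A shared pad whose bytes are discarded (offset advanced) once used."""

    def __init__(self, pad):
        self.pad = pad
        self.offset = 0

    def _take(self, n):
        if self.offset + n > len(self.pad):
            raise ValueError("pad exhausted: key must be as long as the traffic")
        chunk = self.pad[self.offset:self.offset + n]
        self.offset += n
        return chunk

    def encrypt(self, plaintext):
        return xor_bytes(plaintext, self._take(len(plaintext)))

    decrypt = encrypt  # XOR with the same pad bytes reverses the operation


def demo():
    pad = secrets.token_bytes(64)              # pad agreed on in advance
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    m1, m2 = b"MEET AT DAWN", b"HOLD AT DUSK"  # constructed messages

    c1 = sender.encrypt(m1)
    ok = receiver.decrypt(c1) == m1            # both sides in step

    # Reuse: encrypting m2 under the pad bytes already spent on m1.
    reused = xor_bytes(m2, pad[:len(m2)])
    leaks = xor_bytes(c1, reused) == xor_bytes(m1, m2)  # key cancels out

    # Lost synchronization: receiver misses one message, then reads the next.
    sender.encrypt(m2)
    c3 = sender.encrypt(m1)
    desync = receiver.decrypt(c3) != m1
    return ok, leaks, desync
```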

Spies have long relied upon one-time pads, actual printed sheets with keys, to exchange small amounts of super-secret information. Unless the pad used to encrypt the message can be found, deciphering the message is computationally infeasible. Although no formal proof exists for guaranteeing that a cryptographic algorithm is unbreakable, intuitively the one-time pad is the most secure method because any string of 1s and 0s is an equally probable key. The search space is practically infinite.

Because the key length must be identical to the message length, one-time pads are impractical for general cryptographic communications. Also, the approach is only as safe as the technique used to generate the random numbers of the key. In practice, random-number generation has often been the weakest component in a security product. The random-number generator of an early Netscape product was cracked not long after Netscape offered a reward for doing so. For a thorough treatment of randomness in computing see Luby (1996).

A one-time password is similar to a one-time pad in that the password is used only once for authentication. After the user or other entity is authenticated, the password is discarded.

Two-Factor Authentication

Recall that authentication can be proven by demonstrating something you know, something you have, or something you are. Combining any two of these to form two-factor authentication markedly adds to the security of the authentication system. For example, if you must know a secret key sequence and if you are required to possess a badge to access a secured area, this method is better than relying on only one of the two values. The Security Dynamics Inc. (SDI) ACE/Server was one of the first commercial products to combine one-time passwords with token devices.

