Authentication of the Modern Generation - Term Paper Example

Emerging Technologies Universal Authentication Universal Authentication is the next generation of authentication, identifying yourself to electronic services. Universal authentication is a network identity-verification method that allows users to move from site to site securely without having to enter identifying information multiple times. Authentication in contrast to authorization is the process of determining whether or not an entity attempting to access a network or site is actually who or what it claims to be. With universal authentication, a subscriber enters one set of parameters such as a username and password at the start of every network session. The authentication data for any site visited thereafter is automatically generated for the duration of that session. The e-business revolution is fundamentally changing the world around us. We communicate with colleagues and friends by e-mail, conduct our personal banking on-line, go shopping without ever leaving our homes, renew drivers' licenses and submit tax returns without ever having to stand in line. As customers, we have been given the power of self-service, to conduct our own transactions, on our own terms, and at a time that suits our schedule, unconstrained by the limitations of physical operations. Universal authentication reflect the continuing struggle to keep the digital world accessible and secure. It must be able to positively identify and authenticate the people that are eligible for its services. It must be able to understand each person's role and status and be able to track those attributes as they change over time. Requirements in the previous two sentences imply the requirement for robust directory, authentication and authorization systems. More and more on-line self-service applications and an increasingly complex learning environment require such systems to be based on a single ID and password. This is not simply a matter of convenience. While each person's e-Business life is made substantially easier, the security of the institution and its vital information depends on the ability to responsibly manage the underlying technology in a coherent manner. One of the biggest problems with Internet security is the fact that every Web site has its own authentication system. A typical Internet user, who has two or three Web-based e-mail addresses and frequents half a dozen online vendors to buy or sell things, must memorize several usernames and passwords. This can be difficult unless the authentication data is written down or stored as a text file, which then becomes a security issue. Universal authentication can eliminate this problem without compromising security or privacy. Universal authentication systems, which allow users to log in once and then hop between Web sites, may just be the answer for those who are unable to remember the various user names and passwords that they have established to access different sites on the 'Net. However, remembering different passwords and user names may just be the safer bet - for now anyway. For a universal authentication system to work, much stronger authentication - and possibly the introduction of biometrics as an extra layer of authentication - would have to be considered. As rightly quoted by David. M in ''IT Tech' Magazine, "Such a system would have to be designed and configured to provide multiple layers of authentication between various institutions, and would definitely have to encompass very powerful encryption (AES). "Without these, universal password authentication poses some obvious security risks," 1 There is really no such thing as a 100% secure environment, just those that have yet to be compromised. Incidents of identity theft and fraud are already on the rise, and the nature of the threat has changed from being purely malicious to being revenue-driven. Primary concern is that should a user's single login or authentication be compromised, the hacker would have access to everything, from banking details, to e-mail and online retail accounts. While signing in once to access various sites may be more convenient for users, it will also make the work of dubious and ever-evolving crackers so much easier. The full co-operation between various institutions, such as banks and retailers, would also be necessary for the system to be truly universal. At the same time, universal password authentication is an exciting concept. "The concept, in its infancy at this stage, definitely warrants further research and development. I believe that universal authentication systems could eventually become the standard, if not globally, then certainly within select markets." However, remembering 1 'Emerging Technologies' I T Tech. Magazine, 2006 different passwords and user names may just be the safer bet - for now anyway. This is the opinion of Dries Morris, director of specialist IT security management and consulting company, Securicom. A universal system would require us to create only one user ID and password for everything an individual do online, at work and at home. There are lots of online identity-verifying systems out there, and some experts see the sheer number and diversity of those systems as a big part of the Internet's fraud and security problems. Universal Authentication if implemented, it will give secure, but password-less logins for web based services. Even better then single sign-on ideas like Passport.net or Liberty Alliance. Problems do arise when we want to login from any other terminal that doesn't have our private keys installed. This can be solved by introducing relays. When the browser doesn't know how to authenticate to this website, it can ask the user if it knows any relay service. The relay will respond on behalf of the browser, but it will require a username or password to work. The relay can be done over http or https and can use Basic or Digest authentication, with an addition header: Relay-Authenticate. If the relay finds the credentials given valid, it will respond to the challenge with the right header in Relay-Authorization. Then the browser can forward this to the webserver. Note that a relay can be a mobile device with WLAN capabilities, or a personal server reachable over the internet included in your home broadband-router for instance, a service provided by your boss, or any public server that you trust with your private key. The point is, your personal data is not on Microsofts Passport service, or any other companies server that you might not like, and no-one has a single point of control. Advantages of Universal Authentication 1. You don't give passwords to servers anymore, meaning no more passwords to remember. 2. Single sign-on's without a single point of control like Password. 3. The authentication is potentially stronger then can be reached with six to eight char passwords. 4. You can always use a relay, which could be something you have with you always (like your mobile!), or your home router. 5. You can have multiple key-pairs, some you treat with less paranoia then others. And maybe you can register more then one public key for a single account on a web service. Disadvantages of Universal Authentication 1. Switching users should be easy enough, logouts from Basic or Digest has always been difficult inside browsers. 2. Browsers need to support the new scheme, plus implement the key management. 3. Public / private key systems are not well understood by common users. 4. Public / private key pairs need to be exported and imported into other browsers (on multiple computers) too, which makes it less save. 5. There should be a way to retract the validness of public keys, which complicates the whole for web services implementing this. Though, note that you cannot retract passwords either. 6. Over unencrypted http, this scheme has the same drawbacks as Digest has. (Anyone can listen to the traffic.) Relevant Technologies Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems. Many free and commercial SSO or reduced sign-on solutions are currently available. A partial list follows: The JA-SIG Central Authentication Service (CAS) The JA-SIG Central Authentication Service (CAS) is an open single sign-on service (originally developed by Yale University) that allows web applications the ability to defer all authentication to a trusted central server or servers. Numerous clients are freely available, including clients for Java, .Net, PHP, Perl, Apache, uPortal, Liferay and others. CoSign CoSign, an open-source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. CoSign authenticates users on the web server and then provides an environment variable for the users' name. When the users access a part of the site that requires authentication, the presence of that variable allows access without having to sign-on again. Cosign is part of the National Science Foundation Middleware Initiative (NMI) software release. Enterprise single sign-on (E-SSO) Enterprise single sign-on (E-SSO), also called legacy single sign-on, after primary user authentication, intercepts login prompts presented by secondary applications, and automatically fills in fields such as a login ID or password. E-SSO systems allow for interoperability with applications that are unable to externalize user authentication, essentially through "screen scraping." Web single sign-on (Web-SSO) Web single sign-on (Web-SSO), also called Web access management (Web-AM), works strictly with applications and resources accessed with a web browser. Access to web resources is intercepted, either using a web proxy server or by installing a component on each targeted web server. Unauthenticated users who attempt to access a resource are diverted to an authentication service, and returned only after a successful sign-on. Cookies are most often used to track user authentication state, and the Web-SSO infrastructure extracts user identification information from these cookies, passing it into each web resource. Kerberos Kerberos is a popular mechanism for applications to externalize authentication entirely. Users sign into the Kerberos server, and are issued a ticket, which their client software presents to servers that they attempt to access. Kerberos is available on Unix, Windows and mainframe platforms, but requires extensive modification of client/server application code, and is consequently not used by many legacy applications. Federation Federation is a new approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Federation. Light-Weight Identity and OpenID Light-Weight Identity and OpenID, under the YADIS umbrella, offer distributed and decentralized SSO, where identity is tied to an easily-processed URL which can be verified by any server using one of the participating protocols. JOSSO or Java Open Single Sign-On JOSSO or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure aimed to provide a solution for centralized platform neutral user authentication. It uses web services for asserting user identity, allowing the integration of non-Java applications (i.e: PHP, Microsoft ASP, etc.) to the Single Sign-On Service using the SOAP over HTTP protocol. The term enterprise reduced sign-on is preferred by some authors because they believe single sign-on to be a misnomer: no one can achieve it without an homogeneous IT infrastructure. In a homogeneous IT infrastructure or at least where a single user entity authentication scheme exists or where user database is centralized, single sign-on is a visible benefit. All users in this infrastructure would have one or single authentication credentials. e.g. say in an organization stores its user database in a LDAP database. All Information processing systems can use such a LDAP database for user authentication and authorization, which in turn means single sign-on has been achieved organization wide. Conclusion Throuhgt the 20th Century, the pace of technological advancement has increased dramatically. The Computer revolution, now upon us, is expected to take giant strides in the coming decades. The basic challenge of coming decade is how to make already aviliable technologies as useful and friendly to the common man. The research and development in Universal Authentication will definitely result in improving the betterment of an individual's assess to this secure e-world. References "Definition of Universal Authentication." Wikipedia.com. retrieved on December 09, 2006. [http://www.wikipedia.com/ua/] 'Emerging Technologies' I T Tech. Magazine, New Delhi. 2006 Okin J. R, "The Internet Revolution: The Not-for-Dummies Guide to the History, Technology, and Use of the Internet" Ironbound Press Edition. 2005 'The Technological Advance in 21st Century'; The Tech column. The Hindu - The Daily. April 20, 2006. [www.hinduonnet.com] Universal Authentication. Techtarget.com 22 Apr 2006. Retrieved on December 11, 2006. [http://whatis.techtarget.com/loginMembersOnly/ 1,289498,sid9_gci 1184055,00.html] Universal Authentication. Technologyreview.com. Retrieved on December 10, 2006 [http://www.technologyreview.com/article/16474/page2/] UA.White Paper. Cs.ucsb.edu. Retrieved on December 10, 2006 [http://www.cs.ucsb.edu/htzheng/media/MITTR06/] Read More