Tokens replace passwords for website access - Technology Information

Communications News, April, 2001

Banks and financial institutions look for new ways to protect online services.

Nearly all current network environments rely only on passwords, which do not provide adequate security for today's applications. Managing passwords has become the single largest time-sink for most help desks, and users are beginning to rebel against even lax password security policies.

In the rush to get B2C services to market, online banking, healthcare and other systems have been deployed with inadequate password-only security.

Some European online banking systems (e.g., Handel's Bank), government information systems (Canadian, Australian and U.S.) and corporate networks have started using tokens rather than passwords in enterprise, B2B and B2C applications. In some cases, the funds transfer, account management and other applications were already serviced by password-generator tokens implementing the X9.26 standard, the financial institution sign-on authentication standard developed by the American National Standards Institute.

X9.26 advises the use of a token to authenticate users rather than a password alone, because it recognizes that a password used to authenticate a user can be compromised in many ways (e.g., easily guessed, openly displayed, poorly selected, stolen or given away).

Some of the major customers of QIC System Corp., a Taiwan-based network security company, are banks and financial institutions. The company implemented several solutions for the greater China market using shared-secret tokens rather than passwords, aimed at accelerating the adoption of online banking and access to online financial services for banks and other financial institutions throughout the Asia Pacific Rim.

Password-generator tokens are calculator-like devices that generate dynamic passwords that the user types in. A token is a physical device capable of storing a secret value and processing that secret value with a cryptographic function in accordance with a challenge-response protocol. The value of such a design is that the secret value cannot be extracted: even malicious software running on the machine to which the token is connected cannot determine it.

New systems are often designed around public key infrastructure (PKI). PKI has been successful in high-assurance applications where user convenience and cost are lower priorities, but has not been successful in large-scale B2B or B2C deployments.

QIC chose Rainbow Technologies' iKey, a USB token, because of its ergonomic and security advantages over passwords. This smart key plugs into the USB port, making it simple for users, yet more secure than passwords. The Model 1000-3DES implements the same X9.26 standard, allowing it to be integrated with no changes to the back-end authentication infrastructure. There are many cases where a Web or other Internet front-end is being placed on an existing back-end system. Although passwords are no longer adequate when legacy systems are extended out to the open Internet, replacing the entire authentication infrastructure is often not an option either.

For its used-car website, QIC issued iKeys to dealers participating in the system so that they could access the site with a standard Web browser. Participating dealers can now manage their inventories, adjust pricing and view activity logs. In this scenario, any user in possession of an authorized iKey is permitted. In other applications (including legally binding digital signatures), a PIN may also be required in order to use the token.

QIC's innovative strategy was to marry the iKey with existing authentication and authorization servers. When a visitor accesses the "dealer only" portion of the QIC website, the Web server sends an applet to the client Web browser so that the browser can communicate with the iKey. The applet forwards a random challenge value to the iKey and returns the response to the Web server. The iKey generates the response in accordance with the X9.26 protocol, using the 3DES algorithm.

The Web server then calls a standard RADIUS server, which computes the same challenge-response value; if the two match, the user's identity is authenticated. The RADIUS server contains a hardware security module (HSM) card that holds the secret values and performs the calculations, so that even if the server is compromised, the user secrets cannot be obtained. The HSM card also contains a true random-number generator, which is used to generate the secret values placed in each iKey at registration time.
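The exchange described above (token, Web/RADIUS server and HSM), as an added simulation that is not QIC's or Rainbow's code. It assumes an HMAC-SHA256 stand-in for the iKey's 3DES function, since Python's standard library has no 3DES; the token ids and the single-use challenge store are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Stand-in for the token's cryptographic function: the article's iKey uses 3DES
# under X9.26; HMAC-SHA256 truncated to 8 bytes models it here (an assumption).
def compute_response(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:8]
class Token:
    """Simulated USB token: holds its secret and only ever emits responses."""
    def __init__(self, secret: bytes):
        self._secret = secret
    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self._secret, challenge)

class Hsm:
    """Simulated HSM: secrets live only here; the server can only ask for a verdict."""
    def __init__(self):
        self._secrets = {}
    def enroll(self, token_id: str) -> Token:
        secret = secrets.token_bytes(24)   # HSM RNG makes the secret at registration
        self._secrets[token_id] = secret
        return Token(secret)               # secret is loaded into the new token
    def verify(self, token_id: str, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(token_id)
        if secret is None:
            return False
        expected = compute_response(secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare

class AuthServer:
    """Models the Web server plus RADIUS server: issues single-use challenges."""
    def __init__(self, hsm: Hsm):
        self._hsm, self._pending = hsm, {}
    def new_challenge(self, token_id: str) -> bytes:
        self._pending[token_id] = secrets.token_bytes(8)
        return self._pending[token_id]
    def check(self, token_id: str, response: bytes) -> bool:
        challenge = self._pending.pop(token_id, None)  # consumed: a captured response cannot be replayed
        return challenge is not None and self._hsm.verify(token_id, challenge, response)

def demo() -> tuple:
    hsm = Hsm()
    server = AuthServer(hsm)
    dealer, other = hsm.enroll("dealer-42"), hsm.enroll("dealer-99")  # constructed ids
    challenge = server.new_challenge("dealer-42")
    genuine = server.check("dealer-42", dealer.respond(challenge))
    replay = server.check("dealer-42", dealer.respond(challenge))   # same response again
    challenge = server.new_challenge("dealer-42")
    wrong_token = server.check("dealer-42", other.respond(challenge))
    return genuine, replay, wrong_token   # (True, False, False)
```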

QIC was able to integrate convenient, low-cost USB tokens into existing systems, making the extension of those systems onto the Internet easy.

www.rainbow.com

Circle 268 for more information from Rainbow Technologies

COPYRIGHT 2001 Nelson Publishing
COPYRIGHT 2001 Gale Group
