Tuesday, September 27, 2011

A Small Token Of Trust

One of the more difficult issues with the internet and access to computer systems in general is accurate identification and reliable authentication of people. To properly govern the use of any system or the data it contains, we must know a person's identity. Based on who you are we can allow or refuse access to portions or all of the information. But beyond knowing the identity presented, we must authenticate you. In other words, we need a way to know you are really you and not just someone simply claiming to be you.

In the real world we have physical evidence of our identity. To cash a check we may have to show a valid drivers license while at the airport we might have to produce a passport. These are documents issued by trusted authorities which serve as acceptable evidence of who we are. Our fingerprints, retinal image or other biometrics can provide near irrefutable proof.

Computers, on the other hand, typically rely on user accounts and passwords to indicate who is using the system. For more secure systems additional methods of authentication may be brought in to play. E*Trade, for example, once issued physical tokens to all its brokerage customers. These devices displayed a continuously changing code in an LCD window which had to be entered when you signed in. You, in sole possession of the token, were the only person who would have access to this code at the time of sign on. Even if someone learned your account and password, they would lack this extra key needed to successfully get in.

Most of the methods, even the most sophisticated, still leave systems vulnerable to attack. Every attempt to access a computer system across a network relies upon a standard of communication called Internet Protocol or IP. IP is the postal system for computers. Something called a TCP packet is like the envelope in which you place your message. Unfortunately the bad guys know how intercept these packets and sneak a peek at what's inside. Encryption of the content is encouraged for this reason. If the message in the packet is all in code it is no use to anyone except the sender and receiver with their secret decoder rings.

This leaves one hole in the fortress. The very first packet which carries the credentials to the server can be identified and compromised. Moreover, there is an all out attack called a denial of service attack where the bad guys just want to flood the server with packets to overwhelm it and cause it to slow down or fail altogether.

One vendor has addressed this weakness brilliantly. At a recent Cresting Wave Technology Showcase I had the opportunity to discuss security with Eric Bucher, senior security engineer with BlackRidge Technology, who described an elegantly simple but totally effective solution to the problem.

Adding their special client software to each computer authorized to communicate with a server allows a unique token to be inserted into the header of the TCP packet before it is sent on its way. The token is randomized and time dependent. When the packet arrives at the server this token lets the server know it came from a known and trusted source. Packets that arrive without this special token are simply ignored.

This assures a secure connection with the server and, even better, renders denial of service attacks ineffective. DOS depends on the fact that the server has to acknowledge and respond to every packet, even if only to reject a bad attempt to sign in. But with the BlackRidge Technology, packets that lack a valid token are simply thrown away. Bad guys hammering the server with repeated guesses at passwords or even pinging, a technique to measure how long it takes to get a reply from a server, will have no impact. There will be no reply issued, effectively cloaking the server and imposing no additional load.

No doubt, this new technology will be welcomed and integrated into many commercial software solutions.

Captain Joe

Follow me on Twitter @JPuglisiLLC

By the way, if you find all this technology too confusing, feel free to give me a call.


No comments:

Post a Comment