Identifying Users In Hostile Environments

Computers identify users in order to: control user access to the computer; mediate access to assets stored on the computer; and achieve individual accountability. Remote user identification can be particularly challenging when the user is in a potentially hostile environment, working from a potentially hostile workstation. As an example, consider an enterprise employee who must access an enterprise server remotely from a public computer (e.g., in a hotel business center or at an Internet cafe). Obviously, it would be preferable for the enterprise to issue the employee a laptop computer that can be trusted and via which a secure remote link can be established (e.g., via a VPN). However, this is not always practical, and sometimes laptops break. How then can an enterprise remotely identify users from potentially hostile remote computers?

A typical means of authenticating the identity of individuals is the use of passwords. Stronger authentication can be achieved via things like smart-card readers or biometric scanners; however, hotel and cafe computers are not likely to include these. If just a password is used to identify the remote user, the password might be captured by a key logger or other mechanism. Use of encryption protocols such as SSL can prevent the password from appearing in clear text on the potentially hostile network, but that does not prevent the password from being captured on the hostile workstation itself.

A common approach to this problem is to let the password be captured, but to invalidate the password upon each use. In other words, a mechanism is used to effectively change the password on each use. Some systems use physical tokens that users carry with them. These tokens periodically generate new passwords (e.g., every thirty seconds), and they are synchronized with the enterprise authentication server. The same password is never used more than once, so even if an attacker manages to capture a password, it cannot be re-used. Users must protect these tokens from theft. Sometimes an enterprise might combine the one-time password with a password that only the user knows.

Use of one-time password generators does not prevent malicious software on hostile computers from capturing the actual data as the user works (e.g., a Trojan horse in a browser could capture data retrieved via web-enabled applications). However, for many enterprises, the threat of someone happening to capture the data is much lower than the threat of someone getting remote access to the server itself.
Similarly, the threat of a Trojan horse on a hostile workstation subverting the server (e.g., by exploiting a flaw in a web server) can be mitigated somewhat through good patch management. Of course, if the motive is strong enough, the enterprise might assume the web server has been subverted anyway.

While it is not practical to fully trust a potentially hostile remote computer, moderately secure user identification can be achieved through use of one-time passwords.