Remembering all the logins and passwords to all the services and systems you’ve got access to is pretty hard to do nowadays. Many people use the same login and password for multiple sites and systems. That won’t improve security. One of the IT buzzwords is SSO (Single Sign-on). Most SSO systems are hard to set up and will only provide SSO to the systems of one company. It is possible to easily provide worldwide single sign-on.
What is authentication?
Authentication is the act of figuring out who the person is that tries to access a system, an application or a website. Authentication is not authorization. Authorization is controlling access based on who tries to access the object, and often also at what time access is allowed and what is required to get access. Authentication is generally required for authorization.
How authentication is done today.
Most websites will store a username, password and email address of every user. Everyone who has access to that mailbox or who knows the username and password is identified as a valid user. Some sites started to use email addresses as login names, to reduce the things a user has to remember. (Who would forget his/her own email address?)
A better way to identify people on the net
The industry standard for assuring that a website is authentic is SSL (Secure Socket Layer). It is available in almost every browser. SSL is also used to sign and to encrypt email. SSL email certificates are freely available from CAcert and Thawte. Both CAcert and Thawte have an assurance program to verify the real identity of a person.
The solution
So using SSL you can prove that you’re the owner of your mailbox and that your real identity is verified. It is easily possible to use the same certificate which is used to sign your mail to prove to a website that you are who you say you are. The only problem is that hardly any website uses that information.
The old scenario
- go to example.com
- click sign-up
- enter your email address, login name and password
- reply to the email which is sent to verify your email address
- login using that loginname and password
The new scenario
- go to example.com
- click login
- you’re prompted to enter the password for your private key
No sign-up?
There is no sign-up needed in the new scenario because with your certificate you provide an email address, which is also your username. And a password is not needed. The same certificate can also be used for other services like LDAP. You don’t have to worry that some sneaky admin will read your password, because it isn’t stored on or sent to that server.
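The new scenario worked through on the server side, as added example code that is not part of the article: once the TLS handshake has completed with verify_mode = ssl.CERT_REQUIRED and the site's trusted CA certificates loaded via load_verify_locations(), the application maps the client certificate to a login name and creates the account on first use, with no password anywhere. The sample certificate dictionary (in the shape Python's ssl.SSLSocket.getpeercert() returns), the trusted-issuer list and the revoked-serial set are constructed for this example; the issuer check is the site's "list of CAs which they trust" from the minor-problems section and the revocation check mirrors the CRLs discussed in the comments.

```python
import ssl
import time

# Constructed sample, in the shape ssl.SSLSocket.getpeercert() returns after a
# handshake in which the server required and verified a client certificate.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "NL"),),
        (("commonName", "Daniel Example"),),
        (("emailAddress", "daniel@example.org"),),
    ),
    "issuer": (
        (("organizationName", "Example Community CA"),),
        (("commonName", "Example Community CA Root"),),
    ),
    "subjectAltName": (("email", "daniel@example.org"),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
    "version": 3,
}

# The site's trust list, keyed by issuer commonName (constructed).
TRUSTED_ISSUERS = {"Example Community CA Root"}

# (issuer commonName, serialNumber) pairs taken from that issuer's CRL (constructed).
REVOKED_SERIALS = {("Example Community CA Root", "DEADBEEF")}


def _rdn_value(name, key):
    """Pick the first attribute named `key` out of a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for attr_key, value in rdn:
            if attr_key == key:
                return value
    return None


def username_from_cert(cert, now=None, trusted=TRUSTED_ISSUERS, revoked=REVOKED_SERIALS):
    """Return the login name (the certificate's email address) or raise ValueError."""
    if now is None:
        now = time.time()
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn not in trusted:
        raise ValueError("issuer not in trust list: %r" % issuer_cn)
    if (issuer_cn, cert.get("serialNumber")) in revoked:
        raise ValueError("certificate revoked")
    # The TLS layer already checked validity; re-checking keeps this usable for
    # certificates obtained from other sources (e.g. an S/MIME signature).
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        raise ValueError("certificate outside validity period")
    # Prefer the subjectAltName rfc822Name; fall back to the legacy emailAddress RDN.
    emails = [v for k, v in cert.get("subjectAltName", ()) if k == "email"]
    if not emails:
        legacy = _rdn_value(cert.get("subject", ()), "emailAddress")
        if legacy:
            emails = [legacy]
    if len(emails) != 1:
        raise ValueError("certificate must carry exactly one email address")
    # Lower-cased so that one mailbox always maps to one account (an assumption).
    return emails[0].lower()


def reject_reason(cert, **kw):
    """Return None if the certificate is acceptable, otherwise the reason it is not."""
    try:
        username_from_cert(cert, **kw)
    except ValueError as exc:
        return str(exc)
    return None


def login(cert, accounts, **kw):
    """Map a verified client certificate to an account, creating it on first use."""
    username = username_from_cert(cert, **kw)
    created = username not in accounts
    if created:
        accounts[username] = {"email": username}  # nothing else stored, and no password
    return username, created
```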
Benefits
It’s obvious that the new scenario is much better than the old scenario from the user’s perspective. But from the server admin’s perspective it’s also better. No need to store passwords; the only thing which is stored is the email address. No more fake identities either. If an SSL certificate is stolen or found to be fake it can be revoked; passwords can’t be revoked.
Drawbacks
There are some drawbacks.
- No anonymity. You’re not anonymous anymore. Allowing logins/passwords will solve this problem.
- People need to get an SSL certificate. It’s free, but for ultimate security the identity of a person should be verified face to face. This problem could also be solved by also providing username/password logins.
- People need to carry their SSL keys with them. Smartcards could be a solution to this.
- You need to trust the CA’s or be your own CA (in the latter case people do need to sign up again).
Some minor problems
Websites do have to store a list of CA’s (Certificate Authorities) which they trust. The root certificate from CAcert is not yet shrink-wrapped with browsers and other software, so it has to be added manually.
Most Linux programs use their own certificate store (cert8.db, key3.db and secmod.db). This is really bad. It can be easily solved by symlinking all those files to ~/.sslcert/key3.db and such.
Example:
user1@node1:~$ find . -name key3.db
./.gnome2/epiphany/mozilla/epiphany/key3.db
./.mozilla/default/jv480jgt.slt/key3.db
./.mozilla/firefox/default.1fm/key3.db
./.evolution/key3.db
Conclusion
Client authentication using SSL can really improve the situation in which someone has to remember a login name and password for many websites, email and lots of other services. However, SSL logins won’t completely replace password logins.
About the Author
Daniel van Eeden is a 21 year old student living in the Netherlands. He also works on the Dutch translation of GNOME. His homepage is http://compukid.no-ip.org/.
SSO is a Good Thing (TM) for the corporate infrastructure where you have a trusted certificate source, and many many different interconnected systems.
> It is possible to easily provide worldwide single sing-on.
made me think of the Band Aid release….
I thought we already tried and discarded this idea 10 years ago. I note the author is working on Gnome, the same organization that pulled the each-folder-is-a-window metaphor (conveniently renamed to “spatial navigation”) from the heap of tried and discarded ideas.
IIRC, the reason this certificate idea was ultimately discarded was because even though there was a certificate authority (Verisign) involved, the identity of the user wasn’t really known for 100% certain.
But could this ever work in the real world? Let’s face it, companies can’t agree upon anything: VHS vs. Betamax, DVD-RW types, DRM formats. The only way this can work is if it is led by the consumer and presented to companies. Microsoft tried with their .NET sign-in system but people just don’t trust it, or want to use it. This includes developers, which is why very few websites use it (I can only think of Microsoft’s own site and eBay).
I also think it would be very hard to migrate people to the new system; sites would have to support two methods of registration until they could be sure everyone was moved to the new single sign-on system, for fear of losing customers. The new system would also have to be just as simple to use as the current one; carrying a smart card will just not work with everyday users. Now, perhaps if this smart card was tied into your driver’s licence or national insurance card, then people carry those around anyway.
The last but most important point is privacy. I don’t think I would feel comfortable with one central database knowing all of my movements on the internet.
Just my tuppence….
> What is authentication? Authentications is the act of figuring out who the person is that tries to access a system, an application or a website.
This sounds slightly wrong to my ears. Authentication means to verify that a person is who he claims to be, not to figure out what account he’s trying to login with.
Check out SAML, Security Assertions Markup Language, by OASIS! It aims to achieve exactly this.
An old Computerworld article explaining the concept can be found here:
http://www.computerworld.com/developmenttopics/development/webdev/s…
SAML 2.0 is about to be released soon.
http://xml.coverpages.org/ni2004-07-15-a.html
From the description SAML looks to be an open Passport ID system, where your authentication carries over to “affiliate” sites. The tech may see limited deployment but does not really impact my surfing habits.
PS. I agree spatial navigation is a horrible idea stolen from win95.
… and the Australia Taxation Office is using client certificates to authenticate businesses. See http://ato.gov.au/onlineservices/content.asp?doc=/content/36219.htm…
The ATO issues its own certificates to customers, which is how they can be trusted.
The problem with PKI is that CA’s do not do their job, which is to verify the identity of persons or businesses they issue certificates to. Just ask for a certificate, no question asked, just take the money and spit out a spanking new certificate that’s been generated in 20 milliseconds flat.
They are just happy to have their CA integrated into the main browsers so that no funny dialog pops up and the little padlock shows up.
The only service that is provided is encryption without authentication whatsoever.
For this, SSL with anonymous ciphers is more than enough, no need for a CA.
Sorry if slightly off-topic, but I had to vent this out. CA is such a shady business imho.
Now if there were a CA that did its job, then SSO would be closer to reality.
I think the Plan 9 authentication system gets too little attention. AFAICS, it can solve a lot of things.
Can you elaborate, please?
you can see more at:
http://cm.bell-labs.com/plan9dist/factotum.html
I use it daily to connect to POP3 and IMAP accounts, other Plan 9 file servers, SSH accounts, FTP accounts, and more. I don’t need to remember my passwords, so I can set up long and difficult to remember passwords; I store those passwords in secstored and recover them with factotum.
Factotum deals with auth protocols of each service.
MICROSOFT PASSPORT
😀
(laugh, it’s funny)
A website can have its own internal CA, and when someone requests an account, a PKCS#12 certificate is issued by the website CA and is delivered to the user by email. The user loads the certificate and its CA in their browser, and it’s ok.
Technically, with OpenSSL & Apache, it’s easy. And PKCS is supported by Mozilla AND Internet Explorer (and a few others, I think: Konqueror, Opera…).
I like the idea but people’s distrust in the IT industry to keep promises on the security front makes any similar idea very unlikely to succeed except if governments agree on a common compulsory standard.
Unfortunately this article only deals with the easy parts of Public Key Infrastructure.
If it was this simple, it would have been deployed a long time ago.
Good security in the end is dependent on how the system behaves under failure.
When PKI fails, it fails completely.
> the same organization that pulled the each-folder-is-a-window metaphor (conveniently renamed to “spatial navigation”) from the heap of tried and discarded ideas.
Nice cheapshot – you manage to disparage spatial file managers without actually giving any reason why it’s a bad idea. Bravo.
For any interested, I suggest you check into the Shibboleth project. Shib uses SAML, and provides high levels of privacy assurance and federated authorization. The “Liberty Alliance” and “Passport” projects are similar in nature. It seems Shib and Liberty Alliance may converge to some degree with the introduction of SAML 2.0.
http://shibboleth.internet2.edu/
For a basic website login, we may be able to use the one provided by Drupal.
http://drupal.org/
The Spread Firefox website also uses this. Once you have an account with any Drupal site, you can use that account with other Drupal sites.
I call it a Windows Domain using PKI certificates, with Services for Unix. Possibly an NDS connector here and there.
Uh, the so-called spatial navigation idea precedes Win95 by a long time. The very first Amiga OS had it, for example.
Personally I think it’s the best metaphor to use if you want an easy to understand, visual system.
What do you, or anyone else, think is wrong with it? If you think a single window system is better, explain *why*. They don’t afford drag’n’drop, for a start, one of the easiest to understand systems available for file manipulation on the modern desktop.
If you’re saying so out of some desire to appear “leeter than thou” then I think you’re in the wrong place. I don’t use drag’n’drop for anything but I don’t insist my parents should do everything from a shell if that’s not what they’re comfortable with.
.NET Passport and that Sun project (don’t recall the name) come to mind.
While single sign-on is nice, it only really works in an environment like a company LAN using Kerberos or similar.
Maybe with TCPA in place this could work, however, as then at least one could have the login info after the first login stored on the chip, so that as long as you’re working from the same computer you’re good to go. Basically I don’t trust a software solution for this as, like so many worms have shown, it’s all too easy to steal key files and so on…
When I worked at Northwest airlines, for example, I needed sign-ons for:
Windows NT Workstation and (perhaps?) Novell
MacOS Fileserver
Multiple Unisys TIP/HVTIP mainframe transaction systems
Multiple Unisys OS2200 mainframe demand sessions
TSO (IBM Mainframe)
PROFS/VM (IBM mainframe)
PARS session (IBM mainframe)
Multiple Solaris sign-ons
AIX sign-on for intranet web site I maintained
Problem Tracking System (in-house Mac application)
Dial-in system for remote support
I’m sure there are a few I’m forgetting.
Some of these had case-sensitive passwords, some didn’t. Some required passwords that were 7+ characters in length, some maxed out at six. Many were logins on legacy systems that were controlled by software which was completely local (and proprietary) to that system.
Standardizing all of those passwords would be a *tremendous* undertaking.
Yes, some form of standard user verification for various web sites and other TCP/IP-centric systems would be very useful, but for some it would only cover a very small percentage of the systems being accessed…
Not to be an OS X fanboy here.. but the OS X implementation of keychains seems to accomplish the same thing. I have 3 ‘keychains’ each with different passwords and timeout settings that store user/password for my POP/IMAP accounts, a variety of websites, SMB and AFP shares, and secure encrypted notes to myself. The system is well integrated with the OS and an app can easily tie into the system. Is this kinda what you mean?
sorry, didn’t read the whole thing.. not the same thing
…the identity thief’s best friend.
I use AI RoboForm… I thought it was spyware at first, packaged with the Maxthon browser, but tried it out and it works great. You can set it up so you have a master password, which unlocks a single click to log onto any sites you have saved; it also keeps notes and stuff. Has a feature for loading onto a USB key for when you’re out and about.
This of course means I’m a Windows user )-; (at least until I get fed up w/ Windows again and switch back)
Daniel, you did a great job on writing this article!
I have felt for some time now that PKI is the answer to the current authentication (and privacy, and spam-control) woes. You are right on with your argument. The crux of the problem is designating a trusted party or set of parties to issue certs and verify identities. The current system of CAs won’t suffice. There needs to be oversight, and the function needs to live outside of the IT industry. Possibly banking, possibly a government agency. The peanut gallery crows at such a suggestion, but relatively speaking, these are trusted entities, and there are significant controls placed on them to validate that trust.
To allow for anonymity in some situations, merchants et al. should be allowed to employ a lower trust level (e.g. simple username and password) as they wish. On the other hand, if a business is extremely paranoid over staff authentication, they can employ a higher trust level through an in-house SSO system.
I haven’t read enough about Shibboleth (mentioned earlier) to have formed an opinion on it, but at a glance it seems to be aimed at smaller trust circles.
I’m sorry but this is at best no more secure and at worst less secure. In order to perceive this as an improvement one needs to look at it from the perspective that the article seems to be written from.
1. All users have a static physical location.
2. All users have only one device they use to access data and information.
3. All users are using exactly the same software setup that the author is.
4. For a mobile user all devices moved to have the ability to use exactly the same variant of Smart Card.
5. Smart Cards cannot be lost/traced or otherwise used by an unauthorized individual. (Here, use my smart card, the password for it is 123456789, sorry it’s so long but the company requires a 9 digit password.)
6. All Sites the user ever goes to will always use the exact same scheme (“Why have you got so many jump keys?” “Oh this one is for my company, this one is the company I’m contracted to on tues and thurs, This one is for home, this one is for the company I go to once or twice a month ……. “)
7. Security won’t be enhanced by disallowing individuals to bring into the company “Non Authorized” jump keys. (Smart Card devices) Which is why the gal in #6 had so many different ones. Which she then had to mark with company name so she wouldn’t bring in the wrong one!
8. This assumes that SSL certs cannot be copied.
9. This assumes that a mechanism exists for ensuring that a user cannot login more than once from multiple locations. Preventing a stolen key from being used unknown to a user. (“Excuse me sir, I need to go home, I accidentally left my computer logged into the company web mail and no one is home to log me out. So I have to log out the box so I can get the mail here at the office containing the contract from “Acme Inc.”)
10. This assumes that the method of creating the SSL Certs is secure. (“Human factor again”)
No, the poster in the first comment was right. This is one of those old ideas that just won’t die. Reminds me though of a story my Grandfather told me. He did building maintenance at a bank (not a janitor). He was up at a VP’s office going through about 200 keys looking for the right one to unlock the office door.
V.P. ” Don’t you just have a master key”
GP ” Yes but that requires a signed letter from the Bank President to use.”
V.P. ” Why does it have to be so hard just to get my door opened and a new key made.”
GP ” If it was easy people would be losing their keys all the time, instead of making sure they don’t get lost.”
There is an applicable wisdom to that exchange. If you make it too easy, then its value decreases.
> I’m sorry but this is at best no more secure and at worst
> less secure. In order to perceive this as an improvement
> one needs to look at it from the perspective that the
> article seems to be written from.
>
> 1. All users have a static physical location.
> 2. All users have only one device they use to access data
> and information.
No, they should take their private key with them. This isn’t needed if a password/username style login is also allowed.
> 3. All users are using exactly the same software setup
> that the author is.
Why?
> 4. For a mobile user all devices moved to have the ability
> to use exactly the same variant of Smart Card.
Why? They could use cryptofs on a USB stick.
> 5. Smart Cards cannot be lost/traced or otherwise used by
> an unauthorized individual. (Here, use my smart card, the
> password for it is 123456789, sorry it’s so long but the
> company requires a 9 digit password.)
Not different to any other authentication system (except biometric systems).
> 6. All Sites the user ever goes to will always use the
> exact same scheme (“Why have you got so many jump keys?”
> “Oh this one is for my company, this one is the company
> I’m contracted to on tues and thurs, This one is for home,
> this one is for the company I go to once or twice a month
> ……. “)
This is not how it should be used.
> 7. Security won’t be enhanced by disallowing individuals
> to bring into the company “Non Authorized” jump keys.
> (Smart Card devices) Which is why the gal in #6 had so
> many different ones. Which she then had to mark with
> company name so she wouldn’t bring in the wrong one!
A private key shouldn’t be company specific.
> 8. This assumes that SSL certs cannot be copied.
That’s why they invented CRL’s
> 9. This assumes that a mechanism exists for ensuring that
> a user cannot login more than once from multiple
> locations. Preventing a stolen key from being used unknown
> to a user.
The system shouldn’t restrict the number of logins. But a notice or such would be nice.
> 10. This assumes that the method of creating the SSL Certs
> is secure. (“Human factor again”)
That’s the core business of the CA’s…
I agree 100%!
SSO can be emulated by using the same UN and PW for every place you go (if applicable). If you had your account info in one spot and it got hacked, what difference would it make if you used the same account info all around? Only “they” may not know what sites you have accounts at.
The “lost password?” link is my friend. I constantly make up new passwords and forget what they were because Firefox stores them for me.
In general Daniel’s article isn’t anything new. Security people have been talking about this nearly as long as PKI has been around.
> No, they should take their private key with them. This isn’t
> needed if a password/username style login is also allowed.
If allowing a password/username login is a valid alternative then you need to read up more on security as that would weaken the whole approach! It is much more secure for there to be “something you have” as well as “something you know” (one of the other principles is “something you are”, but until there’s biometric scanners on everyone’s PC we can ignore that for now). Something you have would be the private key. Both must be non-negotiable – allowing the option of just one dilutes the whole scheme.
But it would be a point of weakness if you have to transfer a private key around between machines. Smartcards are indeed about the only way this could be resolved. In fact on the theme about this being nothing new, have a read of http://www.theregister.co.uk/2004/11/22/bill_gates_password_protect… which also places on emphasis on biometrics. (Although, mistakenly, it seems to advocate replacing password security with keys and/or biometrics, as opposed to augmenting password security with them). But this certainly means having ubiquitous smart card readers on all computers – quite a hurdle to overcome in itself.
The main issue with single sign on (not sing-on!) is the single point of failure. Especially given how unfortunately a lot of people have been shown to be susceptible to social engineering and phishing etc. to reveal access, and virus writers keep compromising (primarily Windows) PCs allowing the ability to read any private keys and install keystroke loggers.
See http://www.theregister.co.uk/2004/11/26/social_engineering_security… That’s why having keys just sitting on PCs will never be the foundation of a secure single sign-on system. Single sign-on means placing so much trust in the system that a solution without a smartcard seems improbable.
If a hacker compromises that single system, then they have access to not just all bank accounts, but all manner of things that would allow identity theft. That’s also one of the big concerns people have about identity cards in the UK – too much trust will be placed in a system that can never be 100% reliable. Cracking the system means “winner takes all”.
Personally for SSH, I use different private keys on different systems. That also means if one ever got compromised, I don’t have to resecure every account I have.
> If an SSL certificate is stolen or found to be fake it can
> be revoked, passwords can’t be revoked.
Of course passwords can just as easily be revoked, given a suitable centralized infrastructure.
Nice cheapshot – you manage to disparage spatial file managers without actually giving any reason why it’s a bad idea.
And is that needed? No one cares to explain why the Win32 API is awful, either.
>No, they should take their private key with them. This isn’t needed if a password/username style login is also allowed.
This then exchanges multiple poor quality passwords (that are probably Identical) for a single poor quality one.
>> 3. All users are using exactly the same software setup
>> that the author is.
>Why?
Too many systems and software programs out there that just flat can’t do this. You’d be amazed just how many companies are running huge databases written in the mid to late 70’s (And they run very well too!) This is just one example. Given time I could come up with a lot more.
>> 4. For a mobile user all devices moved to have the ability
>> to use exactly the same variant of Smart Card.
>Why? They could use cryptofs on a USB stick.
This assumes the following.
1. The box / computer system to be accessed has USB.
2. The organization will allow you to take a USB key into it. Or out of it. I’ve worked in too many places where taking even a floppy into the company is a no-no. Then there is the Government. (Paranoia is an amazing thing.)
>> I’m contracted to on tues and thurs, This one is for home,
>> this one is for the company I go to once or twice a month
>> ……. “)
>This is not how it should be used.
We shouldn’t use the password “password” either, but it’s one of the most common. Just because it’s not what you intended doesn’t mean it won’t happen. I didn’t intend users to write their password on a sticky note on the bottom of their keyboard either. But danged if I didn’t find a whole bunch of them. Remember the Murphy axiom, “Anything not intended or planned for is the most likely event to occur.”
>> company name so she wouldn’t bring in the wrong one!
> A private key shouldn’t be company specific.
If it isn’t then you run into a trust problem. Do I trust that someone here has a key sufficiently reliable in the quality of its formation that I can trust it? (John has a 48-bit key, Mary has a 64-bit key, they have 128-bit ones and others have 256 and 1024 …. arrrghhh.) Then if Mary loses her key (the USB jump key died, she didn’t have a backup …. happens), who replaces it? Who generates it? Does she pay hundreds to Verisign?
>> 8. This assumes that SSL certs cannot be copied.
>That’s why they invented CRL’s
Which helps …. but doesn’t guarantee.
>> 10. This assumes that the method of creating the SSL Certs
>> is secure. (“Human factor again”)
>That’s the core business of the CA’s…
Let’s see, Cisco has about, oh well for round numbers 50,000 employees; at say a discount to 50 dollars a cert that is 2.5 million. Then with a 10% turnover rate… lost keys…. corrupt or compromised keys, figure another 500K annually to maintain….. plus having to hire an additional 3 admins (one per shift) just to maintain the infrastructure, at 70K a piece…. no wait … I’ve got 16 networks/cities … so more admins… Nope. The large companies will do their own due to cost … the small companies will do their own because they can’t meet the cost (they won’t get the discounts) and the middle size companies.. some will, some won’t use the CA’s …. Individuals. Hey, I don’t have 250 bucks to waste. (What do you mean you copied your MP3’s onto the jump drive!) Don’t think users won’t be constantly mucking up the drive. Then I have a true story about a Unix based video surveillance system. A bored security guard who liked games, and a Win98 install CD. (Never put CD-ROMs in that kind of comp, no matter what marketing says.)
Don’t get me wrong, I love the concept. I love the benefits. I don’t feel comfortable that it can be deployed in a way that offers security enhancement. I see it masking security problems. I hope I’m wrong. I fear I’m not. We’ll know it doesn’t work if the government starts using it.
What about a system where each website doesn’t store any personal information but instead subscribes to that information from the users?
Let’s say I have an internet persona “john @ milsson . nu”. This is my agent in my online transactions. To log in to a site I enter my persona id and the site requests authorization information from my personal information server. If I’m at home I can have a popup window requesting a password, or a software agent handling that so I don’t have to enter any password. If I’m at a friend’s house I will use my cellphone instead to authorize the transaction.
Now this only ensures safe transactions between me and other parties but no identity trust. In comes the web of trust. This particular persona (john @ milsson . nu) might be signed by various credit card companies, banks or other high profile entities so that my identity can be reasonably trusted.
… enough ranting, this is an old idea and some of it has diminished in my memory, sorry for that. If this is a reiteration of other ideas it’s because I wanted to post this before the thread dies.