Technology Exploration Project – M591
Authentication Registration and its Issues with Privacy
Introduction
In today’s world, there always seems to be news about breaches/loss of privacy and identity theft. In recent news, it was announced that personal data on over 25 million people has been lost (BBC News, 2007). This means anyone could get hold of this information and use it for a variety of attacks. So if even the Government does not seem capable of keeping personal/private data secure, how can we trust a company/organisation to protect our personal data?
A recent finding even showed that even if this information were recovered, an attacker who had a copy of it might decide to make use of it months or even years from now, which means damage can still be done using the personal information.
Most companies advertise their patented products to prove to consumers, amongst other reasons, that their systems are secure and that consumers’ data is therefore secure.
A patent can be said to be a grant of rights issued by the federal government, giving an inventor the sole right to use and/or sell an invention for a fixed period of time. Patenting a product or invention gives an inventor rights over the invention. This invention could be an idea, a new finding or a discovery. These rights issued to the inventor prevent others from ‘stealing’ or making use of this invention. Therefore, the owner of the patent can sue anyone who infringes the patent without authorization (Pressman, 2006, p.11).
Most companies file a lot of patents for their products. One reason for this is that a wide range of technology is often used to implement each product; therefore, each sub-category of a system will need to be patented to protect it from infringers.
AssureTec Systems Inc. and Authernative Inc. are two examples of companies that file a series of patents for their products. Both companies are manufacturers of authentication systems used to validate users’ identity.
AssureTec Systems Inc. is the maker of an ID authentication system for most identity documents, e.g. passports, driver’s licences, birth certificates etc. According to the AssureTec website (AssureTec, 2007a), the system is capable of identifying over 1600 (and growing) identity documents. This identity validation technology is being used worldwide in airports, seaports, immigration counters, car rental companies, other companies, etc. to verify the identity of its claimants.
The AssureTec authentication system is known as AssureID, which, when purchased, comes with an AssureID-capable document capture device. Although the software could have used a series of document capture devices on the market (e.g. the ID-1, ID-2 etc.), it was thought that manufacturing its own document capture device was more efficient, as the other document capture devices were “(i) not optimized for capturing images for forensic document examination through digital imaging techniques; or (ii) not optimized for speedy or easy processing to keep lines moving” (AssureTec, 2007b).
Authernative Inc. is the manufacturer of the software AuthGuard. The company helps to provide security solutions to a series of organisations ranging from financial institutions to health institutions, by providing secure access to resources and information needed within the organisation (Authernative, 2007a). AuthGuard is an authentication server, which securely authenticates users within a network. AuthGuard offers a range of authentication methods and options that allows one-factor, layered or multi-factor authentication (Authernative, 2007b).
Authentication Methods used by both Systems
AssureID authentication method
The AssureID software allows for the correct identification of an identity document of any kind. The software is capable of performing the necessary forensic and integrity checks (AssureTec, 2007c) to check the legitimacy of the document presented.
The system includes a document authentication library, which contains all the ‘knowledge’ (verification and authentication criteria) necessary for checking various attributes of an identification material.
AssureID emphasises the ability to verify any document, even if the method of verification is different for each of them. Below is a sample picture of various attributes of an identity card that can be verified.
The sample picture above shows the various built-in security attributes of a claimant’s identity that can be verified. AssureID is capable of checking the integrity of each of these methods, and even other methods, as it has its documentation library updated regularly.
A typical procedure on how a document would be verified using AssureID software with a document capture device is shown below.
The AssureID system is mostly based on human authentication factors. As a claimant will need to present a form of identification before any form of verification can take place within the system, the claimant presents ‘something they have’, which could be a passport, driver’s licence, National Insurance card etc. Also, the claimant might be asked a series of questions to establish the truth of the presented document; therefore, the claimant is also presenting ‘something they know’. For example, with passport identification, the claimant might be asked to confirm their date of birth, place of birth etc. The use of this two-factor authentication system increases the accuracy level of the verification process.
AuthGuard
As stated with the AssureID system, the use of a multi-factor authentication system increases the level of security of the system. However, with the AuthGuard system, this multi-factor authentication method is seen as a disadvantage. Multi-factor authentication becomes a disadvantage when the ease of use of the system is considered, as well as the cost of purchasing most of these multi-factor authentication systems, and how the system can be managed effectively. However, the key challenge that Authernative Inc. addresses is the fact that most multi-factor authentication systems do not provide flexible enough authentication options for different businesses and user requirements (Authernative, 2007b). AuthGuard is capable of providing multiple authentication methods, which means an organisation could employ different forms of authentication, and change its form of authentication when it needs to.
AuthGuard makes use of different authentication methods which include:
• The use of passwords
• Use of enhanced password (which could be encrypted passwords, which would require decrypting)
• The use of patented one-time challenge, one-time response (also known as challenge-response scheme)
• Use of next-generation out-of-band
• Mutual authentication
All the methods listed above can be used alone or in combination with each other. This allows the use of both single-factored authentication method and multi-factored authentication method.
How the Patents support the Authentication Methods
As stated earlier in the article, both AssureTec Inc. and Authernative Inc. file various patents for their systems.
For the AssureID system, there are 3 main patents that have been issued to AssureTec Inc. They include:
• Validation and verification apparatus and system
• Document and bearer verification method
• Apparatus and method for document reading and authentication
The concepts behind these patents are quite similar to each other; therefore, only one of them, the Document and bearer verification method patent, will be used in this analysis. In summary, the patent discloses an apparatus and a method for verifying the identity of applicants applying for documents, validating the authenticity of issued documents, and verifying the identity of bearers of documents by: obtaining information, including biometric information, from the applicants, the documents and/or their bearers; identifying which of a plurality of secure, remote databases contain the information needed to verify the obtained information; comparing the obtained information with information stored in the identified database(s) to verify the obtained information without disclosing database information to any persons; and providing an indication of whether or not the obtained information matches the information from the identified database(s). This is called trust authority verification, which will be the paradigm chosen as biometrics and authentication become routine, because of the privacy protection afforded to the bearer and to the data in the trust authority database (AssureTec, 2007d). A clearer analysis of this patent will be given later in the article.
As the AuthGuard system makes use of various authentication methods, a series of patents has been filed concerning each protocol involved. One of the most recent patents issued to Authernative Inc. is a US patent for a key conversion method for communication session encryption and authentication system. In abstract, the patent describes an interactive mutual authentication protocol, which does not allow shared secrets to pass through untrusted communication media and integrates an encryption key management system into the authentication protocol. The server encrypts a particular data random key by first veiling the particular data random key using a first conversion array seeded by a shared secret, and then encrypting the veiled particular data random key. The client decrypts and unveils the particular data random key using the shared secret, and returns a similarly veiled version of the particular data random key using a second conversion array seeded by a shared secret. Access to the shared secret indicates authenticity of the stations. The procedure may be repeated for a second shared secret for strong authentication, without allowing shared secrets to pass via untrusted media (United States Patent, 2007a).
With the issue of patents for these products, the technology and principles involved in the implementation of the systems are somewhat protected; however, this also means that the organisations have disclosed information about the system, thereby making the system vulnerable to security risks and attacks. Therefore, it is important that the patent addresses all potential security risks to the system, and is able to give the owner rights to sue anyone who trespasses on the patent.
The main authentication methods used by the AssureID system are ‘something you have’ and ‘something you know’. The first claim of the patent describes a method for verifying biometric and/or other information obtained from the claimant and the documents they presented, in order to verify the claimant’s identity and the validity of the documents presented. It also states that the privacy of the claimant is protected in this process, as the database used during this verification process is not revealed to any other individual.
Another claim in the patent is that information presented by the claimant is directly compared to a database which is directly linked to the source related to that of the information presented (United States Patent, 2007b). For example, if a birth certificate is submitted, the verification process would involve comparing the details given on the certificate (e.g. date of birth) with the national birth records to check for validity.
Although this might seem like a weak authentication process, other factors within the document presented are validated. These other methods of verification are presented in the other patents filed for the system. For example, the Apparatus and Method for Document Reading and Authentication patent claims partitioning the document into smaller segments containing pixels; the amount of correlation on each segment is then checked to detect any form of forgery or imitation (Google Patent Search, 2004). This form of verification outlines the stronger authentication part of the system, which means that getting away with the usage of a false document under this system is very unlikely.
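An added illustration of the segment check described above (not code from the patent or from AssureTec): it assumes a stored reference template for the document type, a Pearson correlation per 4x4 pixel segment and a 0.9 threshold, all chosen here for illustration, and runs on small constructed greyscale images.

```python
from math import sqrt


def pearson(a, b):
    """Pearson correlation of two equal-length pixel lists."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        # A flat segment has no structure to correlate: only an exact
        # copy counts as a match, anything else scores zero.
        return 1.0 if a == b else 0.0
    return cov / sqrt(var_a * var_b)


def segment_correlations(scan, reference, size):
    """Map each segment origin (row, col) to its scan/reference correlation."""
    if len(scan) != len(reference) or any(
        len(s) != len(r) for s, r in zip(scan, reference)
    ):
        raise ValueError("scan and reference must have the same dimensions")
    height, width = len(reference), len(reference[0])
    result = {}
    for top in range(0, height, size):
        for left in range(0, width, size):
            rows = range(top, min(top + size, height))
            cols = range(left, min(left + size, width))
            seg_scan = [scan[y][x] for y in rows for x in cols]
            seg_ref = [reference[y][x] for y in rows for x in cols]
            result[(top, left)] = pearson(seg_scan, seg_ref)
    return result


def suspicious_segments(scan, reference, size=4, threshold=0.9):
    """Origins of segments whose correlation falls below the threshold."""
    scores = segment_correlations(scan, reference, size)
    return sorted(origin for origin, r in scores.items() if r < threshold)


# Constructed sample data: an 8x8 reference template, a genuine scan that is
# merely darker (uniform brightness change), and a scan where one field
# (rows 4-7, columns 0-3) has been wiped and replaced by a flat patch.
REFERENCE = [[(x * 37 + y * 91) % 256 for x in range(8)] for y in range(8)]
GENUINE_SCAN = [[v // 2 + 20 for v in row] for row in REFERENCE]
TAMPERED_SCAN = [row[:] for row in GENUINE_SCAN]
for y in range(4, 8):
    for x in range(0, 4):
        TAMPERED_SCAN[y][x] = 200

if __name__ == "__main__":
    print("genuine :", suspicious_segments(GENUINE_SCAN, REFERENCE))
    print("tampered:", suspicious_segments(TAMPERED_SCAN, REFERENCE))
```

A wiped field produces a flat segment with no variance, which the code scores as 0.0 rather than dividing by zero; a uniform brightness change across the scan leaves every segment's correlation near 1.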
AuthGuard makes use of a series of authentication methods; however, the patent chosen for analysis focuses more on the mutual authentication method.
Mutual authentication involves two parties authenticating each other. In the case of the AuthGuard system, the client authenticates itself to the server, while the server does the same to the client.
In the patent, the two parties are referred to as two stations (as the parties could be a client to server, server to server, or client to client etc.). According to the claim, the authentication process happens in stages (United States Patent, 2007a):
At the first station:
A random data key is provided, which is disassembled and veiled (by forming a first conversion array seeded by a shared secret). This first conversion array is then encrypted to produce the first set of data, where the authenticity of the first station is determined by access to the shared secret. A message is then sent to the second station alongside the encrypted data key.
At the second station:
The data set is decrypted, and the data key is then disassembled and unveiled (thereby forming a second conversion array seeded by the shared secret). Then the second conversion array is encrypted to produce the second set of encrypted data, and a message is sent to the first station alongside the second data set; the authenticity of the second station is determined by access to the shared secret.
This process is then repeated at the first station; however, the version of the random data key is compared to see if it matches an expected version.
These processes are then continuously repeated.
This claim supports the fact that both ‘stations’ are constantly authenticating each other to verify each other’s identity.
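The exchange described above rests on each station proving access to a shared secret that never crosses the untrusted link. The following added example (not code from the patent, Authernative or the original article) shows that property with a standard HMAC-SHA256 challenge-response in place of the patent's veiling and conversion arrays; the Station class, message fields and role labels are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _tag(secret: bytes, role: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a role label and length-prefixed fields."""
    mac = hmac.new(secret, role, hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()


class Station:
    """One end of the exchange; holds the shared secret but never sends it."""

    def __init__(self, name: str, shared_secret: bytes):
        self.name = name.encode()
        self._secret = shared_secret
        self._nonce = b""
        self._peer = {}
        self.session_key = None

    def hello(self) -> dict:
        # First station: open with a fresh random challenge.
        self._nonce = secrets.token_bytes(16)
        return {"from": self.name, "nonce": self._nonce}

    def respond(self, hello: dict) -> dict:
        # Second station: answer the challenge and issue its own.
        self._peer = hello
        self._nonce = secrets.token_bytes(16)
        proof = _tag(self._secret, b"second", hello["nonce"], self._nonce,
                     hello["from"], self.name)
        return {"from": self.name, "nonce": self._nonce, "proof": proof}

    def confirm(self, response: dict) -> dict:
        # First station: check the second station's proof, then prove itself.
        fields = (self._nonce, response["nonce"], self.name, response["from"])
        if not hmac.compare_digest(_tag(self._secret, b"second", *fields),
                                   response["proof"]):
            raise PermissionError("second station does not hold the secret")
        self.session_key = _tag(self._secret, b"session", *fields)
        return {"proof": _tag(self._secret, b"first", *fields)}

    def finish(self, confirmation: dict) -> None:
        # Second station: check the first station's proof.
        fields = (self._peer["nonce"], self._nonce,
                  self._peer["from"], self.name)
        if not hmac.compare_digest(_tag(self._secret, b"first", *fields),
                                   confirmation["proof"]):
            raise PermissionError("first station does not hold the secret")
        self.session_key = _tag(self._secret, b"session", *fields)


def handshake(first: Station, second: Station):
    """Run the exchange; return (mutually_authenticated, messages_on_wire)."""
    wire = []
    try:
        wire.append(first.hello())
        wire.append(second.respond(wire[-1]))
        wire.append(first.confirm(wire[-1]))
        second.finish(wire[-1])
    except PermissionError:
        return False, wire
    return True, wire


def reflection_rejected(secret: bytes) -> bool:
    """Echoing the second station's own proof back to it must fail."""
    first, second = Station("client", secret), Station("server", secret)
    response = second.respond(first.hello())
    try:
        second.finish({"proof": response["proof"]})
    except PermissionError:
        return True
    return False
```

The role label inside each tag is what makes the two proofs distinct, so a party without the secret cannot pass by echoing back the proof it was just sent; fresh nonces on both sides keep a recorded exchange from being replayed.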
In the patent, there is also a claim that the system will involve the use of a data processing unit which will include a processor, a communication interface and memory for storing instructions for execution purposes. This means that as complicated as the authentication method (mutual authentication in this case) might appear to be, the ‘ingredients’ needed to perform the operations are provided.
To compare fully how the patents support the authentication methods used by each system, all the patents concerning each product would have to be looked at, as different patents are filed for various aspects of the system. However, from a brief overview of the patents, the AssureID patent appears to give a brief summary of how a document is authenticated, while the AuthGuard patent gives a detailed description of how the system will go about verifying the identity of a third party. The detailed and in-depth approach that AuthGuard took could serve as an advantage, as it means that more aspects or ‘corners’ of its system are protected in the patent, whereas with AssureID there are possible loopholes within the patent that an infringer or any other inventor might adopt for their authentication system.
However, this could also serve as an advantage for AssureID, as it means that it has not fully disclosed how the system carries out its authentication and verification process. This could mean that it is quite difficult for an infringer or third party to imitate or steal the invention.
Architecture of both Systems
The architecture of a product helps to give a clearer view of how the product works. Most inventors often include a diagram of the architecture of their idea in the patent application to help the patent examiner understand the system better.
The architecture of the AssureID system is shown below. From the AssureID patent, it is easy to assume that the system uses a centralised architecture.
However, from the architecture shown above, it could be said that the system makes use of a distributed architecture, although it could easily use a centralised architecture, as the library and other applications within the system could be on a central server. The use of the distributed architecture combines the use of both hierarchical and centralised architecture, which means it combines the advantages of both architectural types. The use of a distributed architecture means the workload across the system is shared, thereby reducing processing time for each task.
According to a demo on the system, it only takes a matter of seconds for the system to identify the type of document it is verifying.
Although the use of a distributed architecture has its advantages, it could also pose some possible privacy threats to the system. As different parts of the system are distributed across a network, a faulty part of the network might not completely stop the system from working, but it could cause a wrong verification of a document. For example, if there is a problem with the algorithms entered for the customer-specific application (i.e. where the user can alter the product to suit their needs), then the document verification process (which will still act as if it is verifying a document) may not correctly verify a document. This could lead to potential issues like issuing a visa to the wrong applicant, or even renting a car (in the case of a car hire company) to someone with a fake ID.
Also, the document verification process often involves comparing a document with a prototype, or comparing details on a document with a database; if an attack occurred during transit of this verification to the specific database, then personal data could fall into the wrong hands.
The architecture of the AuthGuard system is shown below. It uses a centralised architecture. The use of this architecture type means that every activity taking place in the network can be monitored from one single computer system (or location). This centralised architecture also means that data resources can be distributed across the network from one single location.
The architecture does not clearly show a centralised design, as there are different servers in the network, but it looks like they are all grouped together to work as part of a system. The centralised architecture also allows easier maintenance of security measures within the system, and makes it easier to perform updates/upgrades to the system.
However, if the central server is attacked, the whole system is in jeopardy, which can prove a very dangerous attack even if a backup of the system has been made, since once personal and sensitive information is in the wrong hands, any form of damage can be done.
Marketing Strategy
A wide range of marketing strategies is used by businesses to attract consumers. An organisation often tries to determine what the consumer will be looking for, assumes what the major problem in the consumer world is, and then tries to market its product to appeal to the end user.
With the AssureID system, AssureTec believes that there is a major issue with identity fraud/forgery; therefore, the release of a system that can verify the validity of a document/ID will be able to solve the problem.
The company does not stop at advertising the system; it goes further by giving a reason why the system is better than having a trained human professional authenticate an ID. It cites a study carried out by the United States Government Accountability Office comparing trained and qualified inspectors with the AssureTec system; according to the investigation, 18 out of 18 fake IDs were not recognisable by the inspectors, whereas the AssureTec system was able to identify all the fake IDs (AssureTec, 2007a).
With the AuthGuard system, Authernative believes that the growing expansion of technologies available in society today has increased the pressure around privacy issues and concerns, and has increased attacks on systems (Authernative Inc., 2007c).
This is why the system uses a wide range of authentication methods: to cater for a wide range of businesses, and to ensure adequate protection of a system.
Both systems, in their marketing strategy, stress their patented technologies to the consumer, not only to prove to the consumer that their system is protected, but also to give consumers the reassurance that their (the consumers’) privacy and personal data are also protected.
Identifying the Flaws
A lot of information about an individual will be needed in the database used for comparison.
A patent does not always fully implement all the claims it makes, but these claims are still protected until the patent expires, which might be an advantage for the inventor, but not necessarily for other inventors wishing to implement a similar idea. However, there are ways other inventors could go about it: they could reach an agreement with the patent owner, either to form a sort of partnership with the organisation or to buy the patent, or the patent owner could be kind enough to give the other party permission to make use of the invention.
With the AssureID system, it is not easy to identify a potential flaw in the system due to the various tests and claims made by AssureTec. However, a potential flaw in the system was discovered in the demo version: the way a document is placed on the reader could affect how the system reads and verifies the document.
Also, if there is wear and tear on the document being presented, the system can wrongly verify the document.
With the AuthGuard system, as it uses a wide range of authentication methods, flaws within the system are not easily identifiable. However, aspects of the system that use passwords (or single-factor authentication mode) are subject to issues like shoulder snooping, forgetting the passwords, etc.
Its two-way strong mutual authentication also protects the system from issues like phishing attacks.
With the AuthGuard system, it seems every possible way the system could be attacked has been addressed and resolved; however, some of its solutions are still patent-pending (which means there is a loophole present), for example, its out-of-band authentication technology.
Conclusion
The use of patents is to protect an idea or invention; however, as mentioned earlier in the article, a patented product does not always mean the idea or invention is protected, as patenting means revealing fundamental information about parts of the system. This means that another inventor could imitate the idea for their invention (this can be done by waiting for the patent on the said product to run out), or an attacker could use substantial information about the invention to find loopholes and flaws within the system, and use this as a primary target or foundation to attack the system.
The question that still remains is this: although we are continuously trying to protect sensitive information about us, and a lot of companies like AssureTec Inc. and Authernative Inc. claim that they can help protect and secure our private and sensitive data, if the government has managed to ‘misplace’ sensitive and very crucial data concerning over 25 million of us, is there really any point in protecting our so-called personal data anymore, as anyone could be withholding this data for malicious use at any time? Also, patent or no patent, how sure can we be that our data is as protected as it ought to be?
REFERENCES
Answers.com. (2007). Patent. [Electronic version]. Retrieved 23rd November 2007 from:
http://www.answers.com/patent&r=67
AssureTec. (2007a). Home at AssureTec Automated ID Document Authentication and Verification Systems. Retrieved 23rd November 2007 from:
http://www.AssureTec.com
AssureTec. (2007b). AssureTec Hardware. Retrieved 24th November 2007 from:
http://www.AssureTec.com/index.php/products/hardware-new/
AssureTec. (2007c). AssureTec Software. Retrieved 25th November 2007 from:
http://www.Assuretec.com/index.php/products/software/
AssureTec. (2007d). Intellectual Property. Retrieved 26th November 2007 from:
http://www.Assuretec.com/index.php/about/patents/
Authernative Inc. (2007a). Solutions Overview. Retrieved 24th November 2007 from:
http://www.authernative.com/SolutionsOverview.shtml
Authernative Inc. (2007b). AuthGuard. Retrieved 24th November 2007 from:
http://www.authernative.com/AuthGuard.shtml
Authernative Inc. (2007c). Market Trends. Retrieved 26th November 2007 from:
http://www.authernative.com/MarketTrends.shtml
Find Biometrics. (2005). Benchmark Technology Group Introduces a New ID Reader Option for the AssureID Document Authentication Solution. Retrieved 25th November 2007 from:
http://www.findbiometrics.com/viewnews.php?id=2761
Google Patent Search. (2004). Apparatus and Method for Document Reading and Authentication. Retrieved 26th November 2007 from:
http://www.google.co.uk/patents?id=i0wSAAAAEBAJ&dq=““AssureTec”“
Jaffe, A.B, Tratjenberg, M, Henderson, R. (2002). Geographic Localization of Knowledge Spillovers as Evidenced by Patent Citations. In Patents, Citations and Innovation: A Window on the Knowledge Economy (pp. 155-158). Massachusetts: MIT press
Patent storm. (2004). Apparatus and method for document reading and authentication. Retrieved 25th November from:
http://www.patentstorm.us/patents/6785405-description.html
Pressman, D. (2006). Nolo’s Patents for Beginners (5th edition). [Electronic version]. California: Nolo.
Six more data discs are missing. (2007). Retrieved 25th November from the BBC news website:
http://news.bbc.co.uk/1/hi/uk_politics/7111056.stm
Stim, R. (2007). Patent, Copyright & Trademark: An Intellectual Property Desk Reference (9th ed.). USA: NOLO.
United States Patent. (2007a). Key conversion method for communication session encryption and authentication system. Retrieved 26th November 2007 from:
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PTXT&s1=mizrah.INNM.&OS=IN/mizrah&RS=IN/mizrah
United States Patent. (2007b). Document and Bearer Verification System. Retrieved 26th November 2007 from:
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=7003669.PN.&OS=PN/7003669&RS=PN/7003669