Technology Exploration Project – M591
Patents and Authentication: Does revealing the authentication process make it less secure?
This article aims to review and dissect two different authentication solutions which are commercially available, and to look in detail at the patented theories, hardware and software that drive them. These products are AuthGuard created by Authernative, and BioPassword Enterprise Edition created by BioPassword. Before these products and their patents may be explored, it must first be clarified what a patent actually is, and why people apply for them.
Overview of patents.
In basic terms, a patent exclusively binds a unique process, machine, article of manufacture or composition of matter to an individual or company (Wikipedia, 2007). This means that if a patent has been issued on one of the above factors, only the owner of the patent is allowed to use, create or follow the methods covered by the patent. Owners of patents are backed up by the law, and will almost certainly be able to successfully sue anyone who blatantly ‘copies’ ideas included in the patent. Patents only last for a set amount of time depending on their type; this is usually 20 years (Wikipedia, 2007). It does cost money to apply for and maintain a patent; however, compared to the cost of rival companies being able to copy and sell your products, it can be a relatively small fee.
At a glance patents seem ideal for anyone who wishes to protect their inventions from the public, however in this sense there is a major and almost ironic drawback. Any successful patent is freely available for the public to view. This includes in depth descriptions of the ideas and methods used in the protected invention. This is a problem in terms of authentication systems, as it gives potential attackers an insight on how the system works, and may highlight potential weaknesses.
In broad terms, AuthGuard is a range of different authentication protocols all combined into one. The AuthGuard authentication solution was the first to pioneer a Versatile Authentication Server (or VAS) (Finextra, 2007a). This VAS includes many different open source and privately owned authentication methods such as passwords, enhanced passwords, patented one-time challenge, one-time response, out of band and strong mutual authentication (Authernative, 2007). With such a range of different authentication methods supported, the VAS allows for many different levels of security. This could be a simple password to allow a user to view non-important data, or layered multi-factor authentication for a system admin.
Advanced Authentication
AuthGuard tries to bypass the two main problems with standard passwords: the need to remember them, and their low security levels. It achieves this by not using the standard blank text box for password entry. Instead, virtual menus, a virtual keyboard and shared secret images are displayed on screen (Authernative, 2007). These are all devices to help the user remember their password. Furthermore, instead of asking for the whole shared secret, or password, the system only ever asks for a random, session-only subset (Authernative, 2007).
Out of Band Authentication
Authernative currently have a patent pending for their out of band authentication procedure. The simple idea is that authentication information is split and carried over multiple different communication mediums or protocols (Authernative, 2007).
Back End Encryption
Each time a user successfully logs on via AuthGuard, they receive a random, one session only symmetric encryption key. This key encrypts and decrypts any information sent or received by the user. Once the session has ended the key is discarded (Authernative, 2007).
EP1434408: Authentication System and Method Based upon Random Partial Pattern Recognition
Patent EP1434408 is based on only using parts of a password or shared secret to authenticate a user (Finextra, 2007a), and is very closely linked with AuthGuard’s previously mentioned “advanced authentication”. Partial password recognition has been around for a while; many online banks use it as a secondary authentication method, asking for certain letters or numbers of a password. It is the various algorithms behind Authernative’s partial pattern recognition that secured the patent, but a simple example can be used to explain the basic idea. A user trying to log on to a system could be shown a photograph containing three people they know. The user would be asked to name the person in the middle. If the person is named successfully, the user is logged in and can use the system as required. However, next time they log in they may be asked to name the person on the right. This would require a different answer, yet it is still using the same shared secret (the photograph).
The main feature of the patent is the new algorithm for Random Partial Digitized Path Recognition (RPDPR) (PatentStorm, 2006). To gain access to a system, the user first identifies who they are. This can take many forms, from a simple user name to a biometric scan of some sort. Once the system knows which user is trying to gain access, it supplies them with a hint. The user then enters the information required, using the hint to help them.
The full shared secret consists of a set of data fields, which store parameters that specify a digitized path on a reference grid for recognition. A random subset of this shared secret is used for each log on (PatentStorm, 2006). The VAS stores an ordered set of these data fields. The contents of these fields contain coordinates of points on a digitized path on a frame of reference (PatentStorm, 2006). The server asks for a user input, relating to the given clue. The contents displayed on the log on screen will aid the user in remembering the required input.
Security Features This Adds to AuthGuard
The patent is an authentication method that is basically an alternative to a standard username and password log in; as such, the added security features will be compared to one.
Firstly the patent involves mutual authentication. Mutual authentication is where the user authenticates with the system, but the system also authenticates to the user. This occurs in the patent as the server supplies clues in various graphical and text formats. These clues are related to the shared secret between the user and the server. As only the server and user know these clues, it makes phishing far more difficult as someone impersonating the server will not know which clues to give out. Phishing with a standard user name and password log in is relatively simple as the user has little or no proof that they are talking to the log in server, and not someone impersonating the server.
Brute force and dictionary attacks are also useless against the patented authentication system. There are two main features of AuthGuard which prevent this. Firstly, shared secret information is not always entered into the system via a standard keyboard/textbox input. There are different graphical inputs and virtual menus displayed on screen. It would be extremely difficult to create a program to analyse what type of input is required, and to then take a guess at the shared secret. Furthermore, it is a random portion of the shared secret that is required each time. This makes the system virtually immune to dictionary and brute force attacks. Standard passwords, on the other hand, are extremely vulnerable to these types of attack. People have a tendency to pick simple passwords as they are easy to remember; this in turn makes them easier to crack.
Another attack that this patent helps fight is shoulder surfing (PatentStorm, 2006). This is where an attacker literally watches a user enter their information into a PC. Traditional password systems fail here as once a password is compromised, it is useless. AuthGuard, however, has a certain immunity to shoulder surfing. This again is due to only a portion of the shared secret being required. Even if an attacker managed to successfully acquire all information of a user logging in, they would require the server asking for exactly the same portion of the shared secret.
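A simplified sketch of the random-subset check described above, added here as an illustration; it is not Authernative's algorithm or code from the patent, and the path, subset size and function names are assumptions. It also measures what fraction of possible challenges an observer could answer after watching a given set of logins, which bounds the shoulder-surfing protection.

```python
import hmac
import secrets
from itertools import combinations

# Constructed shared secret: an ordered path of (x, y) points on a reference grid.
PATH = [(1, 1), (2, 1), (3, 2), (3, 3), (4, 4), (5, 4)]
SUBSET_SIZE = 3  # assumed number of fields requested per login


def new_challenge(path_len=len(PATH), k=SUBSET_SIZE):
    """Pick a random, session-only subset of field positions (sorted)."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(path_len), k)))


def encode(points):
    """Serialise points so two answers can be compared as byte strings."""
    return ";".join(f"{x},{y}" for x, y in points).encode()


def verify(challenge, response, path=PATH):
    """Check the user's points for the challenged positions in constant time."""
    expected = encode(path[i] for i in challenge)
    return hmac.compare_digest(expected, encode(response))


def observer_coverage(observed_challenges, path_len=len(PATH), k=SUBSET_SIZE):
    """Fraction of all possible challenges answerable from observed logins.

    An observer who watched several sessions knows every position that was
    ever requested, so any challenge drawn only from those positions is
    answerable even if that exact subset was never seen.
    """
    known = set()
    for ch in observed_challenges:
        known.update(ch)
    total = answerable = 0
    for ch in combinations(range(path_len), k):
        total += 1
        answerable += set(ch) <= known
    return answerable / total


if __name__ == "__main__":
    ch = new_challenge()
    print("challenge positions:", ch)
    print("correct answer accepted:", verify(ch, [PATH[i] for i in ch]))
    print("coverage after 1 login:", observer_coverage([(0, 1, 2)]))
    print("coverage after 2 logins:", observer_coverage([(0, 1, 2), (2, 3, 4)]))
```

With these constructed parameters one observed login covers 1 of the 20 possible challenges, but two logins that together reveal five of the six positions already cover half of them, so the protection depends on the secret being long relative to the subset requested.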
Key logging is also a large problem for traditional passwords. Key loggers come in two main forms, hardware and software. Hardware key loggers are small devices that can be physically attached between a keyboard and a PC. Software key loggers are programs that can be installed on a system manually, or by a virus. Both forms of key loggers record what keyboard inputs are made. These logs can then be analysed and passwords picked out. Key loggers bypass encryption problems as they are looking directly at keyboard inputs. AuthGuard protects against this as many of the inputs required are not entered via a keyboard. Onscreen virtual menus and keyboards mean that monitoring the keyboard itself to access information before encryption will be useless.
The weaknesses and threats of AuthGuard.
It is extremely tough to list the weaknesses and threats of the AuthGuard authentication system. This is primarily because AuthGuard utilises many different protocols, each of which protects against the threats and weaknesses of the others.
AuthGuard is also being continually updated with many patents pending. A new patent was granted, #7,299,356, on November 26th, 2007 (Finextra, 2007b) which further enhances the single-session symmetric key protocol which AuthGuard utilises.
AuthGuard is aimed primarily at large scale businesses and organisations. Authernative have realised that no single authentication method is completely secure. As such they have combined many open source and private authentication methods into a single authentication server. They have aimed to create great flexibility to allow any balance of security and usability required.
BioPassword aims to strengthen the standard username and password log in by adding an additional factor, keystroke analysis. The username and password are authenticated as usual, but keystroke dynamics are also recorded. The keystroke dynamics used by BioPassword are the dwell time and the flight time. These are the amount of time a key is held down for, and the amount of time it takes the user to press certain keys (BioPassword, 2007b).
Initially a template is created from the user’s typing habits. Once finished, this template is stored on the server along with the user’s password. Each time a user tries to log in, both the password and keystroke template are checked. If the keystroke template is not within a reasonable error margin, the user is not authenticated (BioPassword, 2007a).
BioPassword adds an additional authentication factor without adding further complexity from the user’s point of view.
4,805,222: Method and apparatus for verifying an individual's identity.
Patent 4,805,222 is used as the backbone for BioPassword. This patent is relatively simple when compared to the Authernative patent explained above. However, its simplicity is one of the benefits. The patent simply records keystroke timings taken when a user types a passage of text on a keyboard, and then compares it to a known template (PatentStorm, 1989).
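A minimal sketch of the enrol-and-compare flow described above, added here as an illustration; it is not BioPassword's algorithm or the patent's method. The z-score distance, the 5 ms deviation floor, the threshold and all sample timings are assumptions constructed for the example.

```python
from statistics import mean, stdev

# Constructed key events for typing "pass": (key, press_ms, release_ms).
ENROLL = [
    [("p", 0, 90), ("a", 150, 230), ("s", 300, 395), ("s", 460, 550)],
    [("p", 0, 95), ("a", 160, 245), ("s", 310, 400), ("s", 470, 565)],
    [("p", 0, 85), ("a", 145, 225), ("s", 290, 380), ("s", 455, 540)],
]
GENUINE = [("p", 0, 88), ("a", 152, 236), ("s", 304, 396), ("s", 462, 553)]
IMPOSTOR = [("p", 0, 140), ("a", 320, 450), ("s", 700, 850), ("s", 1000, 1130)]


def features(events):
    """Dwell time per key, then flight time between consecutive keys (ms)."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Build a template: per-feature mean and standard deviation."""
    columns = zip(*(features(s) for s in samples))
    # Floor the deviation at 5 ms so a very consistent typist is not
    # rejected for millisecond-level jitter (assumed tuning value).
    return [(mean(c), max(stdev(c), 5.0)) for c in columns]


def score(template, events):
    """Mean absolute z-score of an attempt against the template."""
    feats = features(events)
    if len(feats) != len(template):
        return float("inf")  # different number of keys: cannot match
    return mean(abs(f - m) / s for f, (m, s) in zip(feats, template))


def authenticate(template, events, password_ok, threshold=2.0):
    """Both factors must pass: the password and the typing rhythm."""
    return password_ok and score(template, events) <= threshold


if __name__ == "__main__":
    template = enroll(ENROLL)
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        result = authenticate(template, attempt, password_ok=True)
        print(name, round(score(template, attempt), 2), result)
```

The threshold is the "reasonable error margin" from the text: raising it admits more impostors, lowering it rejects more genuine users whose rhythm has drifted.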
Security features this adds to BioPassword
The first obvious security benefit over standard passwords is that a second factor is taken into consideration. This makes brute force and dictionary attacks useless as keystroke dynamics are not emulated with those attacks. The keystroke analysis also makes shoulder surfing redundant as the attacker will only gain the password factor of the authentication. The keystroke analysis will be able to distinguish between the genuine user and an attacker who knows the user’s log in information.
Threats to the patent, and BioPassword as a whole authentication system.
Relatively few people questioned were able to think of any threats that could defeat the patented system. These people were however general members of the public. It is highly likely that a potential imposter would have at least a basic knowledge of various authentication bypasses.
There are two main threats which the patent and indeed whole software package does not protect against. The first of these is key loggers. As previously mentioned in this article, key loggers can be software or hardware devices that record keystrokes. The more advanced key loggers can also record the timings between keystrokes and the duration which certain keys are held down for. This means that a key logger alone could render the whole authentication system useless.
Secondly there is no mutual authentication and as such, no protection against phishing attacks. A user could be tricked into logging onto a fake server. The user would send their password and keystroke timings to the impersonating server, allowing the imposter to view and re-send the data to the real server.
Weaknesses of the patent, and BioPassword as a whole authentication system.
BioPassword is very accurate. I was unable to match any of the demo profiles given by BioPassword, nor were any of the people who were questioned. In fact out of the 12292 people who have tested the online profile, 0% were a perfect match, 3% were suspect, which in turn would alert an administrator.
There is one blindingly obvious weakness with the patent and system as a whole, which 88% of people who took part in the questionnaire immediately established. The weakness is not being able to re-create your normal keystroke dynamics. For general usage it has been found that the system is very accurate, allowing genuine users to log on first time without having to re-type their password. Hand injuries can greatly change the way a user types. If this is a long lasting injury then the user’s profile can just be updated and slowly merged back to their original profile as their hand returns to normal condition. However, just a small cut on a finger can drastically change the way a user types, and only for a very short period of time. It would not be feasible to create a new keystroke profile each time a user sustained a paper cut.
BioPassword also fails to counter the problem of simple passwords. People generally pick simple, easy to remember passwords, or write complex passwords down. Both of these situations greatly compromise one of the authentication protocols which BioPassword implements. In the event of this happening, BioPassword becomes a single factor authentication system.
BioPassword Enterprise Edition, as its name suggests, aims itself toward any organisation or business which utilises a computer network of any form and size. However, due to threats and weaknesses mentioned in this article I would not expect any large scale organisation to purchase the BioPassword authentication solution. The more people there are that log into a BioPassword protected server, the greater the chance there is of a user being unable to replicate their usual typing habits. It would require large scale administration and regular alterations to ensure all legitimate users could authenticate securely. This, combined with its weakness to multiple threats, makes the product only feasible for small scale organisations which are protecting relatively ‘cheap’ and impersonal data.
Conclusion
Now that patents in general, the products, and their authentication processes have been described, the title of this article may be answered. The question was “Does revealing the authentication process make it less secure?” and the basic one word answer is yes. The more a person knows about an authentication system, the more they will be able to try and expand on potential weaknesses. However the ideal authentication system should be secure even if the workings and processes are fully known. It is likely that any serious attackers will personally analyse and dissect authentication protocols to exploit certain weaknesses. Furthermore the patents registered in the area of authentication are generally methods and processes, rather than an entire program. The commercially sold programs analysed in this article utilise the patents listed, but consist of far more interior processes and workings which are not patented and freely available. Understanding the workings of a patented idea does not mean the attacker fully understands how the program as a whole works.
The fact that publicly available information slightly increases a product’s weaknesses leads to a further question: why do companies patent their authentication methods if it decreases their effectiveness? The simple answer is money. Patents restrict other companies from using known ideas and selling them with their own products. If this happens, rival companies have a chance of taking a share of the market which would be inaccessible if the idea was patented.
With the need for global networking ever increasing, secure authentication is an extremely valuable research area. Companies spend millions of pounds on researching new theories and protocols. As such, they do not wish other companies to be able to utilise their expensive research for free.
References
Information used to generate this article was referenced from the list below.
Authernative. (2007). AuthGuard. Retrieved November 24th, 2007, from http://www.authernative.com/AuthGuard.shtml
BioPassword. (2007a). Enterprise and network authentication. Retrieved November 24th, 2007, from http://www.biopassword.com/network-authentication-definition.php
BioPassword. (2007b). Keystroke dynamics science and technology from BioPassword. Retrieved November 24th, 2007, from http://www.biopassword.com/keystroke-dynamics-science.php
Finextra. (2007a). Authernative receives European patent for authentication method. Retrieved November 24th, 2007, from http://www.finextra.com/fullpr.asp?id=13300
Finextra. (2007b). Authernative gets US patent for key conversion method for encryption and authentication. Retrieved November 26th, 2007, from http://www.finextra.com/fullpr.asp?id=18621
PatentStorm. (2006). Authentication system and method based upon random partial digitized path recognition. Retrieved November 25th, 2007, from http://www.patentstorm.us/patents/7073067-description.html
PatentStorm. (1989). Method and apparatus for verifying an individual’s identity. Retrieved November 25th, 2007, from http://www.patentstorm.us/patents/4805222-description.html
Wikipedia. (2007). Patent. Retrieved November 24th, 2007, from http://en.wikipedia.org/wiki/Patent
Appendix
A simple questionnaire was carried out to find out people’s knowledge and view on patents and authentication systems.
Number of people who took part: 24

This was an interesting result. It seems that most people believe that a single, highly secure authentication protocol will be better than multiple ones. This is only true if looking at the problem from a usability point of view.

Most people immediately saw a problem with hand injuries directly affecting typing patterns.

Few people knew about keyloggers. However it is likely that an attacker would know of these tools.
The following graphs show my attempts at matching someone else’s BioPassword profile.

This is my initial attempt. The accepted typing pattern is shown by the thick yellow line. My typing pattern is shown by the red line.

Even after viewing the accepted pattern, this was the best I could achieve.

This graph shows that 3% of users manage to vaguely match a profile, whereas 0% have managed to match a profile yet. This is out of over 12000 people.