Technology Exploration Project – M591

A Comparison of Grid Data Security and Defiance Data Protection


Introduction


The technologies involved with data security are constantly evolving and being improved upon. Two of these technologies that have received patents will be discussed in this article. The first of the two products using the patents is Grid from Grid Data Security Inc., a one-time password system that provides the user with a clickable interface in which to enter their one-time password (Patent number: 7143440) (Grid Data Security, n.d.). The second is the Defiance Data Protection System from Protegrity; the patent used in this product covers the combination of hardware and software methods to encrypt databases (Patent number: 6963980) (Encryption - Protegrity, n.d.). In the following paragraphs I will discuss the patents used in each system and the way they are used; any known attacks on each system; the known and potential effects on personal privacy if one of the systems is attacked successfully; and the commercial strategy that each company uses to sell its system.

Logos Picture


The Patents


The patent that is relevant to Grid is titled "User authentication system and method" (Patent number: 7143440). It is an adaptation and development of the ever more popular One Time Password (OTP) method, in which a user uses a different password each time they log in. Most of the currently available OTP systems use a similar or even identical protocol. As part of the login process, the server sends the user a "challenge", which may be in the form of a randomly generated number, or may be something significantly more complicated. When the user receives this "challenge" they enter it into the corresponding OTP generator, which may be a physical hand-held device or a piece of software, and which generates the OTP to be returned. The server follows the same process and compares the entered password to the one generated server-side; if they match, the user is authenticated (RFC 2290 - A One-Time Password System, 1998). To complicate or improve the method slightly, in cases where the same password generation method is used for all users, some users are given a separate key to further encrypt/decrypt the password. This key is also known to the server and is associated with the specific user, allowing the server to fully authenticate a transaction. The way that Grid alters this is that it provides the user with an interface that allows them to disguise the passwords they already use, ones that are not already part of an OTP system. It does this by showing the user a graphical keyboard with a number in each of the four corners of every key (Grid Data Security, n.d.).

Grid Picture 2


Upon configuration, the user can select the sensitive region of the key.


Grid Picture 1


When the user enters their password, they click on the letters of the password in the correct order. The software then enters the number that is in the sensitive region of each key. The user can also type this number in, or use the provided keypad, for even more security.


Grid Picture 3


The numbers in the corners of the keys are randomly generated, and the software decodes them each time to produce the password for the application that requires it.

In the case of Protegrity's Defiance Data Security suite, the patent used is titled "Combined hardware and software based encryption of databases" (Patent number: 6963980) and, as the title suggests, it uses a combination of hardware and software to encrypt information stored in a database. To protect information stored within a database, a commonly used method is to store the sensitive data in the database in encrypted form. To access that data it needs to be decrypted, and doing so requires knowledge of the encryption algorithm used. The most efficient method of encrypting data in a database is known as a granular method, which means that only specifically sensitive data is encrypted, rather than the whole content (Encryption - Protegrity, n.d.). The most commonly used method of deciding where to use encryption is based on basic factors such as the column in which the data resides within the database. This also makes it possible to encrypt different columns with different algorithms, allowing for different levels of access within the same system. To carry out these encryption methods, the encryption process is performed within tamper-proof hardware, which protects the algorithms and keys and results in strong encryption. However, when encrypting small blocks of data, the hardware may experience performance issues due to the amount of overhead required for processing each individual encryption (Encryption - Protegrity, n.d.).

Defiance counters this problem by providing a method and a system for improving the required flexibility and improving the overall performance of encrypting data in a database. It does this by allowing the user to apply a different method of encryption (software or hardware) based upon the required performance, security and access level of the data being encrypted. The hardware device provides strong encryption without exposing the key to anything external to the device, but it lacks performance when it encounters many small pieces of data. This is resolved by using software in these cases, which provides higher-performance encryption/decryption, but at the expense of a lower level of security.

The system allows the user to specify which elements of the database they wish to use with each method, and allows them to change it based on possible threats and weaknesses.
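As an added illustration of the column-level choice just described (this is not Protegrity's code), the following Python model routes each sensitive column of a row either to a simulated tamper-proof device, whose key never leaves it and whose every call is counted to stand in for the per-operation overhead, or to a software backend whose key sits in process memory. The cipher shared by both backends is a stand-in (HMAC-SHA256 keystream XOR with a fresh nonce per value) because the page does not describe the product's algorithms; the column names and the policy table are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added illustration of Defiance's column-level hardware/software choice (not Protegrity's code).
# The cipher is a stand-in (HMAC-SHA256 keystream XOR, fresh nonce per value), not the product's.
def _keystream_xor(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class SoftwareEncryptor:
    """Key held in process memory: fast for many small values, but exposed with the software package."""
    def __init__(self, key):
        self.key = key
    def encrypt(self, data):
        nonce = os.urandom(16)
        return nonce + _keystream_xor(self.key, nonce, data)
    def decrypt(self, blob):
        return _keystream_xor(self.key, blob[:16], blob[16:])

class HardwareEncryptor:
    """Simulated tamper-proof device: the key is generated inside and never leaves; every call
    is counted to stand in for the per-operation overhead the page describes."""
    def __init__(self):
        self.__key = os.urandom(32)
        self.calls = 0
    def encrypt(self, data):
        self.calls += 1
        nonce = os.urandom(16)
        return nonce + _keystream_xor(self.__key, nonce, data)
    def decrypt(self, blob):
        self.calls += 1
        return _keystream_xor(self.__key, blob[:16], blob[16:])

class ColumnPolicy:
    """Granular encryption: each sensitive column maps to a backend; other columns stay in the clear."""
    def __init__(self, policy):
        self.policy = policy
    def encrypt_row(self, row):
        return {c: self.policy[c].encrypt(v.encode()) if c in self.policy else v for c, v in row.items()}
    def decrypt_row(self, row):
        return {c: self.policy[c].decrypt(v).decode() if c in self.policy else v for c, v in row.items()}
```

Moving a column between the two backends is a one-line change to the policy table, which is the flexibility the patent claims; the counter on the hardware backend makes visible how many device round trips a row costs.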


DPS Picture 1


Since these patents are in slightly different fields, there is not much comparison that can be made between them. However, both offer the user different levels of security over their encryption methods. Grid allows the user to select an optional modifier to further "muddle" the password and make it harder for an attacker to distinguish the password. Defiance however offers the user the option of hardware or software encryption, and then a choice of algorithm (for the software) for different sensitivities of data. This allows the user some freedom as to which method they will use, and which method they feel is safest for their purpose.

Possible Attacks on Each System


Any system where authentication exists involves a risk of attack; some attacks may not be as obvious as others, but they definitely exist.

Because Grid is a variation of an OTP method, it is considered to be impervious to attacks that can be carried out on reusable password systems, such as brute force, dictionary attacks, monitoring network traffic, "shoulder surfing" (looking over a user's shoulder during login), key logging (storing or conveying a user's keystrokes during login), etc. However, the claim that it is immune to shoulder surfing is not necessarily true. If an attacker was knowledgeable about the way Grid operates and was looking over the shoulder of a user, they could possibly determine the password and the sensitive region of the key (by watching which letters the user clicks and seeing the resulting numbers). One type of attack that OTP systems are susceptible to is known as a race attack. It is possible for an attacker to listen to the majority of a one-time password, then guess the remainder and race the user to complete the authentication. For example, if the challenge is six characters and the attacker gains knowledge of the first five, and the attacker gets the chance to try multiple combinations, it is possible they will successfully guess the correct one. One possible defence against this type of attack is to prevent a user from starting multiple sessions with the authenticating service. This also requires that a time-out is implemented, to eliminate the possibility of Denial of Service (DoS) attacks. As far as I have been made aware, this is not taken into consideration for Grid, and if an attacker could remotely gain access to the software on the user's computer, they could theoretically guess the rest of the password.
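As an added illustration (not Grid Data Security's code) of the scheme described in "The Patents" and of the single-session-plus-time-out defence mentioned in this paragraph, the following Python model generates a challenge grid with four random corner digits per key, computes the response for a user's password and chosen corner, and verifies it on a server that refuses a second concurrent login session and expires challenges. The corner names, the 30-second time-out and the enrolment dictionary are assumptions.

```python
import secrets
import string
import time

# Added model of the Grid scheme, not the vendor's code. Corner names and the time-out are assumptions.
CORNERS = ("top_left", "top_right", "bottom_left", "bottom_right")
KEYS = string.ascii_lowercase


def new_challenge():
    """Server side: every key on the graphical keyboard gets four random digits, one per corner."""
    return {k: {c: secrets.randbelow(10) for c in CORNERS} for k in KEYS}


def grid_response(challenge, password, corner):
    """Client side: click each letter of the password and read off the digit in the sensitive corner."""
    return "".join(str(challenge[ch][corner]) for ch in password)


class GridServer:
    """Verifies responses; keeps at most one open login session per user and expires it after SESSION_TTL."""

    SESSION_TTL = 30.0  # seconds; assumed value, the page only says a time-out is needed

    def __init__(self, users):
        self.users = users   # username -> (password, sensitive corner), enrolled out of band
        self.pending = {}    # username -> (challenge, deadline)

    def start_login(self, user, now):
        if user not in self.users:
            return None
        session = self.pending.get(user)
        if session is not None and now < session[1]:
            return None      # a second concurrent session is refused (race-attack mitigation)
        challenge = new_challenge()
        self.pending[user] = (challenge, now + self.SESSION_TTL)
        return challenge

    def finish_login(self, user, response, now):
        session = self.pending.pop(user, None)   # one attempt per challenge; it is consumed either way
        if session is None or now >= session[1]:
            return False     # no open session, or the time-out has passed
        password, corner = self.users[user]
        return secrets.compare_digest(response, grid_response(session[0], password, corner))


if __name__ == "__main__":
    server = GridServer({"alice": ("secret", "bottom_left")})
    challenge = server.start_login("alice", now=time.monotonic())
    answer = grid_response(challenge, "secret", "bottom_left")
    print(server.finish_login("alice", answer, now=time.monotonic()))  # True
```

Because the challenge is consumed on the first verification attempt and a second session cannot be opened while one is pending, an attacker who has seen part of the response gets no further guesses against the same grid; the expiry prevents an abandoned session from locking the user out indefinitely.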

Defiance's hardware encryption algorithms are protected within the tamper-proof hardware that is used to implement the encryption. However, its software algorithms are accessible to anyone who has the software part of the package. This means that the software encryption could be broken without the need for any brute-force attack.

These attacks differ in method, but both share the same goal: finding a way to access the information that the products were meant to hide, which is the sole purpose of using them.

How Can Breaches Affect Personal Privacy?


Privacy issues are fundamental to data security systems. A user must feel comfortable using the product and trust that their data is safe. In the case of regular password systems (not OTP systems), if an attacker gains access to the user's password then it's game over for the user's privacy: the attacker has access to the data they were trying to protect with that specific password. Another problem with passwords is that humans have a forgetful nature, and tend to use the same, or a similar, password for almost all of their authentication needs. This is paradise for an attacker, because gaining one password grants them access to anything it can identify the user as having used. For OTP systems this is not an issue: if the attacker gains the user's password for that session, there is no way it can be used for further attempts to compromise the security of the system, or of any other for that matter. This is because the one-time password is exactly that, one use only, and next time it is completely different. In the case of Grid, this difference isn't quite as prominent, because the password is associated with some numbers that are displayed on the user interface. If the system is breached and the attacker obtains the password that the user uses to identify the correct combination of numbers to input, it is only a matter of time before the privacy of the user's data is compromised, as the attacker can try each of the four combinations (bottom/top, left/right) with the password, and once one works, he has access to the authentication method set up by the user. Also an issue, from the user's point of view, is that if they forget one of the components of their password generator (either the sensitive region of the key or the password itself) they have no way of recovering the lost information.

In the case of Defiance, a breach of the system has quite a significant impact on personal privacy. If an encryption algorithm is found by an attacker, they can access the elements that are encrypted within the database, and these elements are encrypted for a reason: they are sensitive and private pieces of data, often pertaining to the identity of a customer or supplier. Encryption algorithms are often also relatively easy to break by using brute-force methods, trying every possible combination for a key of known length and character set. Also, if the hardware component of the database encryption becomes faulty, the data recovery process may not be able to recover all of the data, or any of it, and that data will be lost and unrecoverable.

All data security systems have issues that affect personal privacy; it is by nature a part of the system. Some information is required to be gathered for authentication purposes, and this is unavoidable, or there would be no way to authenticate a user.

Selling Strategy


Currently, Grid is in development and is not a complete product, and thus the company has not yet settled on a sales strategy. However, they are marketing the product through magazines and data security websites, building up interest in the product and providing users with insight into how the product will look and function when it comes to release. They have also separated Grid into several different specialisations: GridPro™ / GridGov™, GridGuard™, GridLock™, GridGo™ and GridCert™. Each of the specialisations offers different functions, types and levels of security and authentication at different prices and availability. It seems that Grid Data Security Inc. are using the method of waiting for the users to come to them. This is more beneficial than going out to try and find buyers, as it seems that the more general use for this product will be for home or small business use, and for use with portable or public systems (Grid Data Security, n.d.).

Defiance, however, is a complete product, and Protegrity is using a different sales strategy. They are targeting large enterprises and organisations due to the nature of their product. They offer Defiance as a stand-alone product, or as part of a suite of products including Defiance Threat Management and Enterprise Security Reporter. They are also appearing at conferences worldwide and selling their products through that medium. They do not sell to home users, as the uses for them are rather limited and the cost would be excessive to the user. Protegrity are taking the stance of trying to find their potential users and making sales pitches to them, rather than waiting for the customers to come to them looking for a product of this nature (Encryption - Protegrity, n.d.).

Existing Methods Adapted for More Security


Both of the products compared have similar traits, but nothing is more similar than the fact that they take existing methods of providing data security and adapt them to make a stronger or more usable version. In Grid's case, it adapts the ever more commonplace OTP method and adds the spin of the user being able to generate the code to enter via a graphical keyboard. Without explicit knowledge of the system and the methods it uses, it is extremely hard, if not impossible, to obtain information about the user by gaining access to their password. In the case of Defiance, it adapts usual encryption methods and combines the two different methods (hardware and software) to provide a product with variable levels of performance and data security. Overall, both products would be a good investment for an end user, and the cost of losing private data is far more substantial than the cost of these products.


References