Portfolio of research articles
Article 1
Membership Cards
Many clubs and organisations use some form of membership card, which can be as simple or as complicated as the organisation needs. The simplest form is a card issued by the organisation with the holder's name written on it; this may suit small clubs where you know most or all of the members and can easily recognise them.
Larger clubs and organisations may use a more complex card carrying a card number, the holder's name and the local club location.
Alongside the membership card, a database is used to store and track all members and to hold further details that are not present on the card itself. This simplifies the administration of members, allowing alterations and queries to be carried out quickly and with relative ease.
Without a database, altering a member's details would take considerably more work.
Consider a membership card carrying a card number, the holder's name and the club location.
Here the database matters more than the card itself: the ability to share the data between locations and to query it from any location is far more important than the data printed on the card.
The member benefits from being able to use the card at any location associated with the club or organisation, but ultimately the club or organisation benefits most, because it can allow its members to use the card and attend at any of its locations.
A number of attributes are available for comparison; which one is used depends on the query. If the holder wants to prove they are a member, the card number can be looked up in the database, which makes the number the most useful attribute to both the organisation and the card holder.
If instead you want to verify that the card holder is who they say they are, the card alone is not enough, since anyone holding the card can present the name and number printed on it. Here information that is not present on the card, held in the database and checked against the holder, is the most useful, and the card's own contents become the least important.
National Insurance number
The National Insurance card carries a person's name and a unique identifier, the National Insurance number, used to correctly collect National Insurance contributions for that person. It holds little information and, as the back of the card states, is not proof of identity, nor do most card holders regard it as one.
The person's name and the unique identifier are required when starting a job, allowing the employer to set up the relevant tax and National Insurance deductions for the new employee.
This mainly benefits the government, which can collect contributions from the person in question. However, it may be argued that the employer and the employee also benefit from such identification, and both have good reasons to require it before proceeding: the employer needs to ensure a legal workforce, and the employee is likely to be thinking about his or her future and the value of their state pension. It may be that all parties benefit equally from the National Insurance number: the government can collect tax and National Insurance contributions against a unique identifier, the employer can be confident that it is hiring a legal employee, and the employee has the peace of mind of paying into their state pension.
These are two very different forms of identity. The National Insurance card is issued by the government and used in only a few situations, while the membership card is specific to one organisation or group. As such, different data is required and different security is needed to manage it. The National Insurance number links a person to tax and National Insurance payments, which requires strict rules on what data can be accessed, by whom and under what circumstances, while a club membership might need only the person's name and has no link to personal or sensitive data.
Another difference is in how the two forms of identification are issued: a person may refuse to provide the details a club asks for, but has no control over the National Insurance number, because the government already holds other data connected with that person and so already has all the details required to issue the number.
Article 2
RSA SecurID
Sold under a commercial licence and available in a number of forms, RSA SecurID is a very popular solution.
Combining a hardware token with information the user knows has clear advantages: at no point can someone access the system with just one item, and the system does not rely on a single method.
The cost of RSA SecurID is the disadvantage; such security comes at a high price, and a large corporation would have to consider where it is required and to what extent.
Does everyone in the office need a hardware token for daily work, or is it only required for off-site laptop use, to protect access to the data and the virtual private network? These two situations lead to different solutions. If security is enough of a concern, the cost of issuing every employee a hardware token may be acceptable, but for a large workforce this becomes very expensive and may not be necessary. Insisting instead that routine work is done on wired desktop computers confined to the internal network, rather than over the internet, would reduce the number of hardware tokens required.
Although they may not actually have been exploited, some theoretical vulnerabilities are described in the Wikipedia article on RSA SecurID.
Man-in-the-middle attacks are possible: the device protects against password replay, but not always against a third party who gains a position to manipulate the authentication traffic between user and server. If the attacker captures the current token code and prevents the legitimate SecurID user from completing authentication until that code has been used, the attacker can submit the code and log in to the server before the next token code becomes valid.
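The difference between replay protection and a live relay, as an added worked example that is not part of the original article and is not RSA's code: SecurID's own algorithm is proprietary, so the code below stands in a time-based one-time password per RFC 4226/6238 (HMAC-SHA1 over a time counter) for the token. The seed, the 60-second rotation period and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo seed and rotation period (assumptions for this example);
# a real deployment provisions a secret per-token seed.
SEED = b"demo-seed-not-for-real-use"
STEP = 60


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, at // step)


class Verifier:
    """Server side. Accepts a code for the current step (plus one step of clock skew
    either way) and remembers which steps have already been spent, so the same code
    cannot be accepted twice: that is the replay protection the article refers to."""

    def __init__(self, secret: bytes, step: int = STEP, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.used_steps = set()

    def verify(self, code: str, at: int) -> bool:
        base = at // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used_steps:
                    return False          # replay of an already-spent code
                self.used_steps.add(counter)
                return True
        return False                      # no match in the accepted window


def replay_scenario(now: int) -> tuple:
    """The user logs in; an eavesdropper resubmits the captured code a few seconds later."""
    server = Verifier(SEED)
    code = totp(SEED, now)
    user_ok = server.verify(code, now)
    attacker_ok = server.verify(code, now + 5)
    return user_ok, attacker_ok           # (True, False): the replay is rejected


def relay_scenario(now: int) -> tuple:
    """A man in the middle captures the code in transit, blocks the user's request and
    submits the code first. Nothing in the verifier distinguishes this from the user."""
    server = Verifier(SEED)
    code = totp(SEED, now)
    attacker_ok = server.verify(code, now + 2)
    user_ok = server.verify(code, now + 3)  # the genuine login now looks like a replay
    return attacker_ok, user_ok           # (True, False): the relay is not prevented


if __name__ == "__main__":
    t = 1_700_000_000
    print("replay (user, attacker):", replay_scenario(t))
    print("relay  (attacker, user):", relay_scenario(t))
```

The spent-step set is all that makes the replay fail; a relayed code is, from the server's point of view, a fresh and valid code, which is why the attack in the paragraph above works against the token alone and has to be addressed by protecting the channel the code travels over.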
Knowing the required details and being in a position to acquire the SecurID device itself is also a very effective attack on this system. It relies on human nature: people misplace devices and search for them before reporting them missing, giving the attacker a window of a few hours and possibly up to a day to access the system.
The device is likely to appeal to many companies looking for an affordable way of letting staff work with sensitive data while remaining mobile. Although it can also be used as a general security measure, it is more cost effective to reserve the token for remote access and allow staff in the office to use computer facilities without one.
It will not appeal to companies who want purely software-based authentication, since this particular solution uses a hardware token. Software-only options exist, but offer weaker security, as a software token has more ways of being attacked successfully.
OpenID
A faster and more efficient way to log in to and access websites.
Recently adopted by the US Government, which shows that the service has some degree of integrity and trust, as reported on the OpenID website. As a whole, though, the idea seems insecure: a single sign-on identity used for your email, social network and interests could easily be used against you. As it stands, many websites use your email address as a username, and as many people use the same or similar passwords everywhere, the current process is already insecure. OpenID will not actually change this, but it may give attackers more opportunities, and make the consequences of a successful attack larger.
Many people may already have an OpenID through yahoo, google, flickr, livejournal, orange, myspace, wordpress.com, blogger.com and other popular websites.
For the end user, the service makes using several websites quick and easy: log in to one service and the others work, or use a single set of details to log in everywhere. This is very useful with google and its products and services (blogger.com, youtube, google mail/documents/groups/iGoogle, etc.), and similarly with yahoo and flickr. From a user's point of view, all of this makes using the websites easier and more convenient.
The cost of setup is likely to be very small, although it depends on the content management system or third-party provider used, unless you are willing to browse the OpenID library and implement the requirements for your website yourself. Coding the login to work with OpenID may not appeal to everyone, so for those who wish to use the service without implementing it personally, a third-party provider, JanRain.com, offers a free basic OpenID service alongside paid and technically supported services. The cost is fixed for setup and continuation of service for the Basic (free) and Plus ($10/month or $100/year) plans. The Pro plan starts at $500/year and would presumably increase with the added complexity and size of the website and its user base.
A number of attacks exist for the OpenID authentication method.
Because a single OpenID is accepted across many sites, all an attacker needs is access to a data store holding OpenID identifiers: a successful attack could reach over 500 million OpenIDs and, through them, over 27,000 websites using the service. An attack on Facebook that exposed its user account details would yield about 350 million user accounts, a somewhat smaller base to exploit, and an attack on Facebook only gives access to Facebook, not to multiple websites as an OpenID does.
The above is not the easiest attack, and it is a risk for any website storing user information. The most likely and prevalent attack on an OpenID user is a man-in-the-middle phishing attack.
Using a bogus website bearing the OpenID logo and login form, users can be forwarded to a bogus identity provider authentication page that collects their credentials. This gives the malicious party the user's OpenID and any services they use with it, and lets them register the user with further services.
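A check that catches the forwarding described above, as an added example that is not part of the original article and is not code from the OpenID Foundation or JanRain: in OpenID 2.0 HTML-based discovery the user's claimed identifier page names its provider in a link tag with rel="openid2.provider" (rel="openid.server" for 1.x identifiers), so the login page a relying party sends the user to can be compared with the endpoint the user's own identifier page advertises. An honest relying party, or a browser extension acting for the user, can refuse any login page whose origin differs. The identifier page, the hostnames and the redirect URLs below are constructed for the example.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse


class LinkRelParser(HTMLParser):
    """Collects <link rel=... href=...> tags; rel may hold several space-separated tokens."""

    def __init__(self) -> None:
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attributes = dict(attrs)
        rel, href = attributes.get("rel"), attributes.get("href")
        if rel and href:
            for token in rel.split():
                self.links.setdefault(token.lower(), href)


def discover_provider(claimed_id_html: str) -> Optional[str]:
    """OpenID 2.0 HTML discovery: the OP endpoint advertised by the identifier page."""
    parser = LinkRelParser()
    parser.feed(claimed_id_html)
    return parser.links.get("openid2.provider") or parser.links.get("openid.server")


def origin(url: str) -> tuple:
    """(scheme, host, port) with default ports filled in, so comparisons are exact."""
    parts = urlparse(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme.lower())
    return parts.scheme.lower(), (parts.hostname or "").lower(), port


def redirect_is_legitimate(claimed_id_html: str, redirect_url: str) -> bool:
    """True only if the user is sent to the exact origin of the provider named by
    the user's own identifier page. A look-alike host, a scheme downgrade, or a
    page that advertises no provider at all is rejected."""
    endpoint = discover_provider(claimed_id_html)
    if endpoint is None:
        return False
    return origin(endpoint) == origin(redirect_url)


# Constructed identifier page for a user "alice" at a fictitious provider.
CLAIMED_ID_PAGE = """<html><head>
<link rel="openid2.provider" href="https://id.example-provider.test/server">
<link rel="openid2.local_id" href="https://alice.example-provider.test/">
</head><body>Alice's homepage</body></html>"""

# Where an honest relying party would send Alice to authenticate (constructed).
GENUINE_REDIRECT = (
    "https://id.example-provider.test/server"
    "?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=checkid_setup"
    "&openid.return_to=https%3A%2F%2Frp.example.test%2Freturn"
)

# Where the bogus relying party sends her: a look-alike host that merely contains
# the provider's name, which a substring check would wave through (constructed).
PHISHING_REDIRECT = (
    "https://id.example-provider.test.login-attacker.example/server"
    "?openid.mode=checkid_setup"
    "&openid.return_to=https%3A%2F%2Frp.example.test%2Freturn"
)

if __name__ == "__main__":
    print("discovered endpoint:", discover_provider(CLAIMED_ID_PAGE))
    print("genuine redirect accepted:", redirect_is_legitimate(CLAIMED_ID_PAGE, GENUINE_REDIRECT))
    print("phishing redirect accepted:", redirect_is_legitimate(CLAIMED_ID_PAGE, PHISHING_REDIRECT))
```

The comparison is on the full origin rather than a substring of the hostname, because the bogus page in the paragraph above can be served from any host the attacker controls, including one that ends or begins with the real provider's name.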
No service of this nature could be risk free for the user: each OpenID-enabled website has potential access to every other OpenID website associated with that user's OpenID.
Privacy and OpenID is a relatively open question, as the OpenID provider passes details of the user to relying websites as required. By logging into an OpenID-enabled website, you could give that website access to your complete OpenID account details, and it will have acquired them without breaking the law.
It is worth mentioning that the OpenID Foundation's board of directors has 8 community and 7 corporate board members. The community members are from JanRain, Facebook, Plaxo, Nomura Research Institute, OpenID Europe and Yahoo!, but more important is the influence of the corporate members: Facebook, Google, IBM, Microsoft, PayPal, VeriSign and Yahoo!.
This indicates that OpenID and the interests behind it are both important and broad: it allows small websites to give users easy access while allowing large corporations to open all their services through a single identifier.
Such a variety of corporate involvement, while keeping the service free, should attract any organisation, whether as small as a new band's website or as important as the White House website.
References
RSA SecurID - http://www.rsa.com/node.aspx?id=1156
SecurID - Wikipedia, the free encyclopedia - http://en.wikipedia.org/wiki/SecurID
OpenID - Wikipedia, the free encyclopedia - http://en.wikipedia.org/wiki/Openid
OpenID – A Security Story | GNUCITIZEN - http://www.gnucitizen.org/blog/openid-a-security-story/
JanRain.com - Products - Rpx_buy - http://www.janrain.com/products/rpx_buy
JanRain.com - Home - http://www.janrain.com/
OpenID Foundation website - http://openid.net/