The difficulty of validating systems and users

How to do it accurately?

One of the issues plaguing identity management and online authentication systems is how to accurately validate the identity of the system or user connecting to a service.

One possible means for identification that has attracted attention recently is finding and identifying a "MachineID", some form of unique identifier that is specific to a particular physical system and which is difficult to reliably fake. This might take the form of tracking internal network IP addresses, end user system patch levels and browser configuration, and even tracking of end user system hardware configuration.

A problem that is then encountered is how to reliably identify when more than one user is using an authenticated system - how is the mechanism to handle seemingly identical requests that originate from distinct users?

If the authentication system to be used is to be installed alongside other software then this is a problem that has already been solved and dismissed from all but casual usage.

Many anti-copying software and hardware efforts come in such a format - additional code that forms part of an installed product, for the purpose of ensuring only legitimate copies of the software are in use.

These methods could have modified key software based on how the system identified itself, required the use of a hardware "dongle" for authentication, looked for the presence of hidden system files or the physical presence of removable media, or even looked for the presence of intentionally-corrupted space on original installation media.

With every effort to prevent people from copying or using software in any way they want comes a dedicated effort to overcome and neutralise the means of prevention listed above. Going back to the first concept raised in this article - the development and introduction of some equivalent system for use online - the motivation to bypass or trick it increases rapidly alongside the financial incentive to break it and the increased anonymity afforded to those trying to bypass the authentication.

Even when there is little obvious financial benefit to bypassing the system, it can fail on its own. The problems encountered by legitimate system users when Windows Genuine Advantage and the Windows XP activation tools fail to properly work have been well documented. If the system can fail completely without user interaction, what benefit is it to those it is trying to protect?

Introducing this sort of mechanism into the online environment is much more difficult than merely allowing it to exist on the end user's system. Developers and administrators need to be cognisant of the problems posed by a stateless protocol that can serve consecutive requests from seemingly different sources, as well as the wide variety of end systems that might be in use to reach the online service, not only in terms of different operating system types, but also the use of screen readers, mobile phones, kiosks, and any other internet-capable devices.

MAC addresses and hard drive serial numbers can provide information to local applications, but they are more difficult to reach via networked systems. Use of platform-dependent technology like ActiveX can simplify this process, but it then leads to security concerns and problems for users of other platforms (OS X and Linux).

There are a number of methods available for basic authentication and tracking of state across a site, but these all have drawbacks and issues that become apparent when systems are scaled up and spread across load-balanced servers and caching proxies.

Even the current "best of breed" solutions have critical flaws where users can force the system to a "fallback" position and force it into a remedial mode where the level of added security and authentication is negligible (back to a simple question in some cases).

Some of the theories being put forward for implementation of one of these systems include browser identification, the username in use, and system patch levels, though each can be spoofed or hidden from the networked application. At the end of the day, these approaches don't really tie down to a specific system in use.

Part of the difficulty comes in creating a system that is rigid enough to identify and alert to changes in hardware or end user system configuration, yet flexible enough to allow and identify multiple users from the same machine or a reasonable level of system changes, such as those that might occur from replacing a hard drive, applying system patches, or other routine changes. As a result, many of the systems that come close to achieving these goals don't really add much overall to the security situation faced by the application or primary system.
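The trade-off described above, as an added example that is not part of the original article: an exact fingerprint hash breaks on routine changes, while a tolerant weighted match survives them but still cannot tell apart two sources that present the same values. The attribute names, weights and threshold are assumptions chosen for illustration.

```python
import hashlib

# Constructed sample attributes recorded for one enrolled system.
# Every field is reported by, or observed from, the client side.
ENROLLED = {
    "user_agent": "ExampleBrowser/2.0 (Windows NT 5.1)",
    "internal_ip": "192.168.1.20",
    "patch_level": "SP2-2007-03",
    "screen": "1280x1024",
    "disk_serial": "WD-EXAMPLE-0001",
}

# Hypothetical weights: volatile attributes count less than hardware ones.
WEIGHTS = {"user_agent": 1, "internal_ip": 1, "patch_level": 1,
           "screen": 2, "disk_serial": 3}
THRESHOLD = 0.6  # assumed acceptance threshold


def rigid_id(attrs):
    """Exact MachineID: hash of every attribute, so any change gives a new ID."""
    canon = "\n".join(f"{k}={attrs.get(k, '')}" for k in sorted(WEIGHTS))
    return hashlib.sha256(canon.encode()).hexdigest()


def match_score(enrolled, seen):
    """Weighted fraction of attributes that still match the enrolled record."""
    hit = sum(w for k, w in WEIGHTS.items() if enrolled.get(k) == seen.get(k))
    return hit / sum(WEIGHTS.values())


def flexible_match(enrolled, seen):
    """Tolerant comparison: accept when enough weighted attributes agree."""
    return match_score(enrolled, seen) >= THRESHOLD


# Routine change: patches applied and the browser updated.
PATCHED = dict(ENROLLED, patch_level="SP2-2007-04",
               user_agent="ExampleBrowser/2.1 (Windows NT 5.1)")
# Routine change: hard drive replaced.
NEW_DISK = dict(ENROLLED, disk_serial="WD-EXAMPLE-0002")
# Both changes at once fall below the threshold and would raise an alert.
REBUILT = dict(PATCHED, disk_serial="WD-EXAMPLE-0002")
# A second user on the same machine, or any source reporting the same
# values, presents a record the service cannot tell apart from the original.
SAME_VALUES = dict(ENROLLED)

if __name__ == "__main__":
    for name, seen in [("patched", PATCHED), ("new disk", NEW_DISK),
                       ("rebuilt", REBUILT), ("same values", SAME_VALUES)]:
        print(name, rigid_id(seen) == rigid_id(ENROLLED),
              round(match_score(ENROLLED, seen), 3),
              flexible_match(ENROLLED, seen))
```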

From a holistic viewpoint, adding a system designed to identify specific systems can cause problems by actually weakening overall security (thus highlighting that problems exist in the overall system design).

There are solutions, however.

One of the products in our testing lab is a platform-independent mechanism for attaining this goal. With nothing to install on the user side and complete platform and system independence, it appears that Nabu (the product under testing) is close to achieving the goal of allowing users to safely interact with online services (and vice versa) even when end systems and the joining network are completely compromised. If using a web kiosk or heavily infected system could be made as safe for online account interaction as a heavily locked down read-only system, it would go a long way towards addressing one of the key problems facing Information Security researchers today.

This article originally appeared at Sûnnet Beskerming

© 2007 Sûnnet Beskerming Pty. Ltd

Sûnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sûnnet Beskerming provides global reach with a local touch.
