1 Digital identity: Toward more convenient, more secure online authentication For more than four decades, the familiar username/password method has been the basis for authentication when accessing computer-based services. It s a practical approach that provides an acceptable level of security when accessing a closed system, but today s online activities have evolved beyond what the username/ password format can effectively protect. A study, done by Microsoft more than five years ago, showed that the average American user had 25 online accounts secured using 6.5 passwords. It s reasonable to assume that those numbers have increased in recent years, and this raises serious questions about quality issues regarding passwords and the risks associated with insufficient security. The recent hack of 6.5 million LinkedIn user passwords illustrates the limits of username/password authentication techniques, especially when securing today s online services and protecting transactions of increasing value. Recent initiatives, such as the US National Strategy for Trusted Identity in Cyberspace, show government commitment to enforce cyber security. As stated in the National Security Strategy 1) in 2010, The Internet and e-commerce are keys to our economic competitiveness. This white paper introduces the concerns behind user authentication for online services. It describes various concepts and solutions for digital identity, high-security authentication methods, and digital signatures. 1) National Security Strategy, May 2010, The White House
2 Problems to solve To start with, let s go through a simple example, where we will identify the various steps that must be taken to initiate and utilize online service, and the risks that apply to these steps. Our example begins with Bob, who wants to join a club that will provide him with a wealth of online services, chat rooms, online storage and sharing, instant messaging, mail, localized information, and booking services. Bob has many friends who are already members of the club and he looks forward to sharing messages, information, and pictures with them and the other people he meets online. The first step for Bob is online registration to the club. He s asked to provide his real name or his online nickname, his age (or at least a verification that he is over the minimum required age for participation), and other pieces of information required by the service provider to fulfill their service provision and legal obligations. Based on the information Bob provides, the service provider then issues a token and a credential binding the token to Bob s identity. Bob starts using the service as soon as the registration process is complete. He securely authenticates presenting his token, which is used together with the credential to verify his identity. With the authentication process complete, the service provider grants Bob access so he can start enjoying his subscription services. The service provider offers a directory search function that lets subscribers see if their friends are also connected to the service. Bob uses the directory to look for and connect with his friends. Bob also sees that one of his favorite actresses, Alice, is also online, so he subscribes to get updates on her daily life. As Bob continues to use the service, the opportunities for theft continue to appear. For example, when Bob sees that a good friend has just received a promotion at work, he uses one of the club s localization services to send a celebratory bouquet of flowers from a nearby florist. The club asks Bob to sign his order in such a way that he can t pretend, at a later stage, that he was unaware of his responsibility to the florist or deny that he conveyed the transaction. It is essential that everyone involved in this example service -- Bob, his friends, the celebrities he follows, the shop owners he deals with -- remain protected from fraud and identity theft. Even in the few steps that we ve described, there have been several opportunities where security could fail. To begin, threats can occur at the registration process, especially if subscribers don t have to prove their real identities. Next, during the authentication process, the token or credential could be stolen or hacked from the service provider s server. Similar threats are present when Bob uses the clubs various services, such as ordering a delivery from a local florist. Fortunately, there are ways to reduce these threats and minimize the risk of identity theft. In the next sections, we look at various solutions, including a signature process that can be used with a non-repudiation feature when conducting online transactions. Registration Without appropriate controls, the registration process can t perform strong user authentication. At the same time, the user should only provide the identity attributes and traits required for the service provision, and these need to be treated confidentially to protect privacy. When service access is not anonymous, the registration process should involve an identity verification mechanism, but these mechanisms are not in widespread use. Services that require users to reveal their identity may use an identity verification mechanism during the registration process. In a purely online process, identity verification can be performed using credential guaranteed by a third party, a so-called credentialbroker. For instance, the service might ask the user to prove his identity with an electronic national identity card and a secret, or his bank card hosting a special application. The service provider can then use a third party for the identity check, and issue credentials based on this trusted verification.
3 In our example, Bob filled in all the details, with his identity attributes and traits, using a secured session on the service provider s web site, and proved his identity by using his identity card and PIN. Once Bob s genuine identity was confirmed by the authentication service associated with his identity card, the service provider issued the credential. The security checks used in the registration step have to be balanced against several factors. This typically includes the user s perceived security requirements (the user may not accept going through intensive background checks to register for a social network), the legal requirements (the minimum set of attributes that local laws require be collected), and service requirements. It s also important to note that a seamless, purely electronic registration process is likely to be perceived as more convenient than a system that uses the exchange of paper by mail, and this can increase the rate of registration completion. Authentication The authentication step lets the service provider assert that the user is who he pretends to be, and to grant or deny access to the service under that identity. A stronger authentication process increases the user s confidence in the service. For example, Bob will be more likely to use and promote the club if he is confident that his personal details and data, and the services he gained access to, are well protected. The user authentication process involves presenting an identity (name, nickname, certificate), and proof that a secret is shared between the user and the service provider. The authentication may be more or less secure depending on how the secret is protected. The proof exchanged between the parties may not be the secret (a password), but the result of a mathematical operation using the secret (in this case the secret may be called a key). In addition, the secret can be complemented by other factors, such as something that the user must have in his possession or something that authentically defines or belongs to the user (an identity trait). The authentication strength, that is, the confidence level that the user is who he claims to be, grows with the number of used factors. Single factor vs. multi-factor There are several authentication factors to consider: What the user knows: the secret (password, passphrase, PIN code, etc.) What the user owns: a token, PC, smartphone, etc. What the user is: the user s identity traits (fingerprints, voice, DNA, face, iris, vein network, etc.)
4 The very basic username/password authentication method uses only a what the user knows factor: it is a single-factor authentication method. A method based on a certificate (stored in a USB key or on a PC, for instance) and no password uses only a what the user owns factor: it is also a single-factor authentication method. A method based on a certificate but requires a password or a PIN code from the user is based on what the user owns and what the user knows factors: it is called a multi-factor authentication method. Multi-factor authentication is also called strong authentication. Strong authentication does not preclude the resistance or strength of the factors: A password can be weak, when susceptible to attacks using a dictionary or publicly known information about the user, or can be stronger when based on a long character suite that includes uppercase, lowercase, numeric, and symbol characters A key can be of varying length; the longer it is the more secure it is A certificate can be tamper-protected by smartcard hardware security, or stored on a PC or USB key where it is susceptible to duplication or tampering However, the overall security and access protection depends on the factor strength. This point needs to be taken into consideration when designing the system. Ownership factor The ownership factor ( what the user has ) needs to be deemed genuine by the service provider. Therefore, it is usually issued by the service provider at the registration step and consists of a certificate, comprising at a minimum of a user identifier digitally signed. When logging in to the service, the certificate is presented and the provider verifies the signature to assess its authenticity. In addition to being genuine, the ownership factor should be copy protected, to avoid duplication without the user knowledge. Knowledge factors As mentioned earlier, these are passwords, PIN codes, and other secrets that the user should present to prove his identity. As this information is confidential, it should not be exposed in any way. It makes sense to implement mechanisms where the secret is either verified locally in the terminal or at least used in such a way that it is not transferred as-is to the service provider. Inherence factors These who the user is factors are unambiguous and/or immutable data that identify a person. Biometrics data are among the inherence factors. Regardless of the location where this information is stored, it should be protected against modification, to insure they describe the right individual, and against unauthorized access, as they contain privacy critical information. Privacy Privacy of user identification data, as well as non-traceability of the services used is a key feature of the authentication service. To return to the Bob example, assume he s decided to use his club s credential to subscribe to another service. Bob doesn t want the new service to use non-required identity attributes to profile him. Nor does he want to be traced when browsing through the various services he has chosen. In some countries, there are regulatory bodies that ensure that user privacy is well implemented and respected before a service deployment is authorized. For instance, the default behavior of a system should not give it the ability to monitor user behavior at an atomic level. As a result, minimal disclosure policy, which only provides information required to exercise the service, should be the rule. For example, full name or national ID number are not used unless accessing a service that requires this information. Software vs. hardware (authentication) Software and hardware authentication differ in two main ways: Where the security credentials (the factor elements) are stored Where the authentication algorithm is executed
5 Software authentication refers to when there is no dedicated secure element to store the credentials and run the security algorithm, whereas hardware authentication describes cases where a dedicated element using secured smartcard technology hosts the critical items. Software authentication may also apply to implementations that use server storage and checking of credentials. Today s hardware tokens don t always take the form of a removable token such as a smartcard or a USB key - since more and more systems are equipped with an embedded secure element. Smartphones, tablet PCs and PCs that include Near Field Communication (NFC) can open the secure element for authentication applications. Software and hardware have their respective advantages and disadvantages, summarized in the table. Software Hardware Issuance Easy, possibly online More complex Security Low High Security portability Low High Privacy (by design) Low High Issuance Software has an advantage here as being purely dematerialized. The token is installed online and may be comprised of a certificate, key(s), an algorithm, and so on. Hardware is more complex to handle from an issuance perspective, since it involves personalization and the shipment of tokens. However, there are secured hardware tokens that the user can purchase in stores that can be personalized or bound to an online account. Security Software tokens are intrinsically easier to tamper with or duplicate. Since they reside on equipment connected to the internet, they are more subject to attacks by malware. Moreover, they are not protected by hardware firewalls and therefore are vulnerable to attacks of reverse engineering. Hardware tokens are based on smartcard technology, which is known for its tamper resistance. Information stored on the smartcard is protected by strong hardware firewalls and controlled by password or PIN code. The keys or credentials used by the authentication algorithms never leave the protected environment. Hardware tokens are also ideal for biometrics-based authentication, since user details are kept secure and private in a token and never exposed externally. Smartcard technology implements secure memories to store the critical data (PINs and keys) such that they cannot be read easily. The technology also implements countermeasures against various attacks on the cryptographic algorithms. With software implementations that use standard controllers and memories, the keys and PINs are stored in an unsecured environment. Furthermore, creating secure implementations of cryptographic algorithms poses a significant challenge. The security advantages of hardware tokens are acknowledged by the US National Institute of Standards and Technology (NIST) in their Electronic Authentication Guideline, where they state that hard cryptographic tokens are the only applicable technology for the highest level of authentication assurance 2). Security portability Hardware tokens offer intrinsically secure portability. A token can be used on any equipment providing this equipment can access it. These days, tokens with USB/contactless or smartcard ISO/contactless interfaces are available to secure PCs, NFC devices, and potentially smarttvs and game console devices. 2) Electronic Authentication Guideline, NIST Special Publication , December
6 Privacy (by design) Hardware tokens securely store the user s credentials and attributes, which can be verified locally without any unnecessary exposure to the outside world. Software authentication usually stores user attributes in a server belonging to the service provider, an identity provider or the service provider acting as identity provider for a third-party application. Storing attributes in a hardware token allows a straightforward minimum disclosure implementation that keeps all credentials under the user s direct control. It ensures that unnecessary details are kept hidden in the token and that only the required information is disclosed during the transaction. For instance, a service that requires the user to be more than 18 years old might provide the user with an older than 18 flag instead of asking for specific date of birth. Signature The signature is as important as authentication for maintaining the security of electronic transactions. In the real world, handwritten signatures are used to stipulate that all parties agree for a transaction. In case of dispute at a later stage, the signed contract serves as a reminder of the rights and duties the parties formally agreed to. Handwritten signatures are also used by people to verify and guarantee the validity of the information they provide when engaging in a business transaction or acknowledging the receipt of goods or information. Use cases for digital signature Online signature generation and verification respond to the same use cases as hand-written signatures in the real world. Our old friend Bob, a loyal tax-payer, has decided this year to fill out his tax forms online, through his government web-portal. He authenticates to the portal using his national electronic ID card and initiates a secure session over the internet connection. Once he has finished his tax declaration, Bob confirms that the editing session is complete. The tax declaration is then compiled in a document that Bob signs once he has given it a quick recheck, just as he would have done with a paper-based form. For the virtual digital signature process, Bob re-uses his national electronic ID card and confirms that he agrees with the document contents. This generates a formal signature that requires a specific validation, likely based on a new PIN code presentation. Once generated, the signature is sent to Bob s government portal and is appended to the declaration for future reference. Bob also receives a dated certificate of deposit, built using a similar signature process. Generally speaking, signature generation the proper document signing process- is employed when the user must give another party proof of acceptance or authenticity of a document. In the tax example, signing the online tax form engaged the responsibility of the signing party regarding the information provided. Signing a mail message will prove to the receiver that the sender is who he claims to be. Digitally signing a contract document proves that the signing party received and accepted the contract as-is. Requirements and features The algorithm for signature generation must guarantee that the signature is bound to the document it was generated with and only to that document. If the document is modified, the algorithm needs to produce a different signature regardless of the importance of the modification. The signature process should also date the signature with a timestamp. The signature verification process should check the signature against the related document and the signing party, and therefore control both the authenticity of the document presented and the identity of the signer. Signature algorithms rely on so-called public key cryptography. This technology involves a public key, bound to the user identity, and a private key. The signing operation consists of running an algorithm on the document (or a digest of the document) to build a signature using the private key. Signature verification involves applying reverse operation on the signature using the public key. If the operation results in the document or its digest, then the signature is verified. The basic principle is that only the private key holder can create a signature but everyone else can verify the signature using the public key. The signature can only be trusted if the user s private key is kept in a heavily secured area and never exposed, such as in a hardware token. The user s public key is also bound to the user s identity and is guaranteed by a trusted party. The same generation and verification algorithms are often used by secured authentication processes. If a user wants authentication to a service, he signs a piece of document (a challenge ) randomly issued by the service provider. The provider then verifies the signature and authenticates the user if it s correct. Again, only the holder of the private key which is typically buried in a smartcard can generate the signature and therefore successfully perform authentication.
7 Data encryption Another main challenge is data confidentiality, especially when data is transferred over the internet. As illustrated in the previous example, the hardware token is a highly secured placeholder for cryptographic keys. With the advent of portable data storage and cloud storage, user data privacy is at risk, which can be circumvented by data encryption. A hardware token can be used to encrypt/ decrypt the user s locally or remotely stored data. The challenge in this case is performance of the interface and the encryption/ decryption engine, which can significantly decrease data bandwidth. For encryption based on a hardware token, it s essential that the token can t be accessed by an attacker. Additional access protection to the token (e.g. via a PIN) is usually recommended to achieve Multi-Factor Authentication. Conclusion A good password can improve security, but today s users deal with so many online services that keeping track of a long list of different passwords is cumbersome and prone to error. Multi-factor authentication offers stronger, more convenient security than the traditional username/password method. Software tokens, such as certificates stored in a PC, can enhance authentication strength, but today s software solutions can t reach the level of tamper-resistance enabled by secure silicon technology. The smartcard has become a part of daily life. This technology, the first widely deployed enabler for multi-factor authentication, has proven its efficiency in reducing offline payment fraud and has helped drive success in GSM, 3G, and 4G cellular services by being an essential part of the security architecture. The expanded use of secured silicon technology will support the fight against identity theft and fraud, and has the potential to enable even more end-user services. Based on trusted security, a complete product portfolio and the best contactless performance, NXP is the leader in the overall ID market as well as in key market segments such as transport ticketing, egovernment, access, infrastructure, RFID/Authentication, payments, and NFC. NXP provides the entire ID market with end-to-end solutions, enabling customers to create trusted solutions for a smarter life.
8 NXP Semiconductors N.V. All rights reserved. Reproduction in whole or in part is prohibited without the prior written consent of the copyright owner. The information presented in this document does not form part of any quotation or contract, is believed to be accurate and reliable and may be changed without notice. No liability will be accepted by the publisher for any consequence of its use. Publication thereof does not convey nor imply any license under patent- or other industrial or intellectual property rights. Date of release: December 2012 Document order number: Printed in the Netherlands