By Dovell Bonnett, Founder and CEO, Access Smart, LLC
In a world of ever-increasing cyber-attacks, IT invests massive amounts of time, energy and money to secure corporate networks and data. Because there are no silver bullets, many different security technologies attempt to address each potential threat. With so many different vulnerability points, the first line of defense must be trusted authentication.
This report does not compare the operational functions or benefits of cyphers versus passwords. They are very different. Rather, it analyzes an important cryptographic component that the security industry goes to great lengths in time, energy, and money to protect – the keys. When cracking passwords becomes as difficult as cracking keys, then passwords will be secure.
This report focuses on:
- Symmetric Cyphers and Symmetric Keys
- Symmetric key generation and management
- Weak password management practices
- Password similarities to symmetric keys
- Which symmetric key principles password management should adopt
In Part 3 of the “Passwords are Secure” series, I’ll analyze asymmetric public/private keys.
Trusted authentication verifies the identity of a person (or computer) before allowing them to log on to a computer, network, web site, or application. The most common protocol is user name and password. While recent media coverage has maligned passwords–suggesting replacement with certificates, biometrics and other advanced technologies–there is more to this story.
Certificates: One of the most discussed certificate-based systems on the market is Public Key Infrastructure or PKI. PKI combines both symmetric and asymmetric cyphers (along with other technologies) to offer the unique advantages of authentication, authorization, data integrity, and non-repudiation. However, PKI is only as trusted as the security of its symmetric and asymmetric keys. That is why so much money, time, and resources go into protecting these keys.
Passwords: Ninety-six percent of all computers, applications, websites, and networks require user name and password authentication, making it the #1 form of authentication. The management of these passwords is often left up to the weakest link in the security chain–the user or employee. The fix is not necessarily investing in new technologies when properly managing the existing technologies is all that’s required.
If password security adopted some of these same practices as key security, then passwords would offer a high level of security and trust without drastically altering a company’s existing IT infrastructure.
My password security arguments are simple:
- Passwords are a viable means for secure authentication,
- Passwords are secure when generated and managed correctly, and
- Secure password authentication is affordable when leveraging existing infrastructure and investments.
Ever-increasing computer breaches and password database thefts drive some security pundits to insist that passwords are insecure and must be “killed.” But what would replace passwords: certificates, biometrics, smartphones, or something else?
These alternatives have their place in specific environments, but there is no one-size-fits-all solution. Certificates can be very cumbersome and expensive to implement. Biometrics has cost and implementation considerations. Smartphones require charging and monthly service fees.
Dispensing with the Biometric Argument
Many industry leaders argue that biometrics will replace passwords. It won’t happen. Here’s why. Biometrics is the “Something you are” in multi-factor authentication (MFA). A password is the “something you know.” Killing passwords would eliminate one leg of the security stool, and no security expert will ever advocate that multifactor authentication stop at two factors. Other biometric concerns include:
Biometrics has much to offer the security industry and should be considered where appropriate. However, believing that biometrics will replace passwords is not reasonable.
Secret Key Practices that Passwords can Replicate
Symmetric cyphers deploy a single shared key for encryption and decryption. Older examples include character scrambling, codebooks, WWII Enigma machine, and the Captain America secret decoder ring. Today, some of the more common cyphers include DES, Triple-DES and AES. Symmetric cyphers are fast at encrypting large blocks of data.
Are symmetric keys any more secure than passwords? My answer is, not necessarily. It depends on how the keys are managed, distributed, and protected. The best way to improve password security is understanding symmetric key architecture.
Symmetric keys have to be complex and long to make guessing or testing every possible combination nearly impossible. Complexity is based on both length and character types used. For example, a five-digit key using a twenty-six character alphabet will generate over 11 million combinations, whereas a five-digit key using ten numeric characters generates only 100 thousand combinations. The longer and more complex the key, the less likely a brute-force attack will work. A strong symmetric key is at least 256 bits or thirty-two characters long.
A strong password also depends on complexity and length. Utilizing all ninety-six keyboard characters, an eight-character password would create over six quadrillion (six followed by fifteen zeroes) combinations. Impossible for a human to break by brute force, but not for a computer. To match the security of a secret key, a thirty-two character password is required.
Symmetric encryption relies on keeping the secret key out of an enemy’s hands and only letting the authorized person(s) know the key. Throughout history, cryptographers have implemented a number of clever key exchange schemes and devices, including a messenger who would rather die than reveal the secret (these people are hard to find), a code within a code, or a Cryptex box.
Even today, with all our sophisticated computers, secure key exchange is very important. Diffie-Hellman key exchange, created in 1976, is a very effective way to exchange secret keys while keeping eavesdroppers from intercepting the key. Another common key exchange is implementing asymmetric encryption for secure transmission of the symmetric key. Both these latter methods are used for secure internet communications where you see SSL (Secure Socket Layer) and HTTPS associated with the web account.
Passwords themselves typically do not flow unencrypted across a network. Instead, computer networks transmit the password’s hash and compare it to the hash stored on a site’s server. Hashing by itself is no longer secure because every occurrence of a particular password, no matter the user, will have the same hash value. Companies need to “salt” each hash separately. Now identical passwords will have completely different hashes.
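The difference between a bare hash and a per-account salted hash, as an added example that is not part of the original report. It assumes PBKDF2-HMAC-SHA256 as the salted construction; the function names, the iteration count and the sample accounts are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

def unsalted(password: str) -> bytes:
    """Bare SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).digest()

def enroll(password: str) -> tuple:
    """Return (salt, digest) using a fresh random salt for this account."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the account's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def shared_digests(table: dict) -> list:
    """Audit check: groups of accounts whose stored digest is identical."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

# Constructed sample data: alice and bob chose the same password.
SAMPLE = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3", "carol": "x9!Lq2#vT7pZ"}

def build_tables(accounts: dict) -> tuple:
    """Build the unsalted and the salted credential table for the same accounts."""
    plain = {u: unsalted(p) for u, p in accounts.items()}
    salted = {u: enroll(p) for u, p in accounts.items()}
    return plain, salted

if __name__ == "__main__":
    plain, salted = build_tables(SAMPLE)
    print("unsalted duplicates:", shared_digests(plain))
    print("salted duplicates:  ", shared_digests({u: d for u, (_, d) in salted.items()}))
    salt, digest = salted["alice"]
    print("alice login ok:", verify(SAMPLE["alice"], salt, digest))
```

In the unsalted table anyone holding the database can see that two accounts share a password; with per-account salts that grouping disappears while verification still works.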
Passwords can also utilize Diffie-Hellman, asymmetric encryption or SSL to securely exchange password data. As with symmetric key exchange, the goal is to hide the secret from unauthorized people. I will go into more details in an upcoming paper in this series.
When it comes to cyber security there are two approaches: Perfectly Secure or Practically Secure. The cost and effort to create perfectly secure is unrealistic. That is why practically secure is good enough where time to break a key is larger than the usefulness of the information. For example, the Duke of Wellington’s battle plans would have been important to Napoleon on June 17, 1815. Today they have no secretive value.
A cryptologist knows that given enough time, money, and resources, an enemy could break the secret key. Periodic key obsolescence neutralizes an enemy’s key hacking efforts. The importance and usefulness of information determines a key’s life span. Some keys are for one time usage, while others can last for a few months.
Passwords must have a defined end of life. Most security experts put an eight-character password at thirty to ninety days. A thirty-two character password can go much longer, assuming other password security mechanisms are in place.
Computers make symmetric key lifecycles manageable by automatically generating the new key. So why not have computers generate random passwords? Taking the burden of password generation and lifetime away from the user adds to the security of passwords, making them as strong as symmetric keys.
Another symmetric encryption task is creating different secret keys between different groups. For example, you need one key between you and Allan to send private messages back and forth. You need a different key so you and Betty can share messages without Allan. Finally, you’ll need a third key so you, Allan, and Betty can all share information. Now, let’s say you meet Cliff and Daphne. Adding two more people increases the permutations of keys from three to fifteen. Soon the permutation of keys grows exponentially and becomes unmanageable as the number of connections increases. As networks get more and more complex, the number of key permutations becomes astronomical. Node management and massive computer storage are required.
IT managers will tell you that every web site, server, application, and computer needs its own unique password. If technology makes symmetric key nodes manageable, then why not use similar technologies–like smartcards–to manage passwords? By removing the burden of password management, users will only have to manage their accounts, leaving security in the hands of IT where it belongs.
At some point, all the secret keys have to be stored somewhere. Whether it’s relying on the memory of a person, written on self-destructive paper, or in a computer database, security is only as strong as its weakest link. If secret keys are not securely stored, all the work generating unique, complex keys with a short lifecycle is moot. A computer’s weakest link is its data storage.
Today, the industry stores secret keys in smartcards, secure access modules (SAM), or secure hardware modules. These hardware devices use many advanced detectors, filters and features to prevent most known attacks. Until a threat is known, there will always be a potential vulnerability.
Secret keys are not some super advanced piece of information that is inherently secure. They are the result of a combination of management and supporting technologies that together maintain security and trust. Passwords are no different. Implementing smartcards and secure hardware modules to protect passwords raises them to a higher level of security.
Challenge-Response for Mutual Authentication:
After generating, distributing, and storing all the symmetric keys, how do you know that the two computers are the correct ones to communicate? That’s where mutual authentication by challenge-response comes in. Challenge-response establishes the trusted communications. Challenge-Response is how most networks authenticate each other by testing if they know the same secret and have the same algorithm to correctly encrypt and decrypt data before sending any.
Generally, Device1 will first send a unique identifier to Device2. Then Device2 combines its own identifier with that from Device1, runs the number through an algorithm, and calculates a unique value. Next, the same process is repeated in the opposite direction, where a unique identifier flows from Device2 to Device1. If both calculate the same value, then a trusted communication channel is established. Challenge-Response is a key component in secure SSL and HTTPS network communication.
Since the Internet, Kerberos is the most common challenge-response protocol, but it is not the only protocol used. The unique identifier, called a seed, can be a password, hash, random number, secret key, or some other unique value. The main requirement is that the two devices calculate the same value.
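The two-way exchange described above, as an added example that is not part of the original report. It assumes HMAC-SHA256 over a random challenge as "the algorithm" and a pre-shared 256-bit key; the `Device` class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets

class Device:
    """One end of the exchange: `name` is its identifier, `key` the shared secret."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key

    def new_challenge(self) -> bytes:
        # Fresh random value per attempt, so a recorded response cannot be replayed.
        return secrets.token_bytes(16)

    def _mac(self, responder: str, challenger: str, nonce: bytes) -> bytes:
        # Binding both identifiers, in order, stops a response from being
        # reflected back to its sender as an answer in the other direction.
        msg = b"\x00".join([responder.encode(), challenger.encode(), nonce])
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def respond(self, challenger: str, nonce: bytes) -> bytes:
        return self._mac(self.name, challenger, nonce)

    def verify(self, responder: str, nonce: bytes, response: bytes) -> bool:
        expected = self._mac(responder, self.name, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare

def mutual_authenticate(dev1: Device, dev2: Device) -> bool:
    """Trust the channel only if each side proves it knows the shared key."""
    n1 = dev1.new_challenge()
    if not dev1.verify(dev2.name, n1, dev2.respond(dev1.name, n1)):
        return False
    n2 = dev2.new_challenge()
    return dev2.verify(dev1.name, n2, dev1.respond(dev2.name, n2))

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed 256-bit shared secret
    print(mutual_authenticate(Device("Device1", key), Device("Device2", key)))
    impostor = Device("Device2", secrets.token_bytes(32))  # does not know the key
    print(mutual_authenticate(Device("Device1", key), impostor))
```

The secret itself never crosses the wire; only the random challenge and the keyed digest do.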
Once the trusted connection is established, logon and data transmission to websites, applications, and networks can proceed. With spam emails, phishing and pharming attacks running rampant, computers must establish a secure mutual authentication.
Today’s computer security experts are pushing for network mutual authentication before the firewall and before access to any data. Challenge-Response will protect password entry, password data files, and many other computer attacks.
Many of the security practices and policies for generating and protecting secret keys are the same recommendations I promote for protecting passwords. The big difference is that secret key security utilizes the power of computing, while the burden of passwords is placed on the weakest link – the user.
“When cracking passwords becomes as difficult as cracking keys, then passwords will be secure.”
Following are three summary tables that show where passwords and secret keys are similar, the secret key security features, and the password changes required to protect networks and data.
Passwords and Secret Keys Similarities
- Both must share the same secret
- Both require long, complex character strings
- Both are easy and inexpensive to change
- Both need to be changed periodically
- Both need secure storage
- Both require an identifier to select the correct accounts
- Both have to protect against the “man-in-the-middle” attack
- Both systems lose their trust when their secret is compromised
Secret Keys Security Features
- Keys never flow across networks unencrypted
- Keys use secure communications protocols to transmit data
- Keys are generated by an algorithm
- Keys are unknown to users
- Keys are auto-filled by a computer, token or smartcard
- Keys require computer mutual authentication
- Keys have a minimal length of 256-bits (32 characters)
- Keys typically have a short lifecycle and are changed frequently
- Keys are unique for each connection
- Keys are managed by computers, not people
The way to strengthen passwords is to incorporate many of the secret key features. Here are just a few considerations to strengthen password management:
Secure Password Features
- Never allow users to generate their own passwords
- Make passwords unknown to the user
- Don’t allow users to type in passwords
- Hide the viewing of passwords even from the user
- Every account must have a unique password
- Implement a secure communications channel like Hypertext Transfer Protocol Secure (HTTPS), Transport Layer Security (TLS), Secure Sockets Layer (SSL), or some other cryptographic communication protocol
- Incorporate cryptographic technologies like smartcards, salted hash functions, AES-256, SHA-256, etc. to safeguard passwords
- Make passwords at least 32 characters long
- Update software, websites, and computers to accept longer passwords
- Compare Hash or MAC password to the correct account
- Never store unencrypted passwords, hashes, or salted hashes in cache or RAM
People make lousy password managers. When IT leaves the ever-increasing password burden on users, users will circumvent security for convenience. Cybersecurity has to start before computer logon and before the firewall. By implementing many of the same techniques and technologies used to generate, manage, and protect symmetric keys, passwords become much stronger, as well as more convenient for the user. When users only have to remember which accounts they want to access, the entire system becomes more secure.
IT has done great work in securing secret keys, but they are still vulnerable. There will never be perfectly secure networks. All data, including encryption keys, are vulnerable. Either through technology, subpoenas, social engineering, blackmail, break-ins or disgruntled insiders, there has always been, and always will be, an enemy (unauthorized groups) who want access. However, there are actions that reduce both the risks and damage of a security breach.
- Don’t expect a one-size-fits-all strategy when it comes to authentication
- Assess the value of the networks and data you are protecting
- Segregate valuable from non-valuable data, and place them on separate servers
- Take the user out of the role of security manager
- Secure passwords require more than increasing the number and type of characters.
- Assign administrative and data access rights only to those who need it.
- Use HTTPS site, location authentication, challenge-response, encryption, and segment user privileges.
Current password management policies and implementations are flawed. But all is not lost and corporate networks can be secured. Once passwords become as difficult to steal, hack, or crack as secret keys, then corporate network security will greatly improve, and at a much lower cost than certificates.
In Part 3 of the “Passwords are Secure” series, I will discuss public/private key-pair generation and security practices.