Security Architecture - Beyond Passwords?

a voice in the crowd asks: "We're investigating different PKI technologies to introduce support for strong authentication, single sign-on and secure messaging. There seems to be a broad range of both companies and approaches out there. I'm looking for success and horror stories from those who have taken point on this issue. Your help is appreciated." Read on for more information on what is being evaluated and the critical questions being asked.

"Some of the pieces currently under review include:

  • Verisign's Onsite Lite
  • USB Token holders (aladdin, hasp, etc)
  • smart cards
Some of our questions include:
  • What headaches is key recovery going to be?
  • Is there any meaningful long-term competition?
  • How reliable is the hardware once deployed?
  • How is vendor support?
  • Is the integration with Win2k, Notes, etc both functional and seamless?
  • What policy administration issues do we need to be aware of?
  • What best-practice documents are available?
  • How locked in will we be?
  • Will our Blackberry 5810's grok the secured messages, and if so do they represent a point of vulnerability for the certificates?
  • Can we enforce non-trivial PINs?
  • What changes to your help desk workload and practices have resulted?
Most importantly, do the users like it?"
  • by Anonymous Coward
    I am posting AC because bloody /. won't accept my smartcard login.
  • Novell SingleSignOn (Score:3, Informative)

    by CounterZer0 ( 199086 ) on Saturday June 01, 2002 @03:01AM (#3621755) Homepage
    Novell's SingleSignOn solutions with iChain, iManage, and DirXML work wonderfully. And yes, users I've seen use it have loved it (primarily RSA SecurIDs).
    • Novell generally tends to be bloated and somewhat difficult to use. It's a good solution if you don't need something too heavy. What about a concentric ring scheme built on Unix? I forget who makes it, but it is out there, and very, very secure.
  • Some traps (Score:5, Insightful)

    by XoXus ( 12014 ) on Saturday June 01, 2002 @06:42AM (#3622037)
    What headaches is key recovery going to be?

    Are you sure you want this? Chances are you don't. Perhaps what you really want is key resetting.

    Can we enforce non-trivial PINs

    Be careful of the scope with this. You might want to ban affine PIN sequences (e.g. "1234", "3579", etc.), but if you ban too many things it will massively reduce the keyspace, making brute-force attacks easier.

    An interesting approach to PIN "goodness" that I just thought up would be to look at the (algorithmic information theory) complexity of the string. This would also easily generalise to whole passwords, too.

    Just remember that the weakest point in your security is almost certainly going to be the people involved. An ultra high-tech security door is no good when someone leaves the side window open.

    • the systems that we've examined so far do not provide any way of enforcing a policy, of which simplistic passwords exclusion would be one rule. we would also like to apply policy to documents such that two members of management from non associated business units are required to access certain documents. brute force attacks lose their effectiveness when the chip holding the certificates erases itself after the nth+1 bad password. key recovery is what we want. there isn't anything to reset. anything less and all the documents signed and encrypted by that user would be lost.
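The trade-off XoXus raises (ban the obvious PIN sequences, but every ban shrinks the keyspace) and the wipe-after-n-bad-tries point in the reply can both be put in numbers before a policy is adopted. The following is an added example written for this page, not code from any poster: the reading of "affine sequence" as a constant step modulo 10, the LZ78 phrase count standing in for the algorithmic-complexity score XoXus suggests, the "fewer than three distinct digits" rule, and the five-try lockout are all assumptions of the example.

```python
"""Quantify what a PIN-quality policy costs in keyspace, and what a
wipe-after-n-tries token buys back.  Added example, not from the thread."""
from itertools import product
import math


def is_affine(pin):
    """True if consecutive digits differ by one constant step (mod 10).

    Assumed reading of "affine sequence" for this example: 1234, 3579,
    8642 and 1111 (step 0) all count; 1372 does not.
    """
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return len(steps) == 1


def lz78_phrase_count(s):
    """LZ78 phrase count: a cheap, computable proxy for how compressible a
    string is (Kolmogorov complexity itself is uncomputable).  Higher means
    less structure: 'aaaaaaaa' parses into 4 phrases, 'abcdefgh' into 8."""
    phrases = set()
    count = 0
    current = ""
    for ch in s:
        current += ch
        if current not in phrases:   # new phrase: emit it and start over
            phrases.add(current)
            count += 1
            current = ""
    if current:                      # trailing phrase that matched earlier
        count += 1
    return count


def too_few_distinct_digits(pin, minimum=3):
    """Ban rule (assumed for the example): fewer than `minimum` distinct
    digits, which catches 7777, 1122, 2020 and the like."""
    return len(set(pin)) < minimum


def remaining_keyspace(length, ban_rules):
    """Enumerate every numeric PIN of `length` digits and count the ones
    no rule bans.  Returns (total, allowed)."""
    total = 10 ** length
    allowed = 0
    for digits in product("0123456789", repeat=length):
        pin = "".join(digits)
        if not any(rule(pin) for rule in ban_rules):
            allowed += 1
    return total, allowed


def entropy_bits(allowed):
    """Guessing entropy of a PIN chosen uniformly from the allowed set."""
    return math.log2(allowed)


def lockout_success_probability(allowed, tries):
    """Best case for an attacker with no other information when the token
    wipes its keys after `tries` wrong PINs: each try eliminates one
    candidate, so success probability is tries / allowed."""
    return min(1.0, tries / allowed)


if __name__ == "__main__":
    policies = [
        ("no policy", []),
        ("ban affine", [is_affine]),
        ("ban affine + <3 distinct", [is_affine, too_few_distinct_digits]),
    ]
    for label, rules in policies:
        total, allowed = remaining_keyspace(4, rules)
        print(f"{label:26s} {allowed:5d}/{total} PINs  "
              f"{entropy_bits(allowed):.2f} bits  "
              f"p(success in 5 tries)={lockout_success_probability(allowed, 5):.5f}")
    for pin in ("1234", "1111", "1372"):
        verdict = "affine" if is_affine(pin) else "ok"
        print(pin, verdict, "LZ78 phrases:", lz78_phrase_count(pin))
```

Two things the run makes visible. Banning affine sequences removes exactly 100 of the 10,000 four-digit PINs (1%, about 0.01 bit), and adding the distinct-digit rule still leaves 9,280, so neither rule on its own is what makes a four-digit PIN weak or strong; the lockout does: with five tries against 9,900 PINs an attacker's chance is about 0.05%. The complexity score is the weaker idea on short strings: LZ78 gives "1234" the maximum four phrases and "1111" three, so it does not separate arithmetic sequences from random ones at PIN length, and is only useful as a complement to explicit sequence bans, or on full-length passphrases where compressibility has room to show.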
  • Remember the users. (Score:5, Insightful)

    by Neck_of_the_Woods ( 305788 ) on Saturday June 01, 2002 @09:11AM (#3622177) Journal
    We deployed, then yanked it right back out. I am not going to bore you with the product, because it really does not make a difference.

    After deploying the secure solution, which worked just as promised and proposed to everyone (in fact it worked very well), it was still yanked. Why, you ask? Ever tried to take something from someone they have had for over 2 years? OK, multiply it by 600 people. Take those 600 people and have their managers bitch about having these things taken away from them, then have their manager bitch, and on up the chain until it gets to the CIO, who folds like a little kid with a skinned knee.

    What am I trying to say here? Get approval in writing. Make it known what you're going to do as soon as you can. Let them know 4 months ahead of time if you can (not 2, because that seems not to be enough). Lay it all out, get it all on the table, and get them to reply with issues, bitches, etc... Of course they are not going to call you until it goes in, but at least for 4 months they were told, warned, and when it comes it is not a surprise.

    People by nature ignore what they don't want to hear, and say they never heard it. Say it 30 times. Make sure your CIO has a backbone, and get ready for a war. I hope you don't waste 2 weeks like we did. Good luck.

  • by eldub1999 ( 515146 ) on Saturday June 01, 2002 @01:54PM (#3622968)
    Caveat, I work for a company that does PKI. Over the years I have deployed PKIs using technologies from Baltimore, RSA, and Verisign.

    - Verisign's Onsite Lite
    >> There is not enough money in the world to make me ever want to do business with these guys again. Crappy customer service, ignorant professional services, and in the case of Onsite, buggy software.


    - USB Token holders (aladdin, hasp, etc)
    - smart cards

    >> I'm guessing you are in a Windows environment. A few notes. The USB ports on most corporate PCs are still on the back. Also USB tokens *always* need software (drivers and middleware) installed on every desktop.

    Smartcards are not a bad way to go in a homogeneous environment. Under Windows 2K and XP, any PC/SC compatible driver works with no additional software installed. Use a supported "Win2K/WinXP" card such as the Schlumberger Cryptoflex card and you don't have to do any desktop software installation or maintenance at all. It works out of the box.

    Usually the lower overhead of smartcards makes up for the additional cost over USB tokens.

    - What headaches is key recovery going to be?
    >> It's just a process. Virtual smart card solutions can help alleviate these problems.

    - Is there any meaningful long-term competition?
    >> Not really for secure email or transaction signing. If your primary business problem is authentication, then yes, there are many other solutions that are probably cheaper and easier to manage.

    - How reliable is the hardware once deployed?
    >> Pretty darn good from what I've seen.

    - How is vendor support?
    >> Depends on the vendor. Note Verisign rant above.

    - Is the integration with Win2k, Notes, etc both functional and seamless?
    >> Win2K is simple. Notes is a pain in the ass unless the company you are working with has done it before. Lots of gotchas.

    - What policy administration issues do we need to be aware of?
    >> PKI will force you to clearly define your identification and authentication processes, which most companies lack definition for. You will also need to spell out all of your policies and processes and add in checks to ensure you follow them. You will see an increase in administrative overhead.

    - What best-practice documents are available?
    >> There are a few good books. The biggest problem I see in the field is that there is a major disconnect between the "theory" of PKI and the practical realities. Find a knowledgeable consultant who can spend 5-10 days with you. A good consultant should be able to provide you with a "PKI vendor agnostic" overview of the current state of PKI and help you with a needs analysis. The outcome should be a realistic set of requirements you can use to shop vendors with.

    - How locked in will we be?
    >> If your design is correct, you should not be locked in at all. The biggest issue here is ensuring you stick with standards and avoid vendor-specific toolkits/APIs that will lock you into their solutions.

    - Can we enforce non-trivial PINs?
    >> This is a function of the credentials store. Generally speaking, the answer is no. There are exceptions.

    - What changes to your help desk workload and practices have resulted?
    >> Most companies I work with are surprised at how often they have to replace certificates. If the end users are trained and well communicated with, there should not be a huge increase.

    -LW
  • I went to Sun MS this past week and they have smart card profiles. You basically get to carry around a card that holds your 'roaming profile', like NT's roaming profile except it is on a card. I'd imagine that it works pretty well and key recovery would be a matter of a new card key and syncing it with the user's desktop or something.
