April 2002
Abstract
This paper discusses the relative merits of various hardware authentication solutions from the point of view of FreeBSD integration. The author is a consultant charged with implementing “support for at least two low-cost cryptographic peripherals” in FreeBSD as part of the DARPA CHATS program.
Hardware authentication solutions fall into three broad categories: key storage tokens, dynamic password generation tokens (“password calculators”), and biometric devices. All three have their uses: password generation tokens, for instance, are useful for remote access, while key storage tokens and biometric devices are mostly useful for local access. Of these two, the latter usually require expensive hardware to be installed at each station, while the former can easily be carried around and connected to almost any computer, including most laptops and many handheld devices.
Since different solutions have different applicability, we should try to support at least one solution in each category. One important caveat is that existing biometric devices are so easily fooled that they have little value beyond proof of concept (see [Mat2002]). In spite of this, we think it can be useful to implement support for biometric devices, as long as this does not consume an undue amount of resources.
Hardware authentication tokens range in price from around $20 to around $800 (though when purchased in large quantities, prices can easily go as far down as $10 or less). Price is a concern not only for the contractor, but also for the user base; we should support at least one low-cost solution. On the other hand, higher-priced tokens usually offer more functionality, so we should not restrict ourselves to cheap tokens.
While some vendors will happily sell tokens piecemeal to any comer (as is the case for most key storage solutions), others guard their secrets jealously and will only sell tokens in large quantities under restrictive licenses (as is the case for many dynamic password generation solutions). Products which fall in the latter category are obviously less desirable, not only because obtaining specimens and documentation will be harder, but also because small users will have a hard time obtaining tokens.
While key storage tokens can easily be deployed for a single machine at a time, dynamic password generation tokens require a central server to manage the permissions database, generate challenges and verify responses. Although it is possible to implement these functions on the target machine itself, this would significantly reduce the security of the system, since a compromise of the target machine would imply compromise of all deployed tokens. Such server software, while proprietary, usually supports the RADIUS authentication protocol, which FreeBSD already supports through its pam_radius(8) PAM module.
Biometric devices have their own ease-of-deployment issues, the foremost being the need to install a reader on each workstation. While this is costly compared to token-based solutions when the ratio of users to workstations is one or less, as it is in most office environments, it makes far more sense in environments where many users share a small number of machines, such as an educational institution. Unfortunately, concerns about their reliability and resistance to counterfeiting all but eliminate biometric devices from the game.
Some key storage solutions are based on smart card readers which are permanently attached to the machine, and store the user's keys on a smart card which can do double duty as photo ID, keycard or similar physical-security measures (in fact, most USB key storage tokens behave as smart card readers with a single permanently inserted card). The concerns we described above for biometric devices also apply to such decoupled key storage solutions.
Through web searches and discussions with colleagues in the IT security business, we arrived at a list of currently available key storage and generation products. With one exception, all products on our list were also listed in [Fra2001], along with some we hadn't thought of. We therefore based our investigations on that list.
[Mat2002] “Impact of Artificial Gummy Fingers on Fingerprint Systems”. Proceedings of SPIE. Optical Security and Counterfeit Deterrence Techniques IV. 275-289. Rudolf L van Renesse. 4/2002.