feature
OATH – the answer to ID theft?

Online commerce and communication have long been hampered by fears about consumer security and privacy, combined with a lack of standards and the high cost of technologies that attempt to address these concerns. To resolve these issues, a new industry-wide collaboration was launched earlier this year. Tasking itself with the development of an open reference architecture, leveraging existing open standards, for the universal adoption of strong authentication technology across all networks, the Open Authentication Reference Architecture (OATH) group aims to develop authentication that gives customers the confidence to conduct commerce online.

Backed by key players from throughout the cards industry – including ActivCard, Aladdin Knowledge Systems, Authenex, Axalto, SafeNet and Gemplus – as well as industry leaders and other standards groups, OATH’s intention is to provide strong authentication which combines a user ID with a software or hardware token to form a unique device that validates a user’s identity when accessing a software application or network. This represents a key element of trusted networks, where business partners can securely share information. This is essential now that the identity theft ‘network effect’, the rise of federated identity networks and rogue ID devices are a reality.

In a 2002 Federal Trade Commission study of consumer complaints, ID theft was the most common reason for an individual to contact a consumer protection group. According to OATH’s ‘Industry Roadmap for Strong Authentication’ white paper, “An average person has more than a dozen passwords, which hackers using software programs can typically copy and crack in seconds. As credit card accounts, social security numbers and other personal information is increasingly used and stored online, information can more easily be stolen from any place at any time. The ‘network effect’ related to identity fraud creates the need for strong credentials.”
Benefits for all?

According to those backing OATH’s proposals, it will lead to lower costs for devices such as chips, tokens and cards, and allow customers to replace existing disparate and proprietary security systems; validation will be simplified as a network utility instead of a complex enterprise responsibility; best-of-breed solutions will be enabled through interoperable components; and development of devices which embed multiple authentication methods such as One-Time Password, SIM authentication and PKI-based authentication will be possible. This will turn mobiles, PDAs and laptops into strong authentication devices, and give developers the ability to build connectors for strong authentication using open specifications. The architecture will share device credentials, algorithms and authentication software across network end-points such as desktop PCs, servers, switches, Wi-Fi access points and set-top boxes.

“As we’ve seen with PCs, networking and other advances, ubiquitous adoption of any technology accelerates with a shift from proprietary to open architecture,” says Stratton Sclavos, chairman and CEO, VeriSign. “An architecture such as OATH will be a key enabler and accelerator of secure communications and commerce. Customers demand choice, flexibility and protection… [OATH] supplies the missing pieces and sets out a path that the industry can take to offer enterprises solutions that can be deployed with ease.”

To aid development, OATH has created a roadmap. Technically, the roadmap looks at three areas:
• credentials and security devices;
• authentication protocols framework;
• credential provisioning and validation.

Within the credentials and security devices context, SIM-based authentication using a GSM/GPRS SIM, PKI-based authentication using X.509 v3 certificates and One-Time Password (OTP)-based authentication are to be addressed. A major goal of the roadmap is devices that can embed many, if not all, of the base authentication methods. The plan is to create flexible and versatile devices for authentication, encryption, signing, secure storage and physical access. The paper states: “... functionality and personalisation are essential to influence users to embrace devices such as a token on a key chain or a card in a wallet. By supporting multiple authentication methods, the device can interact with a range of networks and applications.”
Specifications

The OATH reference architecture leverages widely used protocols and technology such as LDAP (Lightweight Directory Access Protocol) and RADIUS. The companies involved in OATH aim to develop new specifications for the missing standards for credential provisioning and an OTP algorithm. These will be brought forward and refined within appropriate groups, including the Internet Engineering Task Force (IETF) and the Trusted Computing Group (TCG), as well as the Smart Card Alliance.

“We believe that strong, multifactor authentication is a must to increase the security of logical access and to provide assurance that individuals accessing networked data, applications and services are who they say they are,” says Cathy Medich, consultant and Task Force chair, Smart Card Alliance. “The Smart Card Alliance has been working with OATH to provide input on the role of cards for strong authentication and to assist in defining the early OATH activities.”
Credential provisioning and validation

The blueprint requires co-ordination of credential issuance and other management functions across all types of symmetric keys or RSA key pairs. In the method proposed, the SIM and OTP secrets become subordinate to an RSA key pair: the secrets are encrypted and embedded as attributes within the certificate. The certificate acts as a private store for the shared secrets, and the security device acts as a secure vault for the ‘root’ credential. Manufacturers and customers can then leverage the breadth of secret management capabilities and security practices from existing PKI platforms.
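The wrapping scheme just described, as an added example in Go that is not OATH’s or any vendor’s code: the OTP seed is encrypted under the device’s RSA public key, carried as an extension of the device’s certificate, and recovered only with the private key held in the device. The extension OID, the subject names and the sample seed are assumed placeholders, and a second RSA key stands in for a party that holds the certificate but not the device.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)
var oidWrappedOTPSeed = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical private-arc OID (assumed)
var oaepLabel = []byte("oath-otp-seed")                                  // binds the ciphertext to this purpose

// ProvisionCert runs on the issuer: the OTP seed is encrypted under the device's RSA public
// key and embedded as a certificate extension, so only the device's root private key can open it.
func ProvisionCert(devicePub *rsa.PublicKey, caKey *rsa.PrivateKey, otpSeed []byte) ([]byte, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, otpSeed, oaepLabel)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "token-0001"}, // constructed name
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidWrappedOTPSeed, Value: wrapped}},
	}
	issuer := &x509.Certificate{SerialNumber: big.NewInt(0), Subject: pkix.Name{CommonName: "provisioning-ca"}}
	return x509.CreateCertificate(rand.Reader, tmpl, issuer, devicePub, caKey)
}

// UnwrapSeed runs on the device: locate the attribute and decrypt it with the root private key.
func UnwrapSeed(certDER []byte, deviceKey *rsa.PrivateKey) ([]byte, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return nil, err }
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidWrappedOTPSeed) {
			return rsa.DecryptOAEP(sha256.New(), nil, deviceKey, ext.Value, oaepLabel)
		}
	}
	return nil, errors.New("certificate carries no wrapped OTP seed")
}
// RoundTrip issues a certificate, recovers the seed on the device, and checks that a key
// other than the device's root credential (here the issuer's own key) cannot unwrap it.
func RoundTrip() (bool, error) {
	deviceKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	certDER, err := ProvisionCert(&deviceKey.PublicKey, caKey, []byte("constructed-otp-seed"))
	if err != nil { return false, err }
	got, err := UnwrapSeed(certDER, deviceKey)
	_, wrongKey := UnwrapSeed(certDER, caKey)
	return err == nil && string(got) == "constructed-otp-seed" && wrongKey != nil, nil
}
```

The certificate can be stored or distributed freely: a holder without the device learns only the OAEP ciphertext, which is why the device, not the certificate, is the vault for the root credential.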
Freedom of choice

By incorporating standard open authentication technologies into a company’s products, OATH partners believe that such businesses will lead the way towards making strong authentication the solution to security challenges. “Consumers don’t want to be tied to one product or supplier,” says David Berman, partner marketing at VeriSign. “Manufacturers who use standard technology in their products will produce goods that, because they work with other technologies, will promote competition and be favoured by customers who do not want to be locked into solutions.”

“Open architecture is valuable for an entire system, melding competition with industry support,” says Philippe Martineau, VP, WLAN, Gemplus. “We believe the industry needs direction. Currently, there isn’t one solution for end-user authentication, rather multiple methods and solutions that must match diverse criteria, such as enterprise IT security and remote network access, be it wireless or fixed. We believe the OATH reference architecture will trigger new market opportunities by allowing wireless service providers to enable business travellers to remotely access their enterprise resources.”

Contact: David Berman at OATH, email: [email protected], www.openauthentication.org
Cathy Medich at the Smart Card Alliance, tel: +1 925 600 3617, email: [email protected]
Card Technology Today July/August 2004