Lucent Technologies' Bell Labs has designed new network security software that promises to make the process of logging into network-based services and applications easier and more secure without sacrificing user privacy. The new software was described at the USENIX Security conference in San Francisco, where a paper outlined a new, more secure model for user authentication systems.
The new security software consists of two complementary programs, called Factotum and Secure Store, that work together to prove a user's identity when he or she attempts to access a secure service or application such as online banking or shopping. In contrast to some commercially available approaches, where a company or third party is in control of user information, this approach may put the user in control of their personal information. Furthermore, it is designed to be an open platform that could authenticate a user with any website without requiring the website to adopt any single sign-on standard.
Secure Store acts as a repository for an individual's personal information, while Factotum serves as an agent that handles authentication on the user's behalf in a quick, secure fashion. This approach is designed to tackle the problem of how to conveniently hold and use a diverse collection of personal information such as usernames, passwords and client certificates, for authenticating users to merchants or other services.
"This model for doing authentication is inherently more secure because users control their information, personal information is stored on the network not on a device, and it employs the latest protocols," said Al Aho, professor of Computer Science at Columbia University and former Bell Labs vice president of Computing Sciences Research. "Additionally, it's incredibly convenient because these applications eliminate the need for users to type the same information over and over, or to remember multiple passwords for each service they wish to access."
While Factotum and Secure Store were both written for the Plan 9 operating system, an open-source relative of Unix developed at Bell Labs, they can be ported to other operating systems, including Solaris, Linux, Unix, and Windows. Both applications are currently available in source code form to industry and academia at http://plan9.bell-labs.com/plan9.
"This technology has the potential to serve as the foundation for a new generation of more secure, easier-to-use authentication systems," said Eric Grosse, director of Bell Labs' Networked Computing Research. "After using and improving Factotum and Secure Store in our own network and research lab, we are confident that they are ready for wider implementation."
To set up the Factotum and Secure Store services, a user would first enter all of his or her usernames and passwords for the various websites they subscribe to (online banking, web mail, shopping, etc.) into the Secure Store. The Secure Store server on the network protects this information using state-of-the-art cryptography and the Advanced Encryption Standard (AES).
To retrieve key files for Factotum, running on a local device like a laptop or PDA, users only need to provide a password to prove their identity, thanks to a new, advanced security protocol created by Bell Labs for doing password-authenticated key exchange, called PAK. This approach thwarts the most common security threats, like so-called "dictionary attacks" on the password, by making it impossible for someone to eavesdrop on the challenge-and-response exchange used in most password schemes.
When Factotum accesses a user's keys, it stores the information in protected random access memory (RAM), and keeps it there for a short period of time. According to Lucent, this is an improvement over today's common method of storing passwords on a user's hard drive, which is insecure. Factotum only holds user information in memory when the machine is running, and when the machine is off, the secrets are only kept in Secure Store. The final security precaution designed into the new architecture is that Secure Store is located on the network, not on the user's PC, so even if a user's machine is hacked or stolen, the information stored in Secure Store is safe.
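The division of labour described in the last three paragraphs (an encrypted network-side store unlocked with a password, and a local agent that holds the keys only in memory, for a bounded time, and answers challenges so that client programs never see the secrets) can be modelled in a few dozen lines. The following Go program is an added example, not Bell Labs' or Plan 9's code: the names SecureStore, Agent and Key, the one-line-per-key file format, and the iterated-SHA-256 key derivation standing in for the PAK protocol are all assumptions of this example, and the credentials in it are constructed.

```go
package main

// Added illustrative model of the Factotum / Secure Store split. Not Bell Labs'
// code: every name and format below is invented for this example.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Key is one credential tuple: public attributes used for lookup plus a secret
// that never leaves the agent.
type Key struct {
	Attrs  map[string]string
	Secret []byte
}

// deriveKey stands in for the password-authenticated key exchange (PAK) named in
// the article: it stretches the password into an AES-256 key. A real deployment
// would use a PAKE (or at least scrypt/Argon2), not iterated SHA-256.
func deriveKey(password string, salt []byte, iters int) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iters; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// SecureStore models the network-side repository: it holds only salt, nonce and
// AES-GCM ciphertext, so a stolen copy yields nothing without the password and
// tampering is detected by the GCM tag.
type SecureStore struct{ salt, nonce, sealed []byte }

func gcmFor(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(password, salt, 100000))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewSecureStore(password, keyfile string) (*SecureStore, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(password, salt)
	if err != nil {
		return nil, err
	}
	return &SecureStore{salt, nonce, gcm.Seal(nil, nonce, []byte(keyfile), nil)}, nil
}

// Fetch releases the plaintext key file only to a caller holding the password.
func (s *SecureStore) Fetch(password string) ([]byte, error) {
	gcm, err := gcmFor(password, s.salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.nonce, s.sealed, nil)
	if err != nil {
		return nil, errors.New("secure store: wrong password or tampered ciphertext")
	}
	return pt, nil
}

// Agent models Factotum: keys live only in process memory, for a bounded time,
// and client programs receive challenge responses rather than the secrets.
type Agent struct {
	keys    []Key
	expires time.Time
	TTL     time.Duration
	Now     func() time.Time // injectable clock so expiry can be tested
}

func NewAgent(ttl time.Duration) *Agent { return &Agent{TTL: ttl, Now: time.Now} }

// Load fetches and parses the key file: one key per line, "!name=value" is the secret.
func (a *Agent) Load(store *SecureStore, password string) error {
	pt, err := store.Fetch(password)
	if err != nil {
		return err
	}
	a.Zero()
	for _, line := range strings.Split(string(pt), "\n") {
		k := Key{Attrs: map[string]string{}}
		for _, f := range strings.Fields(line) {
			if name, val, ok := strings.Cut(f, "="); ok && strings.HasPrefix(name, "!") {
				k.Secret = []byte(val)
			} else if ok {
				k.Attrs[name] = val
			}
		}
		if len(k.Attrs) > 0 {
			a.keys = append(a.keys, k)
		}
	}
	a.expires = a.Now().Add(a.TTL)
	return nil
}

// Zero overwrites the secrets and drops the keys; used on expiry and shutdown.
func (a *Agent) Zero() {
	for i := range a.keys {
		for j := range a.keys[i].Secret {
			a.keys[i].Secret[j] = 0
		}
	}
	a.keys = nil
}

func (a *Agent) Loaded() int { return len(a.keys) }

// Respond answers a server challenge with HMAC-SHA256(secret, challenge) using the
// first key whose attributes match; the caller never sees the secret itself.
func (a *Agent) Respond(want map[string]string, challenge []byte) (string, error) {
	if a.Now().After(a.expires) {
		a.Zero()
		return "", errors.New("agent: keys expired, reload from secure store")
	}
	for _, k := range a.keys {
		if matches(k.Attrs, want) {
			m := hmac.New(sha256.New, k.Secret)
			m.Write(challenge)
			return hex.EncodeToString(m.Sum(nil)), nil
		}
	}
	return "", errors.New("agent: no matching key")
}

func matches(have, want map[string]string) bool {
	for n, v := range want {
		if have[n] != v {
			return false
		}
	}
	return true
}

// Verify is the service side: it shares the secret and recomputes the response.
func Verify(secret, challenge []byte, response string) bool {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return hmac.Equal([]byte(hex.EncodeToString(m.Sum(nil))), []byte(response))
}

func main() {
	// Constructed sample key file; passwords are made up for this example.
	keyfile := "proto=pass dom=bank.example user=alice !password=correct-horse\n" +
		"proto=pass dom=mail.example user=alice !password=battery-staple\n"
	store, err := NewSecureStore("store password", keyfile)
	if err != nil {
		panic(err)
	}
	agent := NewAgent(5 * time.Minute)
	if err := agent.Load(store, "store password"); err != nil {
		panic(err)
	}
	challenge := []byte("nonce-from-bank-42")
	resp, err := agent.Respond(map[string]string{"dom": "bank.example", "user": "alice"}, challenge)
	fmt.Println(resp, err, Verify([]byte("correct-horse"), challenge, resp))
}
```

The two properties the article stresses are visible in the model: the store holds ciphertext only, so a copy taken from a compromised or stolen machine is useless without the password, and the agent's Respond method hands client programs a challenge response rather than the password, then wipes its memory once the time-to-live elapses.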
"The new security features in Plan 9 integrate organically into the system, making it unique among security options in the marketplace today," said David Nicol, professor of computer science at Dartmouth College and associate director of Research and Development at the school's Institute for Security Technology Studies. "Bell Labs' design recognizes rightly that identity and the authentication of identity are the heart and soul of security. My research group plans to use this code as we develop backbone peer-to-peer networks of trustable components with applications to securing critical infrastructure."
For more information on Lucent Technologies, visit its Web site at http://www.lucent.com.