Why You Want to Authenticate Everything

What is Authentication?

Authentication is the act of proving an assertion. In information security, this is often understood as verifying the identity of a computer user.

Identification must be differentiated from authentication. Identification is the ability to uniquely identify a thing: a person, a machine, a process running in a computer, and so on. Authentication is the ability to prove the identity of that thing. As we will see, it provides more than this. See the previous blog post here.

Typical Applications of Authentication

These are five common applications for authentication. In past blog posts, we covered the use of public key cryptography, public key infrastructures, and secret key cryptography. Those are fundamental to understanding this new part of authentication.

Application 1: Proving the identity of a human user who seeks access to a corporate application, a web server, etc. This type of authentication typically involves the query of the person’s unique identifier such as an email address, and a password. This authentication scheme is very often enhanced with a second factor to mitigate the compromise of the password. The second factor can be a one-time code sent over to the user’s phone: this additional protection forces attackers to steal both the password and the user’s phone, which greatly limits the risks. This is known as multi-factor authentication.

Application 2: Proving a machine’s identity. In a secure network, computers or connected devices, such as IoT devices, must authenticate each other before exchanging data. Without this measure, hackers could connect rogue devices to the network and impersonate legitimate devices. Machines commonly use public key-based authentication (cf. Part 1 and 2). Unlike humans, who authenticate themselves with memorized passwords and physical attributes, machines use a private key to sign a random number (the “challenge”) sent by the verifier, and present a certificate issued by the network certification authority. This authentication scheme is called “Strong authentication” or “Challenge-Response authentication”.

Application 3: Proving the provenance and integrity of data. When a networked machine receives data over a network, it must confirm the identity of the sending machine and be assured that the data has not been modified in transit. Without this, hackers could forge fake network traffic (spoofing), or tamper with data in transit. Most networks today use protocols to mitigate this risk, such as Transport Layer Security (TLS, formerly known as SSL), which combines mutual machine authentication as an initial step (as in the application above) with a secure exchange of secret keys between the two machines, and secret-key-based authentication of all data exchanged between these two machines (and very often, encryption) using the exchanged key. This way, the origin of data is guaranteed, as the wrong sender wouldn’t have the right session key, and the integrity of data is enforced, as any modification of the data would lead to a verification failure on the receiver’s end.
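The secret-key authentication of exchanged data described in Application 3 can be sketched as follows. This is an added example, not code from the original post, and it is a simplified record layout rather than the actual TLS record format; the names `protect` and `Receiver`, the sequence-number check, and the sample payloads are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def protect(session_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: prepend a sequence number, append a tag over both."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(session_key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, session_key: bytes):
        self._key = session_key
        self._next_seq = 0  # next sequence number we are willing to accept

    def accept(self, record: bytes):
        """Return the payload if the record is authentic and in order, else None."""
        if len(record) < 8 + TAG_LEN:
            return None
        body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None  # modified in transit, or sender lacks the session key
        (seq,) = struct.unpack(">Q", body[:8])
        if seq != self._next_seq:
            return None  # authentic, but replayed or out of order
        self._next_seq += 1
        return body[8:]

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed stand-in for the exchanged session key
    rx = Receiver(key)
    r0 = protect(key, 0, b"valve=closed")
    r1 = protect(key, 1, b"valve=open")
    tampered = r0[:10] + bytes([r0[10] ^ 0x01]) + r0[11:]  # one payload bit flipped
    forged = protect(secrets.token_bytes(32), 0, b"valve=open")  # sender has wrong key
    return {
        "tampered": rx.accept(tampered),
        "forged": rx.accept(forged),
        "genuine": rx.accept(r0),
        "replayed": rx.accept(r0),
        "next": rx.accept(r1),
    }

if __name__ == "__main__":
    print(demo())
```

The tag alone proves origin and integrity; the sequence number is what stops an attacker from re-sending a record that was authentic the first time.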

Application 4: Proving a computer program’s origin. It is essential that computers, or any kind of connected device, execute only legitimate software. An attacker injecting arbitrary software into such a device can take control of the data it manipulates, including personal user data. The attacker could also weaponize the device and use it to attack other machines on the network (for example, in Denial of Service (DoS) attacks). Such authentication, also called “code signing”, also uses public-key cryptography: the code signer digitally signs the software with a private key, and the device uses the corresponding public key to make sure of the provenance of the software.

Application 5: Attestation. Attestation can be seen as the authentication of a machine’s current state. The machine state can be anything, including the software/OS revision executed, the machine hardware revision, the machine configuration, the fact that the executed software has been authenticated (as in the previous application), and the answer to additional questions such as “Was the last OS update applied?” or “Is the anti-virus running?”. Usually, the state is a set of attributes that establish some trust in the machine. In network communication, this gives additional assurance between the machines. For example, your banking website could refuse to let you connect with an outdated OS version even though you were perfectly authenticated. Again, attestation uses public-key cryptography.

Authentication Enables Trusted Computing

Typical information security (InfoSec) today combines all of the above to provide so-called “trusted computing”: users authenticate themselves to network applications, underlying machines authenticate each other, get assurance of their mutual trustworthiness through attestation, and verify the integrity of the traffic so that the application-level exchange between the user and the application is perfectly reliable. Encryption is almost always added on top of this to preserve the user’s personal data over the network.

Hardware Counterfeits are also Prevented

Strong authentication, like in application 2 above, is also a powerful tool to prevent the production of counterfeit devices. Public or secret key-based authentication can be used to authenticate hardware devices such as disposable medical devices, to make sure they are genuine. In scenarios where accessories are connected to a main appliance, the appliance can use a challenge-response authentication to obtain confirmation that the device was produced by the authorized manufacturer and is not a clone. The device can provide evidence of its genuineness by demonstrating knowledge of the manufacturer’s key (if using secret key authentication), or possession of a manufacturer-certified private key (when using public-key based authentication).
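The secret-key variant of this accessory check can be sketched as below. This is an added example, not code from the original post; the class names, the serial number, and the derivation of a per-device key from the manufacturer’s key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive_device_key(manufacturer_key: bytes, serial: bytes) -> bytes:
    # Assumption: each accessory's key is derived from the manufacturer's key and its serial.
    return hmac.new(manufacturer_key, b"accessory|" + serial, hashlib.sha256).digest()

class Accessory:
    def __init__(self, serial: bytes, device_key: bytes):
        self.serial = serial
        self._key = device_key  # provisioned at manufacture

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Appliance:
    def __init__(self, manufacturer_key: bytes):
        self._mk = manufacturer_key
        self._pending = {}  # serial -> outstanding challenge

    def new_challenge(self, serial: bytes) -> bytes:
        self._pending[serial] = secrets.token_bytes(16)  # fresh and unpredictable
        return self._pending[serial]

    def verify(self, serial: bytes, response: bytes) -> bool:
        challenge = self._pending.pop(serial, None)  # each challenge is single-use
        if challenge is None:
            return False
        key = derive_device_key(self._mk, serial)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)  # constant-time comparison

def demo() -> dict:
    mk = secrets.token_bytes(32)  # constructed manufacturer key
    sn = b"SN-0001"  # constructed serial number
    appliance = Appliance(mk)
    genuine = Accessory(sn, derive_device_key(mk, sn))
    clone = Accessory(sn, secrets.token_bytes(32))  # copied serial, but no valid key
    captured = genuine.respond(appliance.new_challenge(sn))
    results = {"genuine": appliance.verify(sn, captured)}
    results["unsolicited"] = appliance.verify(sn, captured)  # no open challenge
    results["clone"] = appliance.verify(sn, clone.respond(appliance.new_challenge(sn)))
    appliance.new_challenge(sn)
    results["replay"] = appliance.verify(sn, captured)  # old answer, new challenge
    return results

if __name__ == "__main__":
    print(demo())
```

With secret-key authentication the appliance itself must hold the manufacturer’s key, so that key needs protected storage; the public-key variant only requires the appliance to hold a public key and check the accessory’s certificate.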

Conclusion

In conclusion, authentication is central to the security of information, and to the safety of users by preventing the production of counterfeit devices.