SECURITY ASPECTS OF CHOSEN WEB BASED AUTHENTICATION MECHANISM

Adrian Kapczyński, Silesian University of Technology, [email protected]
Rozwiązania internetowe w SWO

Abstract

This paper focuses on authentication in business-to-business and business-to-consumer solutions. Its aim is to present general rules of secure authentication when single sign-in mechanisms are used. Key words: e-commerce, security, authentication

Introduction

Nowadays information is one of a business's most important assets; it determines whether declared goals are achieved in a dynamically changing environment. Information delivered at the right time, in the right place and in the right form improves the output of decision-making processes. As business-to-business solutions have evolved, proper sharing of information with business partners such as suppliers or clients can lead to effective growth of sales revenue. Proper sharing means providing the needed functionality while meeting security requirements. Information stored and transferred in the digital nervous system of a company must be well protected and must not be subject to changes applied by unauthorized users. Finally, given the quantity and importance of the information stored in an information system, continuous assurance of its protection is necessary.

Commercial companies now carry out activities aimed at improving sales through the Internet, which both companies and customers perceive as a medium for realizing commercial transactions. That kind of trade is called electronic commerce and can be understood as the technology that opens new possibilities for exchanging mission-critical information in business-to-business, business-to-customer and other relations such as business-to-administration [MAHA00]. Exchanging information over the Internet permits fast transfer, but it also carries threats. Because of the complexity of market connections and the number of functions realized by information systems, along with the dynamic development of World-Wide-Web technology, security becomes the foreground problem. This article deals with the security of information systems, pointing particularly at authentication for web-based access. Its aim is to describe and analyze the logic of authentication mechanisms used in web-based access to resources shared by parties in business-to-customer or business-to-business solutions.

E-commerce security at authentication level

The rapid expansion of commerce on the Internet leaves little doubt that an identity solution is needed for customers and for companies providing services on the Internet. As reports show, in 2002 about 10% of people worldwide were logging onto the Internet, using almost 800 million different devices, from computers to mobile phones. Looking ahead, the number of Internet users worldwide is expected to double between 2001 and 2006, increasing from 500 million to 1 billion [FINN03]. Given these statistics, authentication on the web, protecting privacy and providing appropriate levels of security are issues of the utmost importance.

To implement an e-commerce application, one has to be concerned with the security of the computer system and ensure that it keeps working despite attempts by intruders to stop it. Information that has been published and is thus accessible from the Internet is extremely sensitive and likely to be targeted by impostors. Since access is granted after credentials such as a user name (company name) and password are provided, authentication becomes one of the most important processes and should be carefully analyzed by security officers. The point is that stealing (or breaking) the most frequently used passwords is unfortunately not a tough problem even for inexperienced attackers. Security officers should be aware that verifying only something one knows can be very risky, that is, it can lead to a high rate of false acceptance.

Several solutions exist in this area, and they can be divided into two groups. The first group consists of sites that use profiles of users or companies created by their own security mechanisms and stored in their own databases. In this case the end user or company has to create as many profiles as it has business partners participating in e-commerce: for example, with three companies as suppliers one needs to create and store three pairs of user name (company name) and password. Interesting statistics were prepared by Jupiter Media Metrix [FINN03], which reported that more than 10% of customer-service interactions for over one third of all companies involve customers who have forgotten their passwords, and for some companies that figure is more than 30%. According to the report, 38% of the companies were lowering strategic investments in authentication systems because of the cost, complexity and inflexibility of existing systems.

The second group consists of solutions that rely on registering profiles of end users or companies in the central database of a chosen company. That company protects the profiles and offers authentication modules that can be easily implemented into e-commerce enabled websites, the so-called "participating sites". In contrast to the first group, there is a single sign-in rather than multiple sign-ins. In this article the single sign-in solution named .NET Passport, provided by Microsoft, is briefly described and analyzed.

.NET Passport basics

.NET Passport is a web-based service launched in 1999 that implements a single sign-in mechanism to provide secure information access for e-commerce solutions. With the proliferation of e-commerce, it has become commonplace for merchants to provide profiling services with authentication to protect their customers' privacy while they shop online. As a result, customers have to remember a password and user name for every site they register with. Reusing the same user name and password gives an impostor total control over the profiles at every other site the customer has visited once that password is compromised. Using different passwords is safer, but remembering all the combinations becomes a problem, and writing them down increases the probability of compromise. Single sign-in was invented to address this problem. It can be defined as the way in which users enter multiple sites by entering only one set of user name and password. .NET Passport is one implementation of this mechanism; it solves the authentication problem for users by allowing them to create a single set of credentials with which they can log in to any site that supports .NET Passport. The following section describes .NET Passport accounts and, later, how such an account is used during the single sign-in authentication process.

.NET Passport accounts

A .NET Passport user account is made of four parts, the last one optional [MICR02]:

1. The .NET Passport unique identifier (PUID), assigned by the .NET Passport service during account creation. The PUID is a 64-bit numeric value.
2. The .NET Passport user profile (e-mail address or phone number is obligatory; first and last names and address are optional).
3. The .NET Passport credential (e-mail address or phone number along with the password).
4. The .NET Passport wallet (credit card numbers and expiration dates).

Passport accounts are created during the .NET Passport registration process, which can be run in one of the following ways:

1. By opening an e-mail account on www.hotmail.com or www.msn.com.
2. By registering at a website that uses .NET Passport single sign-in, which automatically redirects users to a co-branded, centrally hosted .NET Passport registration page.
3. By registering directly at http://www.passport.com.
4. By using the Microsoft Windows XP registration wizard.

By registering for a .NET Passport, the user creates unique online authentication credentials valid at any .NET Passport single sign-in site. These credentials are linked to the PUID assigned by the .NET Passport service. At the end of account creation, the .NET Passport service starts a process to validate the e-mail address typed during registration: it sends a message containing a URL to that address, and by clicking the URL the user is redirected to a .NET Passport page where the address can be validated. This process ensures that the .NET Passport holder owns the e-mail address, and the .NET Passport service flags the account as having a valid e-mail address. A .NET Passport is still usable even if the e-mail address is not validated, but in the near future .NET Passport will enable users to reclaim a .NET Passport if they own an e-mail address that has previously been registered as a .NET Passport.

Logic of authentication mechanism

The Passport authentication protocol relies on a Passport server that stores the customers' credentials centrally in a database. When the customer visits a site that asks for user authentication, the customer is directed over an SSL (Secure Sockets Layer) connection to sign in at the Passport server; a user who does not yet have a Passport account is asked to register one. The Passport server then retrieves the user profile from its database to verify the correctness of the password. Once that is done, the Passport server generates a cookie containing the profile and other information, such as a time stamp, wrapped as a ticket. It redirects the customer to the merchant with this ticket encrypted with triple DES under a secret key shared by the Passport server and the merchant, telling the merchant that the customer is authenticated. Afterwards the merchant sets its own encrypted cookie in the customer's browser, so the customer does not need to sign in to the Passport server again during the same browser session. When the customer visits another online merchant that asks for the same set of credentials, the Passport server recognizes the customer by reading the Passport cookie and redirects back to the merchant, so no further user intervention is required.

The following procedure describes the .NET Passport authentication process for a user who is not yet authenticated by .NET Passport and signs in to a participating site:

1. Initial page request. The user clicks the sign-in link at the participating site in order to access a page that requires .NET Passport authentication.
2. Redirection for authentication. The user is redirected to the .NET Passport sign-in page; a unique Site ID identifies the participating site requesting the authentication.
3. Authentication request. A return URL, the same URL the user requested, is added to the .NET Passport login server URL as a query string parameter.
4. Authentication response. Before anything else, the .NET Passport login server checks the Site ID and the return URL; if they do not match an entry in the list of participating .NET Passport sites, the authentication is rejected. Otherwise the login server displays a secure form with boxes for the credentials. If the user's e-mail address and password match an entry in the .NET Passport database, the authentication result is accept.
5. Generating profile information. The user's PUID is extracted from the .NET Passport database along with the user profile information the user has agreed to share with participating sites at sign-in. That information is used to create three .NET Passport cookies: the "Ticket cookie" (the PUID and a time stamp), the "Profile cookie" (the user profile information) and the "Visited Sites cookie" (a list of the sites the user has signed in to). These three cookies are encrypted with the triple DES algorithm [MICR02].
6. Authenticated request preparation. .NET Passport encrypts the ticket and profile data, adds them as query string parameters to the return URL provided in the authentication request and redirects the browser to the participating site.


7. Authenticated request processing. The participating site extracts the ticket and profile data from the query string and passes them to the .NET Passport Manager running at the participating site, which decrypts them to obtain the PUID and the profile information. The user is now authenticated.

Analysis of this procedure shows that there is no direct server-to-server transfer of users' authentication and profile information between .NET Passport and participating sites: the information exchange occurs through the Internet browser using HTTP redirects and cookies. The .NET Passport Manager on the participating site's server does, however, periodically download a centrally hosted configuration file (an XML document with the current addresses of the .NET Passport servers). It is also worth noting that all cookies are temporary and expire after a period of time, which limits how long a stolen cookie remains usable. There is also a sign-out function on the web page that deletes all the cookies from the user's browser. Moreover, even when the user visits another merchant after authentication, that merchant still has the option to ask the user to sign in to the Passport server again regardless of the cookie in the browser. This prevents accidental misuse of a Passport account, such as leaving the computer without signing out, and is most applicable to financial service providers. Furthermore, the SSL used for signing in to the Passport server is a reliable, universally recognized mechanism. Although it degrades transmission performance, it significantly improves the security of the transmitted information, which is critical to both the customer and the merchant.
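The seven-step procedure above, simulated end to end as an added example: this is not code from the paper, from Microsoft or from the Passport Manager, and it only models the logic the paper describes. It assumes names and values the paper does not give: the query-string parameter names "t" and "p", the wire format of the sealed blobs, the freshness window that the participating site enforces, the constructed Site ID, account and PUID, and the use of PBKDF2 for the password database. The paper states that the ticket and profile are encrypted with triple DES under a key shared by Passport and the site; to run on the standard library alone, this code substitutes an HMAC-SHA256 keystream plus an HMAC tag (encrypt-then-MAC) keyed from the same per-site shared secret. The two checks worth seeing in code are the step 4 rejection of an unregistered Site ID or return URL (otherwise the ticket would be redirected to an attacker's host) and the step 7 freshness check on the ticket's time stamp.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data (not from the paper): one participating site and one account.
SITE_KEY = hashlib.sha256(b"shared secret issued to site 1001 at registration").digest()
SITES = {"1001": {"host": "shop.example", "key": SITE_KEY}}   # Site ID -> allowed return host, key
_SALT = b"constructed-salt"
USERS = {
    "alice@example.com": {
        "puid": 0x0006BFFFDCE1A0B3,            # 64-bit numeric PUID (constructed value)
        "salt": _SALT,
        "hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 50_000),
        "profile": {"email": "alice@example.com", "first": "Alice", "city": "Gliwice"},
        "shares": ["email", "first"],          # fields the user agreed to share with sites
    },
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode, HMAC(key, nonce || counter); stand-in for the 3DES cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(shared_key: bytes, data: dict) -> str:
    """Encrypt-then-MAC a JSON object under the key shared by Passport and one site."""
    enc_key = hmac.new(shared_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_key, b"mac", hashlib.sha256).digest()
    plain = json.dumps(data, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(shared_key: bytes, token: str) -> dict:
    """Check the tag before decrypting; a wrong site key or any edit is rejected."""
    enc_key = hmac.new(shared_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_key, b"mac", hashlib.sha256).digest()
    raw = base64.urlsafe_b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: bad tag (tampered, or sealed for a different site)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))


class PassportLoginServer:
    """Central login server: credential database plus the participating-sites list."""

    def __init__(self, sites: dict, users: dict):
        self.sites, self.users = sites, users

    def sign_in(self, site_id: str, return_url: str, email: str, password: str, now: int) -> str:
        # Step 4: Site ID and return URL must match a registered participating site,
        # otherwise the ticket would be handed to an attacker-controlled host.
        site, parts = self.sites.get(site_id), urlparse(return_url)
        if site is None or parts.scheme != "https" or parts.hostname != site["host"]:
            raise PermissionError("rejected: Site ID / return URL not registered")
        user = self.users.get(email.lower())
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 50_000) if user else b""
        if not user or not hmac.compare_digest(digest, user["hash"]):
            raise PermissionError("rejected: credentials do not match")
        # Steps 5-6: ticket = PUID + time stamp; profile = only the consented fields;
        # both go back through the browser as query-string parameters (names assumed).
        ticket = {"puid": user["puid"], "ts": now}
        profile = {k: user["profile"][k] for k in user["shares"]}
        sep = "&" if parts.query else "?"
        return return_url + sep + urlencode({"t": seal(site["key"], ticket), "p": seal(site["key"], profile)})


class ParticipatingSite:
    """Passport Manager at the site: it never calls the login server, it only decrypts
    what the browser brings back and checks the ticket's age (window assumed)."""

    def __init__(self, shared_key: bytes, max_ticket_age: int):
        self.key, self.max_ticket_age = shared_key, max_ticket_age

    def process_return(self, url: str, now: int) -> dict:
        # Step 7: extract t and p, decrypt with the shared key, enforce freshness so a
        # captured redirect cannot be replayed later (a bank would use a short window).
        qs = parse_qs(urlparse(url).query)
        ticket, profile = unseal(self.key, qs["t"][0]), unseal(self.key, qs["p"][0])
        if not 0 <= now - ticket["ts"] <= self.max_ticket_age:
            raise PermissionError("rejected: ticket time stamp outside the accepted window")
        return {"puid": ticket["puid"], **profile}


def demo(now: int = 1_050_000_000) -> dict:
    """Full round trip: sign-in at Passport, redirect to the site, ticket processed."""
    server, site = PassportLoginServer(SITES, USERS), ParticipatingSite(SITE_KEY, 300)
    redirect = server.sign_in("1001", "https://shop.example/checkout", "alice@example.com", "correct horse", now)
    return site.process_return(redirect, now + 5)


if __name__ == "__main__":
    print(demo())
```

Note that the participating site learns only the PUID and the consented profile fields ("city" never leaves the login server), that a second site holding a different shared key cannot open the first site's ticket, and that a return URL pointing at a host other than the registered one is refused before the credential form is ever shown.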

Benefits of applying the analyzed solution

The benefits of the described solution can be enumerated for both customers and companies. For customers, it delivers a valuable set of credentials to use online, providing value at an ever-increasing number of sites and services on the Internet. It is a helpful tool for managing an online identity and keeping control over the sharing of personal information. For participating e-commerce merchants, .NET Passport offers the easiest way to implement authentication on any site or service, regardless of the site's underlying technology. It can also be treated as a service flexible enough to meet business partners' authentication needs, adding support for new security options and authentication technologies as the industry evolves. By relying on .NET Passport to authenticate users rather than hosting their own proprietary authentication system, participating sites can focus their resources on their services instead of maintaining that system.

Final remarks and further work

In this article a chosen authentication mechanism used in web-based access was briefly described. On the basis of that description, it is likely that .NET Passport will help users and businesses unlock the Internet's full potential by enabling them to control their information and personalize their Web experience. Furthermore, analysis of the authentication procedure enables security officers to pinpoint the weak points in terms of computer security, such as privacy issues, scalability and reliability, or interoperability with legacy (existing) authentication systems. In the future, .NET Passport will manage all improvements to the authentication process by providing additional authentication methods and security levels based on smart cards, digital certificates and biometrics. Further work will concern the use of biometrics in web-based authentication mechanisms and examining adaptability to mobile phones.

Acknowledgement

The author would like to acknowledge the State Committee for Scientific Research for supporting the project.

References

[FINN03] L. Finnel: Building Secure Microsoft ASP.NET Applications, Microsoft Press, 2003.
[MAHA00] Ch. Mahadevan: E-commerce security, Information Systems Control Journal, 2000.
[MICR02] Microsoft Passport Website: www.passport.com.

Summary (translated from Polish)

SECURITY ASPECTS OF A CHOSEN AUTHENTICATION MECHANISM ON THE INTERNET. This article presents selected security aspects of authentication services used in B2B and B2C access solutions. Its aim is to present the fundamental rules of secure authentication when single sign-in mechanisms are used in the chosen solution. Key words: e-commerce, security, authentication
