It takes three

Jun 1, 2002 12:00 PM, By BILL HOLMES



Precise identification is the foundation for security. Whether confirming building access to employees, validating a pilot entering an aircraft, or completing a transaction on the Internet — they all rely on knowing exactly who is there.

Technologies now exist that deliver a far stronger mechanism for identification than any employee badge, driver's license or password. Public key infrastructure (PKI), smart cards and biometrics, used together, raise identification, both physical and virtual, to a level of assurance once reserved for military installations or government communications.

Passwords, pictures and PINs

Common identification methods offer little more than a façade of security. Employee badges are the usual tool for granting physical access, yet, like photo IDs such as passports or driver's licenses, they are easily falsified, lost or misused. A card that merely carries a name and a photograph presents little obstacle to an attacker equipped with modern imaging and printing equipment.

For virtual business, meaning Internet transactions and remote access to documents or applications, passwords and personal identification numbers (PINs) are the most common form of digital identity, and they are rightly regarded as insecure. A password is a "shared secret": at least two parties, the user and the system that checks the password, must know it, and a secret known to more than one party can leak from either side. Passwords are also easily discovered, whether through human carelessness, by theft from the system that stores them, or by guessing with automated cracking tools.

Enter PKI

Unlike passwords or PINs, PKI lets a recipient verify who originated a file, document or message, and optionally ensures that only the intended recipient can open it. It rests on asymmetric cryptography: each user holds a pair of mathematically related keys, a private key that is never disclosed and a public key that can be distributed freely. What one key produces, only the other can check or undo: a signature made with the private key is verified with the public key, and data encrypted to the public key is decrypted only with the private key. A public key by itself is just a number, however; PKI is the infrastructure of certificate authorities, certificates and revocation that ties that number to a specific individual.

The shared secret disappears because the verifying side only ever needs the public half of the pair; nothing the verifier holds would let it impersonate the user. The same signing mechanism used for a document or transaction carries over to the physical world, letting an individual prove possession of the key named in his or her certificate, and hence identity, in applications such as building access, loyalty programs or travel.

PKI therefore addresses the central weakness of passwords, PINs and photo IDs: none of them can authenticate the individual as being who he or she claims to be. With a driver's license there is no validated, indisputable factor linking the license to its holder. Such a link is a basic tenet of precise identification, and it is the only way to extend proof of identity beyond the physical storefront and into virtual environments.

How authentication works

A certificate authority (CA), a trusted third party, records its vouching for a person's identity in a "digital certificate": a statement, signed by the CA, that binds the person's name to that person's public key. Because a reputable CA applies rigorous checks before issuing, a relying party that trusts the CA can treat that binding as accurate. Anyone who holds the CA's own public key can verify the CA's signature on the certificate, so the certificate can travel with the user and be checked without contacting anyone. The relying party must still confirm that the certificate is within its validity period, was issued for the intended purpose and has not been revoked; a certificate that fails any of these checks proves nothing.

In a PKI authentication, the party that needs to confirm identity first sends the user a random challenge, a fresh value that has never been used before, so that nobody can replay an earlier response and pose as someone else. The user answers by signing the challenge with his or her private key; only the correct private key can produce a valid signature over that particular challenge. The response carries the user's digital certificate, and the inquiring party, after verifying the certificate itself, uses the public key it contains to confirm that the signature, and hence the response, came from the certified person.
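The exchange described above, as an added example and not code from the original article or from SSP Solutions: a constructed CA ("Example Root CA") issues a certificate to a cardholder named "Alice", the verifier sends a random challenge, the card signs it, and the verifier checks that the certificate chains to the CA it trusts and that the signature verifies under the certified key, consuming each challenge so that a captured response cannot be replayed. The Ed25519 algorithm, the names, the 24-hour validity period and the in-memory table of outstanding challenges are assumptions of this example; the article names no algorithm. Only the Go standard library is used, and revocation checking, which a production verifier also needs, is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Response is the holder's answer: the signature over the challenge plus the certificate naming the signing key.
type Response struct{ CertDER, Signature []byte }

// Card is the holder's side. The private key never leaves it; only signatures do (a real card signs on-chip).
type Card struct {
	priv ed25519.PrivateKey
	cert *x509.Certificate
}

func (c *Card) Respond(challenge []byte) Response {
	return Response{CertDER: c.cert.Raw, Signature: ed25519.Sign(c.priv, challenge)}
}

// Verifier is the relying party. It trusts one CA root and tracks which challenges are still unanswered.
type Verifier struct {
	roots   *x509.CertPool
	pending map[string]bool
}

func (v *Verifier) NewChallenge() ([]byte, error) {
	c := make([]byte, 32) // 256 fresh random bits, so a captured earlier answer cannot be reused
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[string(c)] = true
	return c, nil
}

// Check returns the proven name if the challenge is outstanding, the certificate chains to the trusted
// root with a client-authentication usage, and the signature verifies under the key in that certificate.
func (v *Verifier) Check(challenge []byte, r Response) (string, error) {
	if !v.pending[string(challenge)] {
		return "", errors.New("challenge not outstanding (replayed or never issued)")
	}
	delete(v.pending, string(challenge)) // single use, consumed even if the rest fails
	cert, err := x509.ParseCertificate(r.CertDER)
	if err == nil { // chain to our root, validity period and extended key usage are all checked here
		_, err = cert.Verify(x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	if err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, r.Signature) {
		return "", errors.New("signature does not verify under the certified key")
	}
	return cert.Subject.CommonName, nil
}

// issue signs tmpl for pub with signer and returns the parsed certificate; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Setup stands up a constructed CA ("Example Root CA") and enrolls one holder, "Alice", whose public key the
// CA signs into a certificate. Every call builds an independent CA, which doubles as an untrusted one in tests.
func Setup() (*Verifier, *Card, error) {
	caPub, caPriv, err1 := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert, err := issue(caTmpl, caTmpl, caPub, caPriv)
	if err != nil {
		return nil, nil, err
	}
	userCert, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		caCert, userPub, caPriv)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Verifier{roots: roots, pending: map[string]bool{}}, &Card{priv: userPriv, cert: userCert}, nil
}

func main() {
	v, card, err := Setup()
	if err != nil {
		panic(err)
	}
	ch, _ := v.NewChallenge()
	resp := card.Respond(ch)
	name, err := v.Check(ch, resp)
	fmt.Println("fresh challenge:", name, err)
	_, err = v.Check(ch, resp)
	fmt.Println("same response again:", err)
}
```

Running it prints the authenticated name for the fresh challenge and an error for the replay. Note that Check deletes the challenge before doing any cryptographic work: a failed attempt burns the challenge, so an attacker cannot keep retrying against the same one, and a certificate from a CA the verifier does not trust is rejected even though it, too, names an "Alice".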

The Smart Place to Store Your Keys

The e-business environment created by PKI is further secured when the private key is kept off the computer altogether. A smart card is an excellent and highly secure alternative to storing this sensitive material on the hard drive. The card not only holds the private key in tamper-resistant memory, it provides a protected environment in which the signing ceremony itself takes place. Because the signature is computed on the card, the private key is never exposed to the PC, so malware on the host cannot copy it and the identity cannot be cloned. One caveat remains: a compromised host can still hand the card data to sign while the holder's PIN session is open, so the key cannot be stolen but it can be misused, which is why sessions should be short and the card removed when not in use.

Beyond protecting the private key from the potentially hostile territory of the PC, a smart card means there is exactly one instance of a person's digital identity: the key is generated and kept on the card, cannot be extracted, and therefore cannot be duplicated. The card is portable and can be carried between smart card-enabled machines. Carrying a smart card is much like carrying a credit card: users should know where it is at all times.

If someone tries to guess the PIN of a lost or stolen card, additional safeguards on the card come into play. A PIN is required to activate the card, and a wrong PIN can be entered only a predetermined number of times, set by the issuer, before the card blocks itself. A company security officer must then unblock the card before it can be used again, and that operation is itself limited to an issuer-defined number of security officer attempts. If those attempts are exhausted as well, the card terminates itself, erasing all information it holds and rendering itself permanently useless.
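The retry-counter behaviour just described, modelled as an added example that is not the article's or any vendor's card firmware: an on-card PIN application in Go with an issuer-set holder budget, a security-officer unblock with its own budget, and erasure of the key when the officer budget is exhausted. The PIN values, the budgets of three and two, the Ed25519 key, the constant-time comparison and the rule that a successful officer unblock restores the officer budget are all assumptions of the example. A biometric match-on-card would replace the PIN comparison with a template match and leave the rest of this logic as it is.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// State is the lifecycle state of the card's PIN application.
type State int

const (
	Active  State = iota // PIN may be presented; the key is usable after a correct PIN
	Blocked              // holder budget exhausted; only a security officer can unblock
	Dead                 // officer budget exhausted; key material has been erased
)

var (
	ErrBlocked  = errors.New("card blocked: security officer unblock required")
	ErrDead     = errors.New("card terminated: key material erased")
	ErrWrongPIN = errors.New("wrong PIN")
	ErrWrongSO  = errors.New("wrong security officer PIN")
	ErrNoPIN    = errors.New("PIN not verified in this session")
	stateErr    = map[State]error{Blocked: ErrBlocked, Dead: ErrDead} // why a state refuses holder operations
)

// Applet models the on-card logic; secrets exist only inside it, as in the chip's protected memory.
type Applet struct {
	state                          State
	pin, soPIN                     []byte
	pinLeft, pinMax, soLeft, soMax int // remaining attempts and issuer-set budgets, holder and officer
	pinOK                          bool
	key                            ed25519.PrivateKey
}

// NewApplet personalises a card: the key pair is generated on-card and the private half never leaves.
func NewApplet(pin, soPIN []byte, pinMax, soMax int) (*Applet, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Applet{pin: append([]byte(nil), pin...), soPIN: append([]byte(nil), soPIN...),
		pinLeft: pinMax, pinMax: pinMax, soLeft: soMax, soMax: soMax, key: key}, nil
}

func (a *Applet) State() State    { return a.state }
func (a *Applet) KeyErased() bool { return a.key == nil }

// VerifyPIN is the holder's attempt. The counter is decremented before the comparison (a real card
// commits that write to non-volatile memory first), so tearing the card out mid-operation buys no free guess.
func (a *Applet) VerifyPIN(attempt []byte) error {
	if err := stateErr[a.state]; err != nil {
		return err
	}
	a.pinLeft, a.pinOK = a.pinLeft-1, false
	if subtle.ConstantTimeCompare(attempt, a.pin) != 1 {
		if a.pinLeft <= 0 {
			a.state = Blocked
		}
		return ErrWrongPIN
	}
	a.pinLeft, a.pinOK = a.pinMax, true // success restores the full budget and opens the session
	return nil
}

// Unblock is the security officer's operation: present the officer PIN and set a fresh holder PIN.
// Exhausting the officer budget terminates the card; a success resets that budget (assumed issuer policy).
func (a *Applet) Unblock(officerPIN, newPIN []byte) error {
	if a.state == Dead {
		return ErrDead
	}
	a.soLeft--
	if subtle.ConstantTimeCompare(officerPIN, a.soPIN) != 1 {
		if a.soLeft <= 0 {
			a.terminate()
		}
		return ErrWrongSO
	}
	a.pin = append([]byte(nil), newPIN...)
	a.pinLeft, a.soLeft, a.pinOK, a.state = a.pinMax, a.soMax, false, Active
	return nil
}

// Sign uses the private key only inside a PIN-verified session on a live, unblocked card.
func (a *Applet) Sign(msg []byte) ([]byte, error) {
	if err := stateErr[a.state]; err != nil {
		return nil, err
	}
	if !a.pinOK {
		return nil, ErrNoPIN
	}
	return ed25519.Sign(a.key, msg), nil
}

// terminate zeroises the key, drops both PINs and leaves the card permanently unusable.
func (a *Applet) terminate() {
	for i := range a.key {
		a.key[i] = 0
	}
	a.key, a.pin, a.soPIN, a.pinOK, a.state = nil, nil, nil, false, Dead
}

func main() {
	a, _ := NewApplet([]byte("1234"), []byte("87654321"), 3, 2) // constructed PINs and budgets
	fmt.Println(a.VerifyPIN([]byte("0000")), a.VerifyPIN([]byte("0000")), a.VerifyPIN([]byte("0000")), a.State() == Blocked)
	fmt.Println(a.Unblock([]byte("87654321"), []byte("4321")), a.VerifyPIN([]byte("4321")))
}
```

The order inside VerifyPIN is the detail worth copying: the remaining-attempts counter is reduced before the comparison, not after, so an attacker who cuts power the moment the comparison fails still loses an attempt. A wrong PIN also closes any open session, so a single correct entry is needed again before the key will sign.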

Two-factor authentication: Now it's personal

PINs can be another weak link. They are essentially just another kind of password, vulnerable to human carelessness, shoulder surfing and guessing, and they are expensive and difficult to manage in corporate environments. Today's security industry is moving toward a better two-factor authentication: a combination of smart cards and biometrics.

A biometric system adds to PKI and the smart card a personal physical or behavioral characteristic, such as an iris pattern, voice, fingerprint or handwritten signature, that must be checked before authentication can proceed. A reference template of the person's biometric, a numeric representation rather than the raw image or recording, replaces the PIN and is held on the smart card alongside the private key. The card uses the private key for the signing ceremony, the answer to the "who are you" challenge, only after a live sample matches that template. This form of authentication promises strong security for employee verification, funds transfer, encrypted communications, and the granting of physical and electronic access to personal records, documents or transactions.

Two-factor authentication of this kind is a significant improvement. It proves not only that information was signed by a specific person's key but also that the person was physically present at the time of the transaction, because the biometric match happens at the moment of use. The result is a business exchange that cannot be completed without the card, and a card that cannot be used without the cardholder: a "cardholder present" situation that gives the strongest physical authentication and the highest confidence in Internet communications.

Usable and practical

Properly implemented, PKI, smart cards and biometrics protect the system, protect the user and ensure an individual cannot be impersonated. That's not to say every type of biometric works in every situation — there are a variety of considerations that must be addressed.

Each biometric system tends to follow a 90/10 rule: it will be comfortable for about 90 percent of the population, while the remaining 10 percent would prefer or require another option. An engineer with greasy hands cannot give a usable fingerprint, for example, and a stroke victim may be unable to sign a name. A deployment needs an alternative for these cases.

Security, privacy and control

PKI, smart cards and biometrics offer a solid business model that not only addresses high-level security and strong authentication but also protects individual privacy.

Biometric reference templates are a mathematical representation of the biometric data, not the data itself, and a template is of no use on its own. The matching algorithm protects the samples it compares against, and a well-designed template carries no name or other identity data and does not directly reveal the person's biometric feature. How well a given format resists being worked backwards into a usable feature depends on the template format and the algorithm, though, and a template that can be matched can in principle be presented to a matcher by whoever obtains it. That is a further reason to keep the template on the holder's card rather than in a central database.

It takes three

While the government still leads the charge as a top consumer of security technology, corporate America is realizing that effective business processes can exist and flourish in highly protected environments — without sacrificing convenience and usability. Recent innovations reflect not only the industry's push for mass acceptance and deployment, but also the need for increased public safety spanning both virtual and physical environments.

In government and business alike, the technology trio of PKI, smart cards and biometrics is being recognized as usable, deployable, and powerful technology that equally guards the interests of both sides of a given transaction or exchange.

For the record

About the author

Bill Holmes is vice president of marketing for SSP Solutions Inc., Irvine, Calif.

About the company


© 2008 Penton Media Inc.
