New Software From Bell Labs May Lead to More Secure, Easier to Use Authentication Systems
datekrt.newsalert.com
Business Wire - August 07, 2002 07:32
MURRAY HILL, N.J.--(BUSINESS WIRE)--August 7, 2002--Lucent Technologies (NYSE:LU):
-- Requires no changes to a websites' current user authentication
methodology
-- Software can be ported to a range of operating systems
including Windows*, Linux*, Unix* and Solaris*
Lucent Technologies' Bell Labs has designed new network security software that makes the process of logging into network-based services and applications easier and more secure without sacrificing user privacy.
The new software will be described today at the USENIX Security conference in San Francisco, where a paper will be presented that also outlines a new, more secure model for user authentication systems.
The new security software consists of two complementary programs, called Factotum and Secure Store that work together to prove a user's identity when he or she attempts to access a secure service or application such as online banking or shopping. In contrast to some commercially available approaches where a company or third party is in control of user information, this approach puts the user in control of their personal information. Furthermore, it is an open platform that could authenticate a user with any website without requiring a website to adopt any single sign-on standard.
Secure Store acts as a repository for an individual's personal information, while Factotum serves as an agent that handles authentication on the user's behalf in a quick, secure fashion. This approach tackles the problem of how to conveniently hold and use a diverse collection of personal information such as usernames, passwords and client certificates, for authenticating users to merchants or other services.
"This model for doing authentication is inherently more secure because users control their information, personal information is stored on the network not on a device, and it employs the latest protocols," said Al Aho, professor of Computer Science at Columbia University and former Bell Labs vice president of Computing Sciences Research. "Additionally, it's incredibly convenient because these applications eliminate the need for users to type the same information over and over, or to remember multiple passwords for each service they wish to access."
While Factotum and Secure Store were both written for the Plan 9 operating system, an open-source relative of Unix developed at Bell Labs, they can be ported to other operating systems, including Linux*, Windows*, Solaris* and Unix*. Both applications are currently available in source code form to industry and academia at plan9.bell-labs.com.
"This technology has the potential to serve as the foundation for a new generation of more secure, easier-to-use authentication systems," said Eric Grosse, director of Bell Labs' Networked Computing Research. "After using and improving Factotum and Secure Store in our own network and research lab, we are confident that they are ready for wider implementation."
To set up the Factotum and Secure Store services, a user would first enter all of his or her usernames and passwords for the various websites they subscribe to -- online banking, web mail, shopping, etc. into the Secure Store. The Secure Store server on the network protects this information using state-of-the art cryptography and the Advanced Encryption Standard (AES).
To retrieve key files for Factotum, running on a local device like a laptop or PDA, users only need to provide a password to prove their identity, thanks to a new, advanced security protocol created by Bell Labs for doing password-authenticated key exchange, called PAK. This approach thwarts the most common security threats, like so-called "dictionary attacks" on the password, by making it impossible for someone to eavesdrop in on the challenge-and-response approach used in most password schemes.
When Factotum accesses a user's keys, it stores the information in protected random access memory (RAM), and keeps it there for a short period of time. This is an improvement over today's common method of storing passwords on a user's hard drive, which is insecure. Factotum only holds user information in memory when the machine is running, and when the machine is off, the secrets are only kept in Secure Store. The final security precaution designed into the new architecture is that Secure Store is located on the network, not on the user's PC, so even if a user's machine is hacked or stolen, the information stored in Secure Store is safe.
"The new security features in Plan 9 integrate organically into the system making it unique among security options in the marketplace today, said David Nicol, professor of computer science at Dartmouth College and associate director of Research and Development at the school's Institute for Security Technology Studies. "Bell Labs' design recognizes rightly that identity and the authentication of identity are the heart and soul of security. My research group plans to use this code as we develop backbone peer-to-peer networks of trustable components with applications to securing critical infrastructure."
With more than 10,000 employees in 16 countries, Bell Labs is the leading source of new communications technologies. Bell Labs has generated more than 28,000 patents since 1925 and has played a pivotal role in inventing or perfecting key communications technologies, including transistors, digital networking and signal processing, lasers and fiber-optic communications systems, communications satellites, cellular telephony, electronic switching of calls, touch-tone dialing, and modems. Bell Labs scientists have received six Nobel Prizes in Physics, nine U.S. Medals of Science and eight U.S. Medals of Technology. For more information about Bell Labs, visit its Web site at bell-labs.com.
Lucent Technologies, headquartered in Murray Hill, N.J., USA, designs and delivers networks for the world's largest communications service providers. Backed by Bell Labs research and development, Lucent relies on its strengths in mobility, optical, data and voice networking technologies as well as software and services to develop next-generation networks. The company's systems, services and software are designed to help customers quickly deploy and better manage their networks and create new, revenue-generating services that help businesses and consumers. For more information on Lucent Technologies, visit its Web site at lucent.com.
* Other names and brands may be claimed as the property of others. |
