Posts Tagged authentication

The Economist on Biometrics

[HT Bruce Schneier]

Here’s an excellent article on the use of biometrics in security systems. Here are some highlights.

Intro

Authentication of a person is usually based on one of three things: something the person knows, such as a password; something physical the person possesses, like an actual key or token; or something about the person’s appearance or behaviour. Biometric authentication relies on the third approach. Its advantage is that, unlike a password or a token, it can work without active input from the user. That makes it both convenient and efficient: there is nothing to carry, forget or lose.

Some problems

The downside is that biometric screening can also work without the user’s co-operation or even knowledge. Covert identification may be a boon when screening for terrorists or criminals, but it raises serious concerns for innocent individuals. Biometric identification can even invite violence. A motorist in Germany had a finger chopped off by thieves seeking to steal his exotic car, which used a fingerprint reader instead of a conventional door lock.

Another problem with biometrics is that the traits used for identification are not secret, but exposed for all and sundry to see. People leave fingerprints all over the place. Voices are recorded and faces photographed endlessly. Appearance and body language are captured on security cameras at every turn. Replacing misappropriated biometric traits is nowhere near as easy as issuing a replacement for a forgotten password or lost key. In addition, it is not all that difficult for impostors to subvert fingerprint readers and other biometric devices.

Research findings

The panel of scientists, engineers and legal experts who carried out the study concludes that biometric recognition is not only “inherently fallible”, but also in dire need of some fundamental research on the biological underpinnings of human distinctiveness. The FBI and the Department of Homeland Security are paying for studies of better screening methods, but no one seems to be doing fundamental research on whether the physical or behavioural characteristics such technologies seek to measure are truly reliable, and how they change with age, disease, stress and other factors. None looks stable across all situations, says the report. The fear is that, without a proper understanding of the biology of the population being screened, installing biometric devices at borders, airports, banks and public buildings is more likely to lead to long queues, lots of false positives, and missed opportunities to catch terrorists or criminals.


Secure client authentication with php-cert-auth

Most websites employ a simple authentication mechanism consisting of a username and a password. While this is acceptable and secure enough for most applications, I want to take a minute to explore a more complex and, if employed correctly, more secure method of authenticating a user to a website.

This method uses public key infrastructure (PKI): the browser presents an X.509 client certificate during the SSL/TLS handshake. The certificate and its private key are delivered to the user as a PKCS#12 (.p12) bundle, which every mainstream browser can import.

First you need to make sure your server is configured to use SSL properly. Setting up SSL in Apache is beyond the scope of this post, but here is a great HOWTO on it. You’ll also need to configure Apache to export the SSL variables it gathers to PHP.

Here is the Apache config setting that asks the client for a certificate and exports the SSL environment variables to PHP (via the $_SERVER array). Note what optional_no_ca means: mod_ssl will accept a client certificate that it cannot chain to any CA in SSLCACertificateFile, which is exactly what a self-signed certificate is. Apache therefore makes no trust decision of its own (SSL_CLIENT_VERIFY reads GENEROUS rather than SUCCESS for such a certificate), and deciding whether the presented certificate belongs to a real user is entirely up to the application. If you run your own CA instead, SSLVerifyClient require together with SSLCACertificateFile pushes that check into Apache.

SSLVerifyClient optional_no_ca
SSLVerifyDepth  10

SSLOptions +ExportCertData +StdEnvVars

Next you’ll want to grab a copy of our handy php-cert-auth class from here. The configuration is pretty straightforward; feel free to include the config parameters in the class directly if you don’t want to maintain a separate configuration file.

Here are a few examples of what our class will allow you to do.

To generate a self-signed certificate and private key and hand them to the user as a PKCS#12 download (the private key is created on the server and travels in the response, so serve this only over HTTPS and do not keep a copy of the key):

<?php
// Tell the browser it is receiving a PKCS#12 bundle to save, not a page to render.
// Headers must be sent before any other output.
header("Content-Type: application/x-pkcs12");
header('Content-Disposition: attachment; filename=client.p12');

// Subject distinguished name that goes into the certificate.
$countryName = "US";
$stateOrProvinceName = "Georgia";
$localityName = "Roswell";
$organizationName = "Werx Limited";
$organizationalUnitName = "Labs";
$commonName = "Wes Widner";
$emailAddress = "[email protected]";

$cert = new WerxLtd_Auth_Cert();
$pkcs12 = $cert->getPKCS12SelfSigned(
	$countryName,
	$stateOrProvinceName,
	$localityName,
	$organizationName,
	$organizationalUnitName,
	$commonName,
	$emailAddress
);

// The raw PKCS#12 bytes are the whole response body.
echo $pkcs12;

/*
 * You can also parse the PKCS#12 data back out via:
 * openssl_pkcs12_read($pkcs12, $data, null);
 * (the third argument is the bundle passphrase; none was set here)
 */

Here is how you could go about authenticating a user (the class reads the certificate mod_ssl exported in $_SERVER, which is why +ExportCertData is needed above):

$cert = new WerxLtd_Auth_Cert();
if($cert->hasClientCert()) {
	// The browser presented a certificate; pull an identifier out of it.
	$keyid = $cert->getSubjectKeyIdentifier();
	// You can then use this identifier to query the list of known certificates associated with valid users.
}

This package is not designed to work in a stand-alone fashion. It is designed to be a passwordless enhancement to an existing authentication system: while the user is logged in by the usual means, a certificate is issued to them (or one they already have is enrolled) and an identifier for it is stored against their account, so that on later visits the presented certificate can be checked against the list of known client certificates and the user logged in transparently. The class exposes the subjectKeyIdentifier for this purpose[1]. Be aware, though, of what that value is: with SSLVerifyClient optional_no_ca Apache accepts whatever certificate the client presents, and the subjectKeyIdentifier is simply an extension the issuer of that certificate chose to put in it, conventionally a hash of the public key (RFC 3280 section 4.2.1.2) but not enforced, so a self-signed certificate can carry any value its creator likes. What the TLS handshake actually proves is that the client holds the private key matching the public key in the presented certificate, so bind the account to a fingerprint of the whole certificate (or of that public key) rather than to the subjectKeyIdentifier alone.
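The binding described above, written out as an added example that is not part of php-cert-auth: the whitelist keys on the SHA-256 fingerprint of the certificate mod_ssl exports in SSL_CLIENT_CERT, and the demonstration shows that a second self-signed certificate with the identical subject name is rejected because its key, and hence its fingerprint, differs. The ClientCertBinding class, its in-memory store, the makeSelfSigned helper and the sample subject are assumptions made for the example; the script needs the php-openssl extension and runs offline.

```php
<?php
// Added example (not part of php-cert-auth): bind a TLS client certificate to a
// user account by a SHA-256 fingerprint of the certificate instead of by its
// subjectKeyIdentifier. With "SSLVerifyClient optional_no_ca" Apache does not
// check who issued the certificate, so every field inside it, the SKI extension
// included, is chosen by whoever made it. What the handshake does prove is that
// the client holds the private key for the public key in the certificate, so the
// whitelist should name the certificate (or that key), not an arbitrary extension.
declare(strict_types=1);

final class ClientCertBinding
{
    /** @var array<string,string> sha256 fingerprint => user id (hypothetical in-memory store) */
    private array $bindings = [];

    /** Lower-case hex SHA-256 over the DER encoding of the certificate. */
    public static function fingerprint(string $pem): string
    {
        $fp = openssl_x509_fingerprint($pem, 'sha256');
        if ($fp === false) {
            throw new InvalidArgumentException('not a parsable X.509 certificate');
        }
        return strtolower($fp);
    }

    /** Called while the user is logged in through the existing mechanism. */
    public function enrol(string $pem, string $userId): void
    {
        $this->bindings[self::fingerprint($pem)] = $userId;
    }

    /** User bound to the presented certificate, or null if it is unknown. */
    public function lookup(string $pem): ?string
    {
        return $this->bindings[self::fingerprint($pem)] ?? null;
    }

    /**
     * The PEM certificate mod_ssl exports with +ExportCertData, or null when no
     * certificate was presented. Under optional_no_ca SSL_CLIENT_VERIFY reads
     * "GENEROUS" for an unverifiable (e.g. self-signed) certificate, so the
     * lookup above is the only trust decision being made.
     */
    public static function presented(array $server): ?string
    {
        $pem = $server['SSL_CLIENT_CERT'] ?? '';
        return $pem === '' ? null : $pem;
    }
}

/** Stand-in for the enrolment step: a fresh self-signed certificate as PEM (assumed helper). */
function makeSelfSigned(string $commonName): string
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    $csr = openssl_csr_new(['commonName' => $commonName], $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $pem);
    return $pem;
}

// Offline demonstration with constructed data: one certificate enrolled for the
// user "wes", and a second one with the identical subject but a different key,
// standing in for anything an attacker can self-sign for themselves.
$store = new ClientCertBinding();
$enrolled = makeSelfSigned('Wes Widner');
$store->enrol($enrolled, 'wes');
$impostor = makeSelfSigned('Wes Widner');

// What the request handler sees; the literal array stands in for $_SERVER as filled by mod_ssl.
$seen = ClientCertBinding::presented(['SSL_CLIENT_CERT' => $impostor]);
if ($store->lookup($enrolled) !== 'wes' || $seen === null || $store->lookup($seen) !== null) {
    throw new RuntimeException('binding check failed');
}
echo "enrolled certificate recognised, same-subject impostor rejected\n";
```

If you want a certificate that is re-issued to the same key (renewal) to keep working without re-enrolment, hash the public key obtained from openssl_pkey_get_public() and openssl_pkey_get_details() instead of the whole certificate; that is the honest version of what the subjectKeyIdentifier is supposed to be, computed by you rather than read from the client.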

There are many other ways a client certificate can make your application more secure, such as encrypting information with the certificate’s public key before it is saved to permanent storage. You can also use the subject fields in the client certificate to fill in form fields automatically. The biggest pitfall I can see in employing client certificates is the added complexity of the application.

Further reading:

  1. http://www.ietf.org/rfc/rfc3280.txt
