Trusted Web Access
Author: David Tayouri, Deputy Director of Engineering, National & Aviation Cyber Programs Directorate of the Cyber Division, ELTA Systems – Israel Aerospace Industries Ltd (IAI).
The Internet began with the development of the ARPANET project, where the first message was sent between two universities in 1969. The ARPANET project led to the development of protocols for internetworking, in which multiple separate networks could be joined into a network of networks using the Internet protocol suite (TCP/IP). The World Wide Web was used to link hypertext documents into an information system accessible from any node on the network. Since the use of the internet expanded gradually over decades and was initially designed for closed groups, the design didn’t include inherent security and user authentication.
The history of cyberattacks started even before the internet was opened to wide public use. Cybersecurity technologies have been evolving for a long time with the development of firewalls, anti-virus, IDS/IPS (Intrusion Detection/Prevention Systems), endpoint security, active defense capabilities and more. User authentication, on the other hand, has been evolving relatively slowly.
There are 3 main types of authentication:
- Something you know, usually username and password
- Something you have, such as key generator device or cellphone
- Something you are, i.e. biometric authentication such as fingerprint, iris, 3D digital face photo etc.
The Challenges of the Current Situation
Most of today’s applications still use authentication with username and password. This method has some disadvantages:
- If the password is not strong enough, it can be cracked (e.g. by brute force) or guessed, as many users use common passwords. According to the Splashdata annual list of most common passwords, the passwords “123456” and “password” are still the most commonly used as of 2018.
- The password can be stolen – there are many known cases where cloud-based servers were hacked and credential records were published.
- Social engineering may be used to trick users into divulging their credentials. 97% of cyberattacks try to trick a user through some type of social engineering scheme. Phishing is the leading form of social engineering attacks that are typically delivered in the form of an email, chat, web ad or website, any of which can be designed to impersonate a real system and organization, with the end goal of capturing an end user’s sensitive data.
- Since many people use the same password for many applications, a password revealed in one application can be used to enter another application.
Unlike in the physical world, users in the virtual world maintain many identities: one or more private and business email addresses, one or more private and business phone numbers and several social media profiles – a profile (identity) in each social network and even two or more profiles in the same social network for different purposes, e.g. business, advertisement and promotional activities.
Physical impersonation is relatively rare since physical identity is hard to fake. This is not the case in the virtual world. The openness of the web, which enables us to instantly create emails and social media accounts, and its inherent anonymity, is abused by criminals, terrorists and other illegal activists to create fake identities to hide their activities. Therefore, the current authentication methods have a low level of trust.
When using social media to comment on posts and blogs or to recommend places we have visited, a low level of trust may be satisfactory. But when accessing sensitive personal data in the cloud such as health records and bank accounts, paying for digitally purchased goods, remotely accessing business environments, accessing governmental and public organization sites and more, a higher level of trust is required.
Another case where a high level of trust is essential is when children communicate with each other through the web. When our kids chat or exchange pictures with their friends, we want to be sure they are contacting other children and not imposter pedophiles. Can we be sure of this with the existing web?
To improve the security process, some applications use two-factor authentication, i.e. in addition to the entered credentials, they require a message that was sent to the user’s mobile phone or a serial number generated by a token or an application in the mobile phone. Two-factor authentication is inconvenient, still requires remembering many passwords and doesn’t prevent the creation of fake identities, since a one-time SIM card can be used.
Another issue with our virtual identities is that they are not related to each other. Credential entries can vary based on the service in use, for example, email and different social media accounts. This is not convenient and can cause a situation where users use the same credentials for different accounts (which eases the work for hackers, as mentioned above) or save the credentials in a file (which may be accessed or stolen by malicious players).
Building Blocks for Solving the Web Authentication Challenge
In order to effectively solve the above-mentioned challenges and create an inherently authenticated and secure Web, ELTA proposes utilizing three key technologies: Biometric Authentication, Asymmetric Cryptography and Blockchain.
Biometric authentication is a user identity verification process that involves biological input, or the scanning or analysis of some part of the body. Biometric authentication methods are used to protect many different kinds of systems – from logical systems facilitated through hardware access points to physical systems protected by physical barriers, such as secure facilities and protected research sites.
Biometric authentication is widely known as the most effective type of authentication because it is extremely difficult to transfer biological features from one user to another. However, the traditional costs of biometric authentication have made it a less desired option for many projects. Recently, new technologies are making biometric authentication more realistically feasible for a range of different implementations.
One common and evolving type of biometric authentication involves facial scanning. Facial scanning tools now have the ability to identify people and can be used for different types of security and authentication. Fingerprint-based authentication is also common. Some types of biometric authentication focus on particular features, such as eyes, whereas others use more comprehensive body scanning models.
The biometric technologies most used in applications in the United States as of 2018 were fingerprint reading (40%), face recognition (15%) and iris scanning (13%).
Asymmetric cryptography is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions. Effective security only requires keeping the private key private; the public key can be openly distributed without compromising security.
In such a system, any user can encrypt a message using the receiver’s public key, but that encrypted message can only be decrypted with the receiver’s private key. Robust authentication is also possible: a sender can combine a message with a private key to create a short digital signature on the message. Anyone with the corresponding public key can combine the message, the digital signature attached to it and the known public key to verify whether the signature is valid, i.e. made by the owner of the corresponding private key.
Public key algorithms are fundamental security ingredients in modern cryptosystems, applications and protocols assuring the confidentiality, authenticity and non-repudiation of electronic communications and data storage.
A blockchain is a growing list of records, called blocks, which are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. A blockchain is an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. For use as a distributed ledger, a blockchain is typically managed by a peer-to-peer network collectively adhering to a protocol for inter-node communication and validating new blocks.
By design, a blockchain is resistant to modification of the data. Once recorded, the data in any given block cannot be altered retroactively without alteration of all subsequent blocks, which requires a consensus of the network majority. Although blockchain records are not unalterable, blockchain is commonly considered secure by design.
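Why altering one block forces the alteration of all subsequent blocks, shown on a minimal hash chain. This is an added example, not ELTA's ledger or any real blockchain's format: the block layout, the sample records and the function names are assumptions, and consensus between nodes is not modelled.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(block):
    # Hash covers the fields the text lists: previous hash, timestamp, data.
    body = {k: block[k] for k in ("prev_hash", "timestamp", "data")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, timestamp, data):
    prev = chain[-1]["hash"] if chain else GENESIS
    block = {"prev_hash": prev, "timestamp": timestamp, "data": data}
    block["hash"] = block_hash(block)
    chain.append(block)

def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None

def rewrite_from(chain, index):
    """Re-link and re-hash every block from index onward."""
    for i in range(index, len(chain)):
        if i > 0:
            chain[i]["prev_hash"] = chain[i - 1]["hash"]
        chain[i]["hash"] = block_hash(chain[i])

def build_sample_chain():
    chain = []
    # Constructed sample records.
    for ts, data in [(1, "enroll user A"), (2, "enroll user B"),
                     (3, "update user A"), (4, "enroll user C")]:
        append_block(chain, ts, data)
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    honest_tip = chain[-1]["hash"]
    chain[1]["data"] = "enroll user X"         # retroactive edit
    print(first_invalid(chain))                # edited block no longer matches its hash
    chain[1]["hash"] = block_hash(chain[1])    # re-hash only the edited block
    print(first_invalid(chain))                # break moves to the next block's link
    rewrite_from(chain, 2)                     # rewrite every later block
    print(first_invalid(chain), chain[-1]["hash"] == honest_tip)
```

Even after the full rewrite the tip hash differs from the one honest peers hold, which is the point where the network-majority consensus mentioned above comes in.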
One of the first and best-known uses of blockchain, in 2008, was for managing bitcoin digital currency transactions. It solved the double-spending problem without the need for a trusted authority or central server. During the last decade other uses of blockchain were tested and implemented, such as smart contracts, supply chain, tracking digital use and payments to content creators, decentralized voting and more. Recently, the US Homeland Security Department awarded a contract to institute interoperability between the agency’s multiple data formats and blockchain-related endeavors, and to ultimately implement an innovative distributed ledger solution to combat forgery and counterfeiting in immigration and citizenship documents.
ELTA’s Solution: Trusted Web Access
ELTA Systems has developed the Trusted Web Access solution (patent pending), in which the users are uniquely identified and strongly authenticated. This is achieved by creating a database of trusted users. The database includes users’ biometric IDs and their credentials for Cloud Service Providers (CSPs). The credentials are encrypted and passed directly, automatically and securely to the CSP for the authentication process.
The records in the database are irrevocable to avoid fraud and forgery. The database is also decentralized to avoid centrality and a single point of failure. These database properties are achieved with Blockchain.
This solution has the following essential features, to overcome the previously mentioned challenges:
- Strong biometric identification, which uniquely identifies a physical person and is the most durable compared to the other identification methods.
- Strong authentication, which provides a high level of trust that the person is who he/she claims to be and ensures that only privileged users access their accounts.
- Single authentication process for all the users’ virtual accounts, so that users do not have to remember all the credentials for the different CSP accounts.
- Eliminating the fake identities phenomenon by using physical (biometric) identification.
Summary: Privacy vs. Security
The openness of the web and its inherent anonymity are considered advantages, because they enable wide access and privacy, but they can also be considered as disadvantages, since they are abused by criminals and other illegal activists to create fake identities and hide their activities. Anonymity can assure total privacy, but it comes with a price – low level of trust as well as low level of security. ELTA’s solution suggests more trust when accessing the web, with less anonymity. When I think of my children surfing the web, I prefer losing some anonymity in order to enable them more security. What do you think?
About David Tayouri
David Tayouri is Deputy Director of Engineering, National & Aviation Cyber Programs Directorate of the Cyber Division, at ELTA Systems – Israel Aerospace Industries Ltd (IAI). Mr. Tayouri has been one of the cyber activity leaders in IAI and managed the cyber intelligence department from 2013 until the beginning of 2017, when the Cyber Division was established. During the last 15 years, Mr. Tayouri has been developing intelligence-gathering systems for defense organizations, in different layers, mastering the cyber domain in the last 8 years by heading cyber technology and business units and developing innovative cyber solutions. Mr. Tayouri has 28 years of experience as a technology leader with business understanding, software development, team leading, system engineering, project management and system architecture in various domains. He is a professional with an MSc with Honors in Computer Science from Bar-Ilan University.