Provisioning 25 July 2005 #47
Provisioning automation--from chips to
the business layer.
SIMPLE YET EFFECTIVE SECURITY
ESSENTIAL FOR SELF-PROVISIONING
By William Flanagan, Editor
I spent a day recently with an RSA user group at a meeting covering several security items that impact service provisioning, particularly self-service features. Overall, the thrust of the day was that in the future, authentication of users must be more robust while remaining simple to use. Otherwise, network services (and connected computers) will either be too easy to cheat or too hard to use at all.
Robustness can lie in better passwords, random rather than "dictionary words" that are easily guessed. But even better is frequent changes of passwords--up to once every minute. More on this below.
Simplicity depends on automation--you probably can remember more passwords than I, but you're almost certainly not good enough for optimal levels of protection.
For both aspects, you need tools.
Starting at a very simple level, how about a pocketable device that generates "good" passwords and remembers them for you? It's called the Mandylion. On request, it displays the one you want so you can key it in.
RSA favors "tokens" that generate one-time passwords with a life of just a few minutes. A key-fob size device computes a new p/w periodically from a unique key for each user. The same key is entered at the central site device, which applies the same algorithm so it always knows the current p/w for each registered user. The recognition parameters allow for a little drift in the separate internal clocks.
Stepping up the automation level, let's put either of these methods on a USB (universal serial bus) device so you can plug it in and eliminate the "fat fingering" errors of keyboard entry. Some additional software may be necessary to deal with multiple password procedures for different networks or hosts, but that's eminently doable.
When communicating from a browser or a proprietary client, it's possible to take another step up in the level of security by applying encryption to the information sent over the wide area network (WAN). Secure Socket Layer (SSL) is built into all modern browsers, with a wide range of encryption algorithms. IP security (IPsec) clients can authenticate as well as encrypt with the same range of algorithms. And there are other methods, such as the one built into cell phone systems.
Key length can vary from 40 bits to 256 or more--longer keys are harder to break, but consume more CPU cycles or processing power. Weak encryption is hardly worth the bother, so you probably want strong (processor intense) encryption if you want any at all. Does this mean every PC needs a 3 GHz+ processor? Not necessarily.
Even the slowest PC can enjoy the best encryption without performance penalty if the encrypting is done in dedicated hardware. Chips tailored to encryption work much faster than PC software, and are available in routers, for example. One company used to offer that kind of chip as an easy add-on in a USB device. Of course, multi-GHz microprocessors usually can handle one user's encryption load.
As an example of automated sign-on, KoolSpan provides a remote USB device (the "Key") for the PC terminal and a larger box (the "Lock") that handles hundreds of sessions at the central site. Both the Lock and Key are equipped with a Smart Card (similar to the Subscriber Identity Module, or SIM chip, used in a GSM phone) for "keyless" authentication. Encryption occurs at Layer 2, in hardware on the Lock and in software on the remote PCs. The KoolSpan Key automatically generates and transmits a one-time p/w so that the user doesn't have to type in anything and can't share the one-time password because it's not revealed.
Perhaps these folks should talk to each other about cross licensing their ideas. Here's the goal: a USB stick that generates and displays both time-based and relatively fixed passwords, fills in the sign-on forms from web sites, and then encrypts the transmission with the best available algorithm.
Oh, by the way, each user would have a unique key or other identifier so the host computer could produce an audit trail of "who knew what and when." Those logs could be the next big surprise for cheats, something like the reappearance of "deleted" emails.
But the best aspect of the system is that it would be simple to use--meaning it would be used rather than defeated by frustrated indians who couldn't deal with what the chiefs were trying to impose. Also might keep a few honest managers out of hot water.
Note that this discussion focuses on the initial authentication and access by a user. It doesn't include any reference to "single sign on," ways to reach multiple servers from one session, or portals. That's for each organization to decide, and certainly will impact service self-provisioning: if a user authenticates well enough (to pay), and has a secure access link, why not enable additional services?
The security of authentication and communication methods may influence quite heavily the adoption of self-service offerings. But that's the topic of another ViewsLetter.
============ + ===== + ===== + ===== + ============
DATA FOR VOICE PEOPLE -- VOICE FOR DATA PEOPLE
1-Day Seminar Converges Skills for a Converged Network
More than the basics, attendees get real insight into the other
side of the shop. Everyone gains an appreciation for the skills
needed to do the other job.
Building on what each team knows, this seminar ties voice and data
into shared knowledge:
--voice signaling and data routing.
--continuous and packetized transmission.
--encoded digital voice and formatted data.
Taught at your site by people who understand thoroughly all
aspects of communications (video, too). Ideal for organizations
planning VoIP deployment or network convergence.
Call for more information: 703.855.0191.
"We Have the Experience."
Special thanks for supporting ViewsLetter to www.webtorials.com, your
best source for communications tutorials and white papers.
"Flanagan Consulting" and "ViewsLetter"
are Service Marks of W. A. Flanagan, Inc.