Time-Gated Mutual Authentication
System Architecture: Part 1

DRAFT (15-Nov-2016)

Distributed Systems Software
Victoria, BC


Part 1


Abstract

This document describes the design and architecture of a general-purpose authentication system that is superior in many respects to password-based authentication methods, two-factor authentication methods, and password managers. The architecture ensures that information useful to attackers is always held within the system's most secure components, eliminating many of the attacks that plague password-based authentication, helping to protect information stored in user accounts, and preventing unauthorized system access.

Central to the architecture is the use of a secondary computer called a validator that is responsible for managing account information on behalf of a user and executing the system's secure cryptographic protocols. Beyond its application to user authentication, a validator can act as a general purpose personal security assistant.

Functioning prototype components have been implemented and can be demonstrated.

This document provides a higher-level description of the system, omitting many technical details. In particular, the specifics of the mutual authentication protocol are not disclosed. Some related technologies are described and critiqued, but not exhaustively. Basic knowledge of client/server architectures, computer security, and cryptography is assumed.


Executive Summary

Password-based authentication methods have many serious security weaknesses, administrative problems, and usability issues. High-profile attacks aimed at client software, server software, and users themselves via social engineering have leaked private information, resulted in identity theft, damaged or misused systems or property, and so on. Efforts to find a suitable replacement approach have been largely unsuccessful.

We propose a replacement for password-based authentication that addresses many of its weaknesses and offers additional features. It might be approximately described as a combination of password-management software and multi-factor authentication. Its novelty rests on:

While the architecture has wide application, it is presently felt that the best avenues center around improving security or accessibility to software, products, or devices that would ordinarily be password protected and where security breaches may have significant financial, legal, or safety consequences.

The primary goal of this work is to develop a more secure and versatile alternative to username/password authentication for niche and/or general-purpose applications.

A secondary goal is to develop a cryptographic assistant for managing user authentication and for integration with any software that requires secure client/server and/or peer-to-peer communication, as a better alternative to username/password authentication and SSL/TLS communication.

Claims
The design is based on the following assertions, which will be justified throughout this document:

It is intended for the architecture to be open, using standardized (or de facto standard) cryptographic methods, and a reference implementation made available.


Introduction to TGMA

Time-Gated Mutual Authentication (TGMA)[1] is a software architecture for performing convenient, highly-secure mutual authentication (M-AUTH) between a user and a service provider by employing a secondary computer. A service provider is any software that requires its user to identify herself through a suitable system interface. The service provider can be a computer system (desk top, laptop, workstation, display manager, screen saver, etc.), web site, command, device, and so on. The secondary computer is intended to be a programmable personal mobile device, such as an Internet-capable cell phone (a "smart phone") or tablet, but it could also be a laptop, special-purpose device, or even a general-purpose computer system. The secondary computer is configured with user account information as required and runs software that conducts the TGMA protocol with server-side components.

By moving certain data, functionality, and protocol from the application software that needs to perform authentication to the validator, many avenues of attack based on compromising the client disappear. In effect, the user authenticates a transaction rather than himself. We will generally frame the typical transaction as signing on through a system interface, such as a login screen, but that is not the only possibility.

Personal mobile devices have become small, commonplace, relatively inexpensive, and powerful. As they are increasingly used for a wide variety of everyday tasks (financial, informational, entertainment, administrative, and more), they have become indispensable. Mobile devices are typically equipped with at least one data transmission method, non-volatile memory, one or more access control mechanisms,[2] and a camera. This makes them particularly well-suited to this application. As the cost of hardware components decreases, affordable special-purpose devices become more attractive, but there will always be a desire to combine frequently-accessed functions into a single device (e.g., the tricorder).

The architecture provides important security benefits both to users and service providers compared to password-based authentication ("username/password"). In brief, for users:

For service providers:

An important design goal is to minimize inconvenience for authenticating users and system administrators compared to password-based authentication. Though not a drop-in replacement, adoption of the new system on the server side should be straightforward for system administrators.

The system architecture lends itself to several powerful features. Sign-on approval lets a user or a third-party track sign-on requests in real time. Rules can be evaluated to decide whether an authenticated user should be allowed to sign-on.

For authentication purposes, the TGMA protocol does not need to run on top of SSL/TLS, although it can, perhaps to provide secure communication after mutual authentication or for practical reasons. In some cases, light-weight, very secure end-to-end communication is possible without the many weaknesses related to SSL/TLS (RFC 7568: SSLv3 Is Comprehensively Broken, sslstrip), and without the need of SSL/TLS certificates and certificate validation.[3] The authentication protocol is entirely peer-to-peer, without the participation of a third-party server.

Here are a few applications of the architecture:

TGMA can be deployed as a two-factor authentication method. Successful authentication can require a particular device (something the user possesses) and information associated with the user's account (secrets the user knows). On the device, a password can optionally augment an account (another secret the user knows).

More detail is presented in Benefits and Advantages.

Computer systems must make trade-offs between security and practicality. If security is maximized, a system will be far too inconvenient for everyday use, and will therefore have limited applicability. If usability characteristics, such as cost and functionality, are of prime importance, a system must relax security constraints. Additionally, it should be recognized that not all systems demand the same level of security. A user's home desk top system probably does not need as strong an authentication method as that user's banking web site. It is necessary to find a suitable balance between security and usability. Unfortunately, users have demonstrated a strong preference for ease of use.[6]

For many use cases, the authentication system described here is intended to be a better alternative to password-based authentication methods, many two-factor authentication methods, and password managers, in most contexts, over public and shared computer networks. Security is greatly improved without sacrificing overall ease of use.

Continued in Part 2.


Footnotes

  1. The name "Time-Gated Mutual Authentication", though descriptive, may yet be changed to something more catchy.
  2. Access to a personal device is typically protected by a variety of methods, such as a password, fingerprint, inactivity timeout, or a remote reset feature.
  3. Frequently quoted studies: a) approx. 60% of all SSL server certificates are invalid and b) an invalid SSL certificate has no effect on people visiting the web site.
  4. In some situations, such as administering classroom or lab facilities, a laptop may be a preferable secondary computer.
  5. Sometimes a sysadmin cannot use an administrative password and must obtain a user's password. It turns out that users commonly use the same password for multiple accounts and so might have legitimate concerns about sharing it. Or, a user might have chosen a potentially embarrassing password.
  6. By "ease of use", we mean the actual or perceived convenience, usability, speed, and availability of a method for a wide class of users. Interface "friendliness" characteristics, such as functioning in much the same way across different kinds of devices, are also relevant.
  7. Just one example: Chrome Bug Enabled Crooks to Send Malicious Code to Your Browser as PDF Files