Single Sign-On and Password Synchronization
One issue that has irritated users in large secure environments is the burgeoning number of passwords they have to remember to access various applications. A user might need one password to log onto his or her workstation, another to access the network, and yet another for a particular server. Ideally, a user should be able to sign on once, with a single password, and be able to access all the other systems on which he or she has authorization.
Some have called this notion of single sign-on the “Holy Grail” of computer security.
The goal, replacing a heterogeneous collection of security mechanisms with a common enterprise security infrastructure, is admirable. It is currently being attempted by several vendors through technologies such as the Open Group's Distributed Computing Environment (DCE), MIT's Kerberos, Microsoft's Active Directory, and Public-Key Infrastructure (PKI)-based systems. However, few, if any, enterprises have actually achieved this goal. Changing all existing applications to use a common security infrastructure is very difficult, and the effort has been further hampered by a lack of consensus on what that common infrastructure should be. As a result, the disparate proprietary and standards-based solutions cannot be applied to every system. In addition, single sign-on creates a single point of failure: should one user's password be compromised, it is not just that user's local system that can be breached but the entire enterprise.
A hash function is an algorithm that takes a variable-length string as input and produces a fixed-length value (the hash) as output. The challenge for a hashing algorithm is to make this process irreversible: finding a string that produces a given hash value should be very difficult, and it should also be difficult to find two arbitrary strings that produce the same hash value. The hash value is also called a message digest or fingerprint. Several one-way hash functions are in common use today, among them Secure Hash Algorithm-1 (SHA-1) and Message Digest 5 (MD5). The latter was invented by Ron Rivest for RSA Security, Inc. and produces a 128-bit hash value. See Table 1 for an example of output generated by MD5. SHA-1 was developed by the U.S. National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) and produces 160-bit hash values. SHA-1 is generally considered more secure than MD5 due to its longer hash value.
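The properties described above (fixed-length output regardless of input length, a 128-bit MD5 digest versus a 160-bit SHA-1 digest, and an output that changes unpredictably when the input changes slightly) can be observed directly with Python's standard `hashlib` module. The following is an added example, not code from the original text; the helper names are my own.

```python
import hashlib


def digest_hex(algorithm: str, message: str) -> str:
    """Return the hexadecimal digest of `message` under the named hashlib algorithm.

    The message is encoded as UTF-8 before hashing; hash functions operate on bytes.
    """
    return hashlib.new(algorithm, message.encode("utf-8")).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Output length in bits for the named algorithm, independent of any input."""
    return hashlib.new(algorithm).digest_size * 8


def differing_hex_positions(a: str, b: str) -> int:
    """Count the hex positions at which two equal-length digests differ.

    Used to show the avalanche effect: a one-character change in the input
    alters roughly half the output digits rather than a single position.
    """
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(f"{algo}: {digest_bits(algo)} bits")
        # Fixed-length output: a 1-byte and a 10,000-byte input give equal-length digests.
        print("  short input :", digest_hex(algo, "a"))
        print("  long input  :", digest_hex(algo, "a" * 10000))
        # Avalanche: 'password' vs 'passw0rd' differ in one character.
        h1, h2 = digest_hex(algo, "password"), digest_hex(algo, "passw0rd")
        print("  positions changed by a 1-char edit:", differing_hex_positions(h1, h2), "of", len(h1))
```

The digest lengths printed (32 hex characters for MD5, 40 for SHA-1) are simply 128 and 160 bits written in hexadecimal, which is the format Table 1 uses.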
Microsoft Windows NT uses one-way hash functions to store password information in the Security Account Manager (SAM). There are no Win32 Application Programming Interface (API) function calls to retrieve user passwords because the system does not store them; it stores only hash values. However, even a hashed password in a database is not entirely secure. A cracking tool can compile a list of, say, the one million most commonly used passwords and compute the hash of each of them. The tool can then obtain the system account database and compare the hashed passwords in the database with its own list to see what matches. This is called a "dictionary attack" (see "Password Cracking Tools").
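The weakness the paragraph describes is that a plain, unsalted hash of a password is the same in every account database, so one precomputed list of common-password hashes can be compared against any stolen store. The following is an added example, not code from the original text, showing that weak storage scheme beside the standard mitigation (a random per-user salt and an iterated key-derivation function, here PBKDF2 from `hashlib`). The five-entry password list and the three-user account store are constructed for the demonstration and stand in for the million-entry list the text mentions; all function names are my own.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "most common passwords" list and a stolen
# account store that keeps unsalted MD5 hashes (the weak scheme).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: the same password always yields the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


UNSALTED_STORE = {
    "alice": unsalted_hash("password"),      # in the common list
    "bob": unsalted_hash("Tr0ub4dor&3"),     # not in the common list
    "carol": unsalted_hash("letmein"),       # in the common list
}


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once. Reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}


def match_unsalted(store, table):
    """Compare every stored hash with the precomputed table; return user -> password."""
    return {user: table[h] for user, h in store.items() if h in table}


# Hardened scheme: random per-user salt plus an iterated KDF.
def salted_record(password: str, salt: bytes = None, iterations: int = 100_000) -> dict:
    """Store salt, iteration count and derived key; the salt need not be secret."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


SALTED_STORE = {
    "alice": salted_record("password"),
    "bob": salted_record("Tr0ub4dor&3"),
    "carol": salted_record("letmein"),
}


def match_salted(store, table):
    """The same precomputed table against salted records: no entry can match,
    because each stored value depends on a salt the table never saw."""
    return {user: table[rec["hash"]] for user, rec in store.items() if rec["hash"] in table}


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted store, precomputed table hits:", match_unsalted(UNSALTED_STORE, table))
    print("salted store,   precomputed table hits:", match_salted(SALTED_STORE, table))
    print("same password, two users, same stored value?",
          SALTED_STORE["alice"]["hash"] == salted_record("password")["hash"])
    print("verify alice:", verify_salted(SALTED_STORE["alice"], "password"))
```

With salting, a precomputed table is worthless: every candidate must be re-derived separately for each user's salt, and the iteration count makes each derivation deliberately slow. Salting does not protect a genuinely weak password from being guessed one account at a time, which is why password complexity rules and lockout policies remain part of the defence.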
The ancient folk tale of Ali Baba and the forty thieves mentions the use of a password. In this story, Ali Baba finds that the phrase "Open Sesame" magically opens the entrance to a cave where the thieves have hidden their treasure. Similarly, modern computer systems use passwords to authenticate users and allow them entrance to system resources and data shares on an automated basis. The use of passwords in computer systems likely can be traced to the earliest time-sharing and dial-up networks. Passwords were probably not used before then in purely batch systems.
The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In a password-based authentication mechanism implemented on a computer system, passwords are vulnerable to compromise due to five essential aspects of the password system: