Authentication is simply the process of verifying the identity of a user. For example, the user asserts an identity and the authentication system issues a challenge, such as a request for a password. If the user produces the correct password, the authentication system accepts the identity assertion and grants access. The modern way of doing this is with digital certificates and PKI-based cryptography: unlike a password, a certificate lets the user prove possession of a private key without ever revealing it, which provides the strongest way to validate a user's identity.
Digital certificates are already widely used to authenticate interactions between individuals. For example, they are used by secure email systems to ensure privacy and to validate the identity of the sender. The sender uses a digital identity, in the form of a certificate, to encrypt and digitally sign the message to ensure privacy and prove the sender's identity. The email recipient decrypts and authenticates the message in a similar fashion.
Digital certificate technology provides more than a means of authenticating individuals: digital certificates are also being applied to devices such as IP phones, computers, and cable modems to uniquely identify and authenticate devices in large networks where security and easy management are paramount.
To ensure that digital identities embedded in these devices remain trustworthy, the same rigorous security controls used to issue digital certificates to individuals must be translated to the manufacturing process that issues digital credentials to devices. To prevent fraud and ensure trust, a secure digital identity infrastructure must begin with trusted identity issuance. A critical component of this trusted infrastructure is the protection of the keys used to issue certificates. This protection is generally accomplished using hardware security modules (HSMs).
Digital Certificates for Cable Modems
Hardware authentication offers a way to combat the theft of cable television programming, which plagues cable service providers and content producers. To address signal theft, the Data Over Cable Service Interface Specification (DOCSIS) standard, published by Cable Television Laboratories, was drafted to establish security benchmarks for the cable industry. The standard employs digital certificates to confirm the identity of cable modems before allowing them to access the cable operator's services.
With DOCSIS in place, cable modem manufacturers are now deploying digital certificates to cable modems and set-top boxes to combat the illicit cloning of equipment and theft of cable services. These manufacturers are employing HSMs in conjunction with PKI software to generate cryptographic keys and the corresponding digital certificates. The certificates are issued during the manufacturing process, where the certificate information is programmed into a special write-once, read-only area of the cable modem's memory. The digital certificates are then used to automatically identify individual modems in a cable network.
Embedding digital certificates into cable modems not only protects the value of existing content and services, but also enables cable system operators to introduce a broad range of new content, applications, and value-added services to market without fear of piracy. Next-generation broadband services such as pay-per-view, view-on-demand, digital rights management (DRM), and online software delivery will depend upon the ability to authenticate each cable modem with its unique digital identity.
Digital Certificates for BIOS-based Computer Devices
A computer's BIOS (Basic Input/Output System) is required to perform basic system management and configuration functions that allow hardware components in a computer system to communicate with each other. As every computer requires a BIOS, it also provides a convenient location to store a unique digital identity.
In response to enterprise and consumer demands, BIOS manufacturers are now issuing digital certificates to BIOSes to provide unique identification for the computing devices they reside in. Binding a unique digital identity to every computer helps address internet security concerns: if fraud occurs, it can be traced back to the offender's computer. By adding digital certificates to the BIOS, users enjoy a level of built-in security that was previously achievable only with specialized hardware. This approach provides a quicker and more cost-effective way of securing applications ranging from remote access authentication to digital document signing and secure messaging. The addition of digital certificates to every computer creates a web of trust between the end points of the network, dramatically improving network security in a seamless, cost-effective way.
Phoenix Technologies, the leading BIOS manufacturer, has deployed HSMs to provide hardware-based security for the private keys used to sign the digital certificates stored within the BIOS. These HSMs ensure that the critical private keys used to perform signing and cryptographic operations during the certificate issuance process are protected from exploitation and attack within dedicated secure hardware.
Digital Certificates for IP Phones
IP-based telephony offers greater mobility, lower costs, and improved integration of data and voice services. Traditional wireline telecommunication systems maintain physical control over the switching system and telephone lines; in comparison, IP phones can connect to a telephone system from virtually anywhere across corporate LANs or the internet, introducing new security challenges. Where traditional phones relied on their fixed telephone number or physical connection to a telephone line as a crude but effective means of authentication, IP telephones require a more sophisticated, distributed method to authenticate themselves to the networks they connect to.
To prevent the identity theft and resulting fraud that plague the cellular phone and satellite television industries, the security of IP phone identities is a top priority. To ensure security and interoperability between IP telephones, telecommunication equipment manufacturers adopted the ITU H.323 protocol. H.323 specifies the security mechanisms needed to ensure authentication, integrity, privacy, and non-repudiation within compliant devices. These security mechanisms all rely on a digital identity embedded within each IP phone to serve as a unique device identifier.
In this system, highly secure cryptographic hardware is required to protect the certificate issuance root key - the basis of trust for all of the IDs issued to the phones - and prevent the key from being copied or used to create illegitimate device identities. In addition, HSMs feature high-performance cryptographic processors to ensure that the computationally intensive certificate issuance process doesn't become a manufacturing bottleneck in the IP telephone production line.
With each IP telephone containing a unique, trusted digital identity, users can know with confidence that the IP telephone they are connecting with is the telephone it claims to be. The ability to authenticate IP phones is particularly important to large companies that have telephone systems with thousands of telephones located around the world; the phone's digital identity helps prevent unauthorized access to the corporation's private LAN while assuring users that the call they receive is actually from a person within the company.
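The scheme described throughout this article (a manufacturer-controlled issuance root, a certificate programmed into each modem or phone at the factory, and network-side verification of that identity) can be shown end to end in a few dozen lines. The following Go program is an added example written for this page; it is not code from the article, from Chrysalis-ITS, or from any DOCSIS or H.323 implementation. It uses only the Go standard library, and an in-memory ECDSA key stands in for the HSM-protected root key; the manufacturer name, device serial, nonce and rogue CA are all constructed for illustration.

```go
// Added example (not the article's or Chrysalis-ITS's code): a manufacturer CA issues a device
// certificate on the production line and a network verifier then challenges that device. Names and serials are made up.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ManufacturerCA stands in for the HSM-protected issuance root; in production the private key never leaves the HSM.
type ManufacturerCA struct {
	Key        *ecdsa.PrivateKey
	Cert       *x509.Certificate
	nextSerial int64
}

// Device holds what the factory programs into the device's write-once memory.
type Device struct {
	Key     *ecdsa.PrivateKey
	CertDER []byte
}

// newKeyAndCert generates a P-256 key pair and signs a certificate for it; a nil signer yields a self-signed root.
func newKeyAndCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	return key, der, err
}

func NewManufacturerCA(name string) (*ManufacturerCA, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	key, der, err := newKeyAndCert(tmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ManufacturerCA{Key: key, Cert: cert, nextSerial: 2}, nil
}

// IssueDevice is the manufacturing step: mint the device key pair and bind the
// device serial (the certificate CN) to its public key under the manufacturer root.
func (ca *ManufacturerCA) IssueDevice(deviceSerial string) (*Device, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial), Subject: pkix.Name{CommonName: deviceSerial},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.nextSerial++
	key, der, err := newKeyAndCert(tmpl, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return &Device{Key: key, CertDER: der}, nil
}

// SignChallenge is the device's response: prove possession of the certified private key by signing the verifier's fresh nonce.
func (d *Device) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.Key, h[:])
}

// AuthenticateDevice is the network side: chain the presented certificate to the trusted manufacturer
// root, then check the signature over the nonce we issued. Returns the certified device serial on success.
func AuthenticateDevice(roots *x509.CertPool, certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate not issued by a trusted manufacturer: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey) // the only key type this CA issues
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("challenge failed: presenter does not hold the certified private key")
	}
	return cert.Subject.CommonName, nil
}
```

Two properties of the design matter for the article's threat model. A cloned device that copies the certificate but not the private key fails the nonce challenge, and a device carrying a certificate minted under any other root (a counterfeit manufacturer) fails the chain check because only the genuine root is in the verifier's pool. Both outcomes depend entirely on the root private key staying inside the HSM, which is why the issuance key, not the device keys, is the asset the article keeps returning to.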
As more and more devices become network-connected, device-to-device authentication becomes more important. IP telephones, cell phones, hand-held computers (PDAs), computer devices, and cable modems are only a few examples of a growing list of common electronic devices that can benefit from digital identities for authentication. The use of HSMs within the digital identity issuance process allows high-volume, high-speed certificate issuance to be seamlessly integrated into the manufacturing process without sacrificing the security that the people who rely on these devices for business and personal use depend on.
David Hicks is product manager, Chrysalis-ITS
Chris Dunn is vice president of product development, Chrysalis-ITS (www.chrysalis-its.com)