Novell Announces Novell Modular Authentication Services (NMAS)
Articles and Tips: article
01 Mar 2000
Novell recently announced new directory-enabled Net security software for managing user authentication to network resources. The Novell Modular Authentication Service (NMAS, pronounced en-mass) leverages NDS eDirectory to provide a single point of administration and management for an expanded set of authentication methods to business network resources. For enterprises using NDS that require the strongest forms of authentication security, Novell Modular Authentication Service simplifies the integration of the variety of authentication solutions currently available.
Authentication is the process by which users prove who they are as they log in to a network. While password authentication combined with sound password policy measures has traditionally been accepted as a sufficient authentication method in business networks, the e-business explosion has caused many businesses to reexamine their network security and in particular, how users authenticate to the network. Many businesses are now expanding their network authentication requirements beyond traditional password authentication to support advanced strong authentication methods such as smart cards, physical tokens, or biometrics.
"As companies increasingly rely on the Net for e-business the need for secure authentication is paramount," said Patrick Harr, director of product management, Novell Inc. "Security is evolving from providing something you know, such as a password, to something that you are, such as biometrics, or something you have, in the case of tokens and smart cards. Being able to support and manage all of these new security devices in a single place with NMAS demonstrates the value of NDS eDirectory for managing access to your network services, data and information."
Fifteen top security companies also announced support today for the Novell Modular Authentication Service. Biometric, smart card, and token vendors alike announced that their specific authentication solutions would support NMAS, including ActivCard, Arcot Systems, Biometric Access Corporation, Compaq Computer Corporation, Datakey, Dialog Communication Systems (DCS), Gemplus, Identix, Keyware Technologies, Protocom, RSA Security, SAFLINK, Schlumberger, Secure Computing, and VASCO Data Security. Please see www.novell.com/products/nmas for more information.
NMAS is a framework that allows users to authenticate using different and multiple NDS authentication methods, providing flexibility and advanced security in a network environment. With native integration with NDS for ease of use, NMAS supports all common authentication types (face, finger, voice, signature, iris, tokens, smart cards, and passwords) and delivers the ability to dynamically assign authentication policies to users, groups, applications and access methods. Novell Modular Authentication Service will be delivered in two forms:
NMAS Starter Pack--which provides a single point of administration and supports an expanded set of network authentication methods in NDS. NMAS Starter Pack allows for any provided single form of user login method. This means that NDS users can now authenticate using either a smart card, physical token, biometric, X.509 certificate, or various forms of passwords.
NMAS Enterprise Edition--(which includes the NMAS Starter Pack) provides a single, cost-effective point of administration for managing, grading, and accessing an expanded set of network authentication methods in NDS. Additionally, the NMAS Enterprise Edition includes:
Multi-factor Authentication--which provides greater network security by allowing the administrator to set up users to log in following a sequence of authentication requirements (for example, requiring a user to provide a fingerprint and insert a smart card).
"Graded Authentication"--which delivers greater network security by allowing the administrator to establish grades among the different authentication methods and then grant NDS partition or volume access based on authentication methods used. "Graded Authentication" assures that only users completing all required authentication methods in a login sequence are able to access confidential or sensitive information.
Licenses for the Novell Modular Authentication Service Starter Pack are now available free of charge via download from the Web. Please visit www.novell.com/products/nmas to get started. Licenses for the Novell Modular Authentication Service Enterprise Edition begin at $995 for a server plus 5 users and will be available for order at the end of March from Novell channel partners or via shopnovell at www.shopnovell.com.
Novell Consulting Services' Rapid Deployment program reduces customers' deployment time by 30 to 50 percent. Networking consulting experts will design, plan, pilot and rapidly deploy Novell Modular Authentication Service and other customized solutions based on NDS in a customer environment, thus providing immediate business benefits and a competitive advantage from this technology. This Rapid Deployment Solution is implemented quickly and optimally the first time, allowing users and network administrators to immediately become more productive. To order Rapid Deployment Solutions, select "Engage Consulting" at the Novell Consulting Web site http://consulting.novell.com.
NMAS and NDS
Before the introduction of NMAS, NDS used a two-phase mutual authentication method known as "password challenge response" user authentication. The first phase was the user login, in which the password and nonces (values that are used only once) generated by both the client and the server were hashed twice using two different hash algorithms and then encrypted using an RSA encryption algorithm. The second phase was background authentication to an NDS server.
While Novell makes a concerted effort to make its password challenge response authentication method secure, many NDS-installed organizations have determined that password authentication is insufficient for their security needs. Such organizations have decided to expand their network authentication from requiring the network user to authenticate via "something you know" (for example, a password) to "something you have" (for example, a smart card), or "something that you are" (for example, a fingerprint).
The NMAS framework is extensible in that it allows for these and other forms of alternative authentication methods. NMAS-supported authentication methods include both authentication modules developed by Novell as well as by third parties. A summary of each of these authentication methods follows:
Cleartext Authentication
Cleartext (or plaintext) authentication is the process of sending a password over the wire in unencrypted form. Aside from no authentication at all, this is the lowest form of user authentication from a security standpoint: anyone who can observe the traffic obtains the password directly. Because there is no encryption step, plaintext authentication is quite fast. This method is included in NMAS to provide faster authentication in networks requiring less security, as well as to provide interoperability with systems that use cleartext authentication (for example, FTP, Telnet, and POP3 e-mail).
SHA-1 Authentication
Developed and published by the National Institute of Standards and Technology (NIST) in 1993 and revised in 1995, the Secure Hash Algorithm (SHA-1) is a widely used hash algorithm for network authentication. A hash (or message digest) is the transformation of a string of characters into a usually shorter fixed-length value that represents the original string. In terms of security, SHA-1/MD5 authentication is more secure than cleartext because the password itself is not sent across the network, only a hash of it. Authentication is relatively fast because a short hash value is easy to compute. Note that an unkeyed hash of the password is still a static credential: an attacker who captures it on the wire can replay it, and the hash of a weak password can be recovered offline by guessing.
MD5 Authentication
Developed by Ron Rivest at MIT, the MD5 message-digest algorithm takes a message of arbitrary length and produces a 128-bit message digest (or hash). MD5 was, at one time, the most widely used secure hash algorithm.
Standard NDS Password Authentication
As discussed previously, this is the password challenge-response authentication method that uses different hash algorithms and, beginning with the release of NMAS, the DES (Data Encryption Standard) algorithm. The combination of hashing and encryption provides a secure password authentication method. Because of the additional computation this requires, standard NDS password authentication is slower than cleartext or SHA-1/MD5 authentication.
Other Methods of Authentication Supported by NMAS
NMAS also supports physical device authentication and biometric authentication.
Physical Device Authentication
This method involves the use of an object that users carry with them ("something you have") to prove their identity. Third-party authentication developers have written authentication modules for two types of physical devices: smart cards and tokens.
A smart card is a plastic card, about the size of a credit card, that includes an embedded microchip that can store data and perform cryptographic functions. Depending on what is stored on the chip, a smart card can be used for a variety of tasks. With NMAS, a smart card can be used to establish an identity when authenticating to NDS. The ActivCard Gold, for example, lets users prove their identity by using private keys and associated X.509 v3 user certificates stored on the smart card.
With Novell's Certificate Server 2.0 product, which is shipped with NMAS, a network administrator has a powerful PKI (Public Key Infrastructure) where the administrator can issue X.509 v3 user certificates for NDS authentication (among other things).
A token is a hand-held hardware device that generates a one-time password to authenticate its owner. Token authentication systems are based on one of two alternative schemes: challenge response and time-synchronous authentication.
With the challenge-response approach, the user logs in to an authentication server, which then issues a prompt for a personal identification number (PIN) or a user ID. The user provides the PIN or ID to the server, which then issues a "challenge"--a random number that appears on the user's workstation. The user enters that challenge number into the token, which then encrypts the challenge with the user's encryption key and displays a response. The user types in this response and sends it to the authentication server.
While the user is obtaining a response from the token, the authentication server calculates what the appropriate response should be based on its database of user keys. When the server receives the user's response, it compares that response with the one it has calculated. If the two responses match, the user is authenticated to the network. If not, access is denied.
Vasco Data Security provides a module for NDS authentication using its Digipass token.
RSA Security uses a time-synchronous authentication scheme. RSA SecurID is a two-factor authentication solution requiring a PIN that the user knows, and an RSA SecurID authenticator, which the user has. RSA SecurID authenticators generate a one-time passcode every sixty seconds. The combination of user PIN and current authenticator code is valid only for that particular user at that one moment in time. The RSA ACE/Server security software protecting the network takes just seconds to verify the code and grant access.
RSA Security Inc. provides a module for NDS authentication using RSA SecurID authenticators along with RSA ACE/Server security software.
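The two token schemes described above, the VASCO-style challenge-response exchange and the RSA SecurID-style time-synchronous passcode, as an added example written for this article rather than code from Novell, VASCO or RSA Security. The token algorithm (HMAC-SHA256 of a counter, truncated to eight digits), the 60-second time step, the one-step drift window, and the user key and PIN are all assumptions made for the demonstration; the vendors' actual algorithms are proprietary and not described on this page. The example shows both sides of each exchange and the two checks a practitioner wants from the server: a challenge is accepted only once, and a time-synchronous code cannot be replayed within the drift window.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 8        # length of the displayed one-time code (assumption)
TIME_STEP = 60    # seconds per passcode, as in the SecurID description above


def _otp(key: bytes, counter: int) -> str:
    """HMAC-SHA256 over a 64-bit counter, truncated to DIGITS decimal digits.
    A stand-in for the vendors' proprietary token algorithms (assumption)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)


# ---- what the hand-held token computes ----------------------------------
def challenge_token_response(key: bytes, challenge: int) -> str:
    """Challenge-response token: the user keys in the challenge shown on the
    workstation and the token displays this response."""
    return _otp(key, challenge)


def time_sync_token_code(key: bytes, now: int) -> str:
    """Time-synchronous token: the code changes every TIME_STEP seconds."""
    return _otp(key, now // TIME_STEP)


# ---- what the authentication server does --------------------------------
class TokenAuthServer:
    def __init__(self, user_keys: dict, user_pins: dict):
        self.keys = dict(user_keys)   # per-user token secrets (the "database of user keys")
        self.pins = dict(user_pins)   # PINs for the time-synchronous scheme
        self.pending = {}             # user -> outstanding challenge
        self.last_step = {}           # user -> last accepted time step

    def issue_challenge(self, user: str) -> int:
        """Random challenge sent to the workstation; one per login attempt."""
        challenge = secrets.randbelow(10**8)
        self.pending[user] = challenge
        return challenge

    def verify_challenge_response(self, user: str, response: str) -> bool:
        challenge = self.pending.pop(user, None)   # a challenge is single-use
        key = self.keys.get(user)
        if challenge is None or key is None:
            return False
        expected = challenge_token_response(key, challenge)
        return hmac.compare_digest(expected, response)

    def verify_time_passcode(self, user: str, pin: str, code: str,
                             now: int, window: int = 1) -> bool:
        """Accept the current step and +/- window steps to tolerate clock
        drift, but never a step at or below the last one accepted (replay)."""
        key = self.keys.get(user)
        if key is None or not hmac.compare_digest(self.pins.get(user, ""), pin):
            return False
        step = now // TIME_STEP
        for candidate in range(step - window, step + window + 1):
            if candidate <= self.last_step.get(user, -1):
                continue
            if hmac.compare_digest(_otp(key, candidate), code):
                self.last_step[user] = candidate
                return True
        return False


# Constructed sample data for the demo (not real keys or PINs).
SAMPLE_KEYS = {"alice": bytes.fromhex("00112233445566778899aabbccddeeff")}
SAMPLE_PINS = {"alice": "4271"}


def demo(now: int = 1_000_000) -> dict:
    """Run both exchanges once and report each outcome."""
    server = TokenAuthServer(SAMPLE_KEYS, SAMPLE_PINS)
    key = SAMPLE_KEYS["alice"]
    chal = server.issue_challenge("alice")            # server -> workstation
    resp = challenge_token_response(key, chal)        # user keys chal into token
    results = {
        "challenge_ok": server.verify_challenge_response("alice", resp),
        "challenge_replay": server.verify_challenge_response("alice", resp),
    }
    code = time_sync_token_code(key, now)             # code shown at time `now`
    results.update({
        "time_ok": server.verify_time_passcode("alice", "4271", code, now + 30),
        "time_replay": server.verify_time_passcode("alice", "4271", code, now + 30),
        "time_drift": server.verify_time_passcode("alice", "4271", code, now + 180),
        "bad_pin": server.verify_time_passcode(
            "alice", "0000", time_sync_token_code(key, now + 300), now + 300),
    })
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'accepted' if ok else 'rejected'}")
```

Both schemes depend on the server holding the same per-user secret as the token, so the server's key database is the asset to protect; the single-use challenge and the last-accepted-step record are what turn a "one-time" password into one that is actually accepted only once.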
Another technique supported by NMAS is biometric authentication. Biometrics is the science and technology of measuring and statistically analyzing human body characteristics ("something you are"). Biometric authentication can be classified into two groups: static biometric authentication and dynamic biometric authentication.
Static biometric authentication captures and verifies physiological characteristics linked to the individual. Common static biometric characteristics include fingerprints, eye retinas and irises, and facial features.
Dynamic biometric authentication captures and verifies behavioral characteristics of an individual. Common dynamic biometric characteristics include voice and handwriting.
Biometric authentication requires readers or scanning devices, software that converts the scanned information into digital form, and, wherever the data is to be analyzed, a database or directory that stores the enrolled biometric data for comparison with newly captured data. In converting the biometric input, the software identifies specific points of data as match points. The match points are processed using an algorithm into a value that can be compared with the value derived from the biometric scanned when a user tries to gain access.
Identicator, a division of Identix, provides a module for NDS authentication using its BioLogon 2.0 fingerprint authentication software.
SAFLINK Corp. provides three modules for NDS authentication using licensed biometric authentication technology for facial, fingerprint, and voice authentication.
NMAS is managed through an easy-to-install ConsoleOne snap-in module. ConsoleOne is the Java authored, GUI-based, NDS management framework. Specific ConsoleOne property pages let the administrator manage authentication methods, the sequence of those methods, and the security grade associated with those methods. Each of these management tasks is explained further below.
During the installation of the snap-in module, NMAS extends the NDS schema and creates new objects in the NDS tree's Security container. These new objects are the Authorized Login Methods container and Login Policy objects. All authentication methods are stored and managed in the Authorized Login Methods container.
By default, NMAS installs the standard NDS password authentication method. Additional authentication methods can be installed using a wizard launched from the Authorized Login Methods container using the Create New Object option.
Assigning how a user authenticates using NMAS is done by defining a login sequence and then enrolling a user with a method (such as password, token, or biometric). Sequences incorporate one or more authentication methods and are stored in the Login Policy object in the Security container. A sequence includes the methods and the order in which those methods execute during user authentication.
For example, suppose your organization implements a login policy that requires users to log in using "something they are" and "something they know." As the administrator, you decide to require each user to authenticate using the Identicator BioLogon method, along with a SHA-1 password method. You would first decide the sequence of login prompts and then create the sequence in the Login Sequences property page.
The NMAS framework lets administrators easily chain both Novell and third-party authentication methods as part of a login sequence. No collaborative engineering work between different companies is needed. The NMAS framework does the collaboration. This makes it possible to create a sequence using, for example, the Identicator fingerprint reader, a Vasco token, and a standard NDS password.
Graded Authentication
This feature lets administrators establish a scale or grade of the authentication methods supported and grant access rights accordingly. For example, the organization's security policy might specify that a biometric is a stronger form of authentication than a password (Novell makes no claims as to the superiority of one method over another). As a result, a user successfully authenticated with a biometric might receive a wider set of access rights because the administrator has greater confidence in that form of authentication. NMAS thus allows network rights to be more finely controlled.
NDS Partition and Volume Labels
Graded authentication lets administrators assign security labels to NDS partitions and volumes based on the number and type of login factors deemed necessary to enable access to these partitions and volumes. For example, an administrator might assign a Biometric & Token label to a NetWare volume and subsequently create a login sequence that would include both a biometric and token authentication method.
NMAS lets administrators assign any one of the following labels to NDS volumes and partitions:
Biometric & Password & Token
Biometric & Password
Biometric & Token
Password & Token
Biometric
Password
Token
Logged In
The access requirements associated with each of these labels are self-evident, except perhaps for the Logged In label, which enables access without requiring the use of a specific NMAS login method. All users who have authenticated to NDS have, at a minimum, read-only rights to any partition and volume labeled Logged In. All NDS partitions and volumes carry the Logged In label by default, so an administrator must label only those partitions and volumes requiring restricted access.
Clearance Level Assignments
Enforcing user access to labeled NDS volumes and partitions is done by assigning clearance levels to users. At the discretion of the network administrator, an NDS User object can be assigned one or many clearance levels. A user's access depends on both the label of the NDS volume or partition and the clearance the user holds when logging in.
Whatever method users use to log in, they cannot access volumes and partitions labeled for that method unless they have also been granted a clearance that allows such access.
The clearance level names are identical to the security label names. That is, an administrator can assign User objects clearance levels such as Biometric & Password & Token, Biometric & Password, Biometric & Token, and so on down the list. In addition, administrators can assign a Multilevel Administration clearance. Multilevel Administration clearance provides read-write access to all areas on the network--a clearance that should be assigned to only a select few.
Users are prohibited from accessing NDS partitions and volumes that require login factors not included in their clearance level. For example, a user with Biometric & Token clearance does not gain access to volumes and partitions labeled Biometric & Password & Token. This ensures that users cannot access areas with labels that are higher (or entirely different) from their clearance level.
Users are granted read-only access to partitions and volumes with labels that require fewer but at least one of the factors stated in their clearance level. For example, if a user is granted Biometric & Token clearance and requests that clearance at login, that user gains read-only access to partitions and volumes labeled Biometric or labeled Token. This security measure ensures that confidential information remains on the volume or partition where it resides without being accidentally or maliciously copied to an area where it should not be stored.
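The label and clearance rules of the preceding paragraphs, as an added example written for this article rather than Novell's NMAS implementation. It treats a label or clearance as the set of login factors it names and applies the rules stated above: Logged In gives every authenticated user read-only access, a superset or disjoint label yields no access, a strict subset of the user's factors yields read-only access, and Multilevel Administration yields read-write access everywhere. The rule that an exact match between clearance and label yields read-write access, the string forms of the labels, and the sample volume labels are assumptions made for the demonstration.

```python
FACTORS = {"Biometric", "Password", "Token"}
LOGGED_IN = "Logged In"
MULTILEVEL_ADMIN = "Multilevel Administration"

READ_WRITE, READ_ONLY, NONE = "read-write", "read-only", "none"


def parse_label(label: str) -> frozenset:
    """'Biometric & Token' -> {'Biometric', 'Token'}; 'Logged In' -> empty set."""
    if label == LOGGED_IN:
        return frozenset()
    factors = frozenset(part.strip() for part in label.split("&"))
    unknown = factors - FACTORS
    if unknown:
        raise ValueError(f"unknown login factor(s): {sorted(unknown)}")
    return factors


def access(clearance: str, label: str) -> str:
    """Rights a user logged in with `clearance` gets on an area labelled `label`."""
    if clearance == MULTILEVEL_ADMIN:
        return READ_WRITE                  # read-write everywhere; assign sparingly
    required = parse_label(label)
    presented = parse_label(clearance)
    if not required:
        return READ_ONLY                   # Logged In: every authenticated user
    if required == presented:
        return READ_WRITE                  # assumption: exact match gives full rights
    if required < presented:
        return READ_ONLY                   # fewer factors, all of them presented
    return NONE                            # needs a factor the user did not present


# Constructed volume labels for the demo (not from the article).
SAMPLE_VOLUMES = {
    "SYS": "Logged In",
    "HR_RECORDS": "Biometric & Password & Token",
    "LAB_DATA": "Biometric & Token",
    "FINANCE": "Password & Token",
    "SCANS": "Biometric",
}


def effective_rights(clearance: str, volumes: dict = SAMPLE_VOLUMES) -> dict:
    """Map every labelled volume to the rights a given clearance yields."""
    return {name: access(clearance, label) for name, label in volumes.items()}


if __name__ == "__main__":
    for clearance in ("Biometric & Token", "Password & Token", "Logged In"):
        print(clearance, effective_rights(clearance))
```

The read-only rule on lower-labelled areas is what gives the "cannot be copied where it should not be stored" guarantee: a user who can read and write HR_RECORDS can only read SCANS or SYS, so data cannot be written down into an area with weaker login requirements. Rejecting unknown factor names at parse time matters in practice, since a mistyped label would otherwise silently grant or deny access.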
Frequently Asked Questions
Q. Why did Novell create NMAS?
A. NMAS represents another step in Novell's strategy to deliver security solutions. Today many businesses have a mixture of authentication methods and no way to manage them or to use a combination of those methods.
In addition, many NDS-installed organizations have determined that password authentication is insufficient for their security needs. Such organizations have decided to expand their network authentication from requiring the network user to authenticate via "something you know" (for example, a password) to "something you have" (for example, a smart card), or "something that you are" (for example, a fingerprint).
Novell recognizes the value that these different forms of network authentication provide and has developed an extensible framework to support and manage different and multiple authentication methods in NDS.
Q. Who needs this kind of solution?
A. NMAS is a dual product offering answering the needs of many customers.
NMAS Starter Pack is a free Web download at www.novell.com/products/nmas that allows for any provided single form of user login method. This means that NDS users can now authenticate using either a smart card, physical token, biometric, X.509 certificate, or a simple or NDS password.
NMAS Starter Pack is targeted towards organizations looking to implement different single-method NDS authentication policies. Undoubtedly, many of these initial customers will be existing customers whose authentication methods Novell is making available on the Web download.
NMAS Enterprise Edition is a for-charge product (available in April, 2000) that allows for multi-factor authentication as well as "Graded Authentication." Multi-factor authentication is the ability to chain authentication methods in a login sequence. Graded Authentication is the ability to grant network access based on authentication methods used.
NMAS Enterprise Edition is built for organizations with security needs that require multi-factor and Graded Authentication. While this can be virtually any large enterprise, the greatest need will come from health services, financial services, government agencies, pharmaceuticals, and utilities.
Q. How will NMAS help the CIO?
A. First, NMAS simplifies management of the authentication process, lowering costs of administration on the CIO's IT staff. Second, NMAS offers the management framework to increase security throughout the organization by offering IT the ability to write access policies that offer greater access protection to various volumes and partitions within the NDS. No dollar amount can be placed on undesired access to highly sensitive information.
Q. How will NMAS help the network administrator?
A. NMAS is flexible in allowing administrators to set the access policies for accessing NDS partitions and volumes, and then establishing who can access those areas through authentication.
With Graded Authentication, network administrators will feel confident in knowing that secure information in an NDS partition or volume requiring a certain login sequence, cannot be accidentally or purposefully moved or copied to any area that is not as equally secure.
Q. How will NMAS help the user?
A. More than anything, network users want to easily authenticate to NDS and get to their work. The Novell and third party authentication methods included in NMAS provide easy to follow user prompts that let the user authenticate to NDS quickly and securely.
Q. Why is network authentication management so important in an enterprise security program?
A. Authentication is the demonstration of credentials that indicate the user is who he or she claims to be. As the practical repository for enterprise data, network services must be able to maintain the security of network data by limiting access to authorized users. These users validate their identities through authentication prompts and, provided the correct credential is presented, are granted access.
NMAS supports a variety of strong authentication methods (smart card, physical token, biometric, X.509 certificate authentication) from many of today's leading network authentication developers.
Q. What are the primary security problems associated with passwords alone?
A. In many cases, it's unwise user tendencies that make password authentication vulnerable. For example, many users set up passwords that are easy to guess. Some users have their passwords noted in plain view of others on a sticky note on their monitor. For these reasons, and others, many organizations have decided to adopt strong authentication methods such as smart cards, physical tokens, biometrics, and PKI systems using X.509 certificates.
Q. What are tokens?
A. A token is a hand-held hardware device that generates a one-time password to authenticate its owner. Token authentication systems are based on various schemes.
NMAS includes a challenge-response token authentication from VASCO, and a time-synchronous token authentication method from RSA Security.
Q. What are biometrics?
A. Biometric authentication involves providing a unique physical characteristic that distinguishes one user from another. These characteristics might be a fingerprint, voice, handwriting, facial features, eye or retina scan, etc. Biometric characteristics are measured using sensors that produce data values that can then be processed by a computer using specialized algorithms for analysis and comparison against a known data value sample.
NMAS includes fingerprint authentication methods from Identicator and SAFLINK. SAFLINK also provides biometric authentication methods using voice and facial recognition technologies.
Q. Are strong authentication technologies expensive to implement and maintain?
A. As more and more organizations have begun adopting strong authentication methods, the deployment costs have dropped significantly. With smart card, physical token, and biometric authentication options now at affordable prices, many organizations are considering these methods as strong authentication alternatives.
NMAS supports a variety of industry-leading authentication methods for smart cards, physical tokens, and biometrics.
Q. Why would I be interested in chaining methods together?
A. NMAS Enterprise Edition allows for administrators to create login sequences that prompt for single, or a series of multiple (multi-factor) authentication prompts. By creating multi-factor login sequences that, for example, require the user to provide something he knows (such as a password), with something he has (such as a smart card), along with something he is (for example a fingerprint), the administrator has greater confidence that the user is who he or she claims to be.
As a security measure, certain industries are beginning to require multi-factor authentication policies for network users. These industries include health care, financial services, pharmaceuticals, as well as government departments.
The NMAS Enterprise Edition framework allows for Novell- and partner-developed authentication methods to work together easily and securely.
Q. Which authentication technology is best?
A. This is debatable among the different authentication developers, and Novell makes no claims as to the superiority of one authentication method over another. Novell and its NMAS partners all agree that multi-factor authentication is normally more secure than single-factor authentication.
The NMAS Enterprise Edition framework allows network administrators to easily build multi-factor login sequences using a variety of Novell- and partner-developed authentication methods.
Q. Is Novell pursuing partnerships with any other authentication developers?
A. The value of NMAS comes from strong partnerships with some of the world's leading authentication developers. Novell continues to pursue partnerships and is currently working with nearly 30 partners in developing NMAS authentication methods.
Q. Does NMAS work with SSO? With BorderManager?
A. NMAS and Single Sign-on (SSO) provide different network security solutions to different security problems. NMAS provides security at the network authentication level, while SSO provides security at the application level.
Nevertheless, NMAS and SSO are designed to work together. For example, if a user has the connector for the Novell Client for Windows NT (http://www.novell.com/products/sso/applications.html), he can authenticate to NDS through NMAS and then, with the NT Client password stored in SecretStore, have the client launched automatically.
While BorderManager and NMAS work together well in the same network environment, there is no formal integration work between the two products with this release.
Q. Does NMAS replace BorderManager Authentication Service (BMAS)?
A. The NMAS roadmap includes plans to integrate the RADIUS authentication offering in BMAS in a future NMAS release.
Q. How much does it cost? When will it be available?
A. NMAS Starter Pack is a free Web download now available. NMAS Enterprise Edition will be $995 per server and five users. NMAS Enterprise Edition will be available in April, 2000.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.