Heartbleed: A Case For Two-Factor Authentication

By now you’ve probably heard about a major vulnerability in the OpenSSL Project’s implementation of SSL known as Heartbleed. If you’re not familiar with SSL, it is a protocol designed to secure communication between an end-user (client) and application (server) using cryptography and keys intended to make it difficult to intercept and read protected traffic. The process of establishing that secure communication looks something like this:


However, a protocol on its own is useless without a means to implement it, which is where OpenSSL enters the picture. OpenSSL provides a toolkit that allows developers to easily incorporate SSL encryption into their applications. Used by companies as diverse as Google and USAA, it’s estimated that nearly two-thirds of all traffic traversing the Internet passes through servers utilizing OpenSSL. OpenSSL’s popularity is due in large part to the flexible terms of the open source license under which it is developed and maintained.

Given this widespread adoption, it’s understandable why customers and vendors alike were floored when the OpenSSL Project released a security advisory on April 7, 2014 detailing a vulnerability that had been present in its near-ubiquitous encryption library for over two years.

This bug came to be known as Heartbleed, both because it was found in the heartbeat extension of OpenSSL’s implementation of the Transport Layer Security (TLS) protocol, and because of the manner in which the bug could be exploited: hemorrhaging chunks of system memory 64 KB at a time. The popular webcomic xkcd created probably the best depiction/explanation of the exploit in action seen so far.

Source: Wikipedia
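The heartbeat message the bug lived in is simple: a one-byte type, a two-byte declared payload length, the payload, and at least 16 bytes of padding. The vulnerable code trusted the declared length and echoed that many bytes back, which is how a few bytes of real payload could pull up to 64 KB out of memory. The parser below is an added example (not OpenSSL’s code) that performs the bounds check the fix introduced; the sample records it is tested against are constructed here.

```python
import struct
from typing import Optional

HB_REQUEST = 1          # HeartbeatMessageType heartbeat_request (RFC 6520)
HEADER_LEN = 1 + 2      # type (1 byte) + payload_length (2 bytes, big-endian)
PADDING_MIN = 16        # RFC 6520 requires at least 16 bytes of random padding


def parse_heartbeat(record: bytes) -> Optional[bytes]:
    """Return the payload of a well-formed heartbeat request, or None.

    The declared payload_length is attacker-controlled. The vulnerable
    implementation copied payload_length bytes from the receive buffer into
    the response without asking whether that many bytes had actually been
    received, so a request declaring 65535 bytes but carrying 5 returned
    ~64 KB of whatever sat next to it in memory. The check here rejects any
    record whose header + declared payload + minimum padding does not fit
    inside the bytes really on hand, which is what the fix enforces.
    """
    if len(record) < HEADER_LEN + PADDING_MIN:
        return None  # cannot even hold a zero-length payload plus padding
    hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    if HEADER_LEN + payload_length + PADDING_MIN > len(record):
        return None  # declared length runs past the record: discard silently
    return record[HEADER_LEN:HEADER_LEN + payload_length]


def heartbeat_response(record: bytes) -> Optional[bytes]:
    """Build the echo response (type 2) only for a request that passed the check."""
    payload = parse_heartbeat(record)
    if payload is None:
        return None
    return struct.pack("!BH", 2, len(payload)) + payload + b"\x00" * PADDING_MIN


# Constructed sample records for illustration.
GOOD_RECORD = b"\x01\x00\x05hello" + b"\x00" * 16   # declares 5 bytes, carries 5
BAD_RECORD = b"\x01\xff\xffhello" + b"\x00" * 16    # declares 65535, carries 5
```

Run against the two constructed records, the first yields a five-byte echo and the second is discarded instead of being answered with memory contents.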

Even though the OpenSSL Project released a bug fix in tandem with the security advisory announcement, the ease with which the Heartbleed vulnerability could be exploited coupled with the length of time it went undetected in the wild sent the Web into a tailspin. As companies set about plugging holes (Juniper released a Heartbleed IDP signature within 24 hours) and sharing insights (Palo Alto produced a series of poignant blog posts), some companies had a daunting road ahead of them (Cisco had over 75 impacted products).

While the SSL protocol remains inherently secure (GnuTLS, Mozilla’s Network Security Services, and Microsoft’s implementations were unaffected by the bug), the emergence of Heartbleed clearly demonstrated that in our increasingly network-connected world, even unforeseen security vulnerabilities need to be planned for. This is why it is so important to implement layers of defense.

For example, if a site or application relied solely on a vulnerable version of OpenSSL, it’s possible that an attacker could have obtained sensitive information (like user authentication credentials or secret keys) that could be used to decrypt traffic or perform other attacks. However, by utilizing a layered security approach, it may have been possible to impede a hacker’s ability to use stolen private keys and other confidential information to compromise a system or service. An example of one such additional security measure is two-factor authentication.

Two-factor authentication entails logging into a service using something you have (RSA tokens being probably the most familiar example), something you are (fingerprint readers and facial recognition via webcam leading the pack), or something you know (a password and/or a secret question).

The idea is that by requiring two out of the three authentication mechanisms listed above to log in, it is possible to thwart unauthorized access to a service. This new paradigm is being widely embraced by companies ranging from Apple (which built biometrics, in the form of a fingerprint reader, into its latest iPhone offering) to Microsoft (where one-time passwords are issued via text message) in an effort to facilitate secure user login.

While two-factor authentication won’t protect data in flight, SSL will. Even if SSL’s encryption is compromised (as happened with Heartbleed), user authentication still poses a major barrier to an attacker. By coupling two-factor authentication with SSL, it is nearly impossible for a hacker to gain access to a protected system using illicitly gained credentials. It is for this reason that SSL with two-factor authentication is rapidly becoming the accepted norm for enabling secure access between systems.
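To make the argument of the last few paragraphs concrete, here is an added example (not code from any of the vendors mentioned) of a login check that requires both a password and a one-time code from a token, using the standard HOTP/TOTP algorithms (RFC 4226 / RFC 6238). The user record, salt and password are constructed; the token secret is the RFC test-vector secret. A password harvested from leaked memory fails on its own because the second factor never left the token.

```python
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record for illustration (not real credentials). The token
# secret is shared only between the server and the user's token/app.
SALT = b"constructed-salt"
USERS: Dict[str, dict] = {
    "alice": {
        "pw_hash": hash_password("correct horse", SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
    }
}


def verify_login(username: str, password: str, otp: str, unix_time: int) -> bool:
    """Both factors must pass; a stolen password alone is not enough."""
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    # Accept the current step and one step either side to tolerate clock drift.
    otp_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], unix_time + drift), otp)
        for drift in (-30, 0, 30)
    )
    return password_ok and otp_ok
```

A production verifier also records the last counter it accepted for each user so that a code observed in transit cannot be replayed within the drift window.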

PhoneFactor (now Azure MFA), Symantec VIP, and Duo Security are among the most popular platforms in use for enabling two-factor authentication services. For more information about how these solutions may be integrated with your existing security environment, please feel free to contact your friendly neighborhood Myriad Supply team.

___________________________________________________________________________________________________________________________________________________________________

Rick Kenney is a resident Senior Sales Engineer at Myriad Supply. He has over 10 years of experience leveraging technology to solve evolving business challenges.