At the rate at which technology today is moving forward with the Internet speeds increasing manifold, with IoT gaining prominence and organizations more distributed across the globe than before, the authentication software, systems and architectures remain fairly primitive.
Among the many reasons attributing to this is corporates that build these authenticating systems and software hold on to these products as their main source of income. The insight and research in these areas has also been fairly mundane. Though there’s been enough research funding, what’s missing has been the intellect and knowledge required to build large-scale distributed and decentralized authentication systems and architectures.
Large-scale authentication systems and architectures used in building them must allow both manned [computers, tablets, phones, virtual machines etc] and unmanned [IoT devices etc] to authenticate and authorize themselves without a centralized bottleneck, as seen in authentication systems like LDAP, Active Directory and others.
As experienced on a daily basis, these centralized authentication systems are not scalable or fault-tolerant without a sane fail-over MTBF [Mean Time Between Failure] causing business disruptions on a regular and long-lasting basis.
■ What can be done about this?
Let us acquaint ourselves with AuthControl. SynchroKnot designed and developed AuthControl as a result of realizing inadequacies in the centralized authentication systems [LDAP & Active Directory].
AuthControl was designed with the following flexibility in mind:
- Ability for authentication to be either centralized, distributed, decentralized or a combination of these.
- Ability to be seamlessly and transparently scaled on-demand across the globe with no downtime.
- Ability to be used by standard operating systems within their security framework without custom or proprietary software, enhancements, modifications or hacks.
- Ability to be used across all devices that can make a simple https call. and much more.
■ What is AuthControl?
AuthControl is SynchroKnot’s unique Distributed Fault-Tolerant Authentication Management & Identification Control System that serves as a scalable, secure and simple alternative to LDAP, Active Directory and other authentication systems.
In AuthControl, the user[s] can be delegated and made responsible for managing their password. Furthermore, the user’s password SHA512/GOST checksum is kept encrypted.
■ Password + Pin
The user[s] can log in to their virtual machines or physical hardware [eg. computers, tablets, mobile phones etc] with their standard username and password + 5 digit unique pin.
This 5 digit pin is not set by the user, but is rather auto or manually generated per the preference of the organization. Without having to manage separate pins for each user, and the ability to change them on a regular basis, makes logging into systems and authentication for various purposes more secure without adding the burden of lengthy procedures/steps.
Depending on the nature of the circumstance, user access can be restricted/limited by simply changing the PIN.
■ Algorithmically-ascertained decentralized numeric User and Group ID
Authcontrol also has the unique capability of creating operating system specific user and group identities that are unique. For example, AuthControl can create a Linux User ID and Group ID that are unique and always return the same numeric value for the ID.
This unique numeric user and group ID is algorithmically created in a decentralized manner without having to generate, store and poll centralized or distributed databases.
Due to the uniqueness of the user and group IDs, they can be instantly checked for changes/manipulations and reinstated automatically if changed without having to poll, check and compare with central or distributed databases. It can also report/alert in the similar manner.
AuthControl’s strong security is strengthened with the use of inter-leaved mapping of Usernames to their Blockchain IDs and further using blockchain cryptography [not the blockchain network] to ascertain authenticity. This is another unique feature you will not find anywhere else but with SynchroKnot.
■ Fault Tolerant
AuthControl algorithmically checks for failures across multiple geographically-dispersed locations [configurable up to 10] before returning unreachable.
■ Load Balanced
Each user or groups of users can be assigned different geographically-dispersed locations for load balancing [with additional option of fault-tolerance].
Enable AuthControl in virtual or physical machines, point more users to them, and scale seamlessly and transparently across the globe.
Very easy to set up and manage. Works transparently with Linux PAM without modifying standard PAM modules, and is end-to-end encrypted [uses standard HTTPS for communication].
Since this is just an article for getting acquainted with AuthControl, we refrain from getting into technicalities which might be better reflected in a whitepaper.
■ Below are examples of different methods that users can log in or access resources transparently with their standard Username and Password + 5 Digit PIN:
├─> Graphical Login
├─> Graphical Screen Saver Login [eg. screen lock]
├─> Non-Graphical Login
├─> SUDO – Execute a command as another user
├─> SU – Super User
├─> SSH – Secure Shell
├─> SCP – Secure Copy
├─> SFTP – Secure File Transfer Protocol
├─> SSHFS – Secure Shell File System
├─> FTP – File Transfer Protocol
├─> VNC – Virtual Network Computing
├─> RDP – Remote Desktop Protocol
├─> CUPs – standards based open source printing system
├─> CRON – Execution of scheduled commands
├─> SAMBA – Windows AD and SMB/CIFS fileserver for UNIX
├─> File Manager – Create Network Place with SFTP, SAMBA and FTP
├─> All password requirements via Control Center
├─> Practically anything that uses Standard PAM for authentication!
Below is a direct link to the demonstration video:
Description of the demonstration:
This is a very basic impromptu demonstration of AuthControl. Here both of the virtual machines are enabled with AuthControl and show the following:
■ Login via Graphical Interface
■ Login via Non-Graphical Interface
■ Run a command with SU as another user
■ Run a command with SUDO as another user
■ Login to a remote system via SSH
■ Mount a remote filesystem via SSHFS
■ Use File Manager to create a Network Place using SFTP
All these different types of logins use AuthControl with standard Linux users and password + 5 digit pin. The basic HTTPS traffic is captured using TCPDUMP to show realtime interaction with the SynchroKnot AuthControl when the password is entered in the virtual machines for the purposes of authentication.
Note: This demo was recorded on a severely resource-constrained system. It is up to you to determine the performance.
More information and technical insights can be found @ synchroknot.com