| 4.5 Problem Manager 07 Authentication Principle | |
---|
4.5.07 Authentication Principle: | What was good enough for last year will not be good enough for next year. | Continual improvement can keep authentication relevant and ahead of the criminal. |
Session Cookie | Sign in creates a session cookie with a life of one hour or until the browser is closed. Each web page request shall renew the cookie for a further one hour. Where the user does not request any web page within one hour the session will expire and the session cannot continue without the user signing in. |
Permanent Cookie | Sign in creates a data cookie with a life of 42 days. This contains 256 digits that are the encrypted result of the user name, handle and email address. The encryption is salted so each time the user signs in, the actual encryption key changes to make it a bit harder to decrypt. | This encryption is fit-for-purpose, but would not stop a government agency from eventually decoding the user name, handle and email address. A lot more primary numbers need to be implemented with three layers of interleaved encryption keys to get up to the "true vault" quality. | TO DO. | The numeric data can be encrypted again to letters with a variable starting point in a letter array - the starting point key is appended to the result. The encrypted letters can be reordered according to an algorithm where the sort algorithm ID is appended to the encrypted string. Three different encryption methods can be decoded in a fraction of a second but may cause the hacker too much pain to try to figure out. As all 3 encryption methods can be revised and upgraded from time to time, as soon as anybody thinks they have a solution, the rules are changed. No standard decoding tool will have any idea of where to begin - this is not fixed character replacement, as the same cookie will be encoded differently each time it is created. |
Get Cookie | The sign in web page will get the cookie to display the user name and insert the handle and email address in the sign in form. The user must sign in to create the data cookie before it can be used. |
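The session cookie (one-hour sliding life) and the permanent cookie (42-day life) described in the rows above can both be issued and checked with one mechanism. The following is an added example, not code from Eliza or from the page: instead of the page's custom letter-array encryption it uses a keyed HMAC-SHA256 tag over the cookie body, which makes the cookie unforgeable and tamper-evident without hiding its contents. The server key, payload field names and timestamps are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SESSION_TTL = 3600            # page rule: one hour, renewed by every page request
PERMANENT_TTL = 42 * 86400    # page rule: 42-day data cookie
SERVER_KEY = secrets.token_bytes(32)   # constructed per-process key; a real deployment loads a persistent key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(payload: dict, ttl: int, now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Serialise the payload plus an expiry and append an HMAC-SHA256 tag.
    The cookie is readable by the client but cannot be altered or forged without the server key."""
    now = time.time() if now is None else now
    body = _b64(json.dumps({**payload, "exp": int(now + ttl)}, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag

def read_cookie(cookie: str, now: Optional[float] = None, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload when the tag verifies and the expiry has not passed, otherwise None."""
    now = time.time() if now is None else now
    body, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):   # constant-time compare: no timing side channel on the tag
        return None
    try:
        payload = json.loads(_unb64(body))
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload

def renew_session(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Page rule: each page request extends the session by a further hour. An expired, missing
    or tampered cookie returns None, which should force a fresh sign-in."""
    payload = read_cookie(cookie, now)
    if payload is None:
        return None
    payload.pop("exp")
    return issue_cookie(payload, SESSION_TTL, now)

def issue_permanent_cookie(user_name: str, handle: str, email: str, now: Optional[float] = None) -> str:
    """The page's 42-day data cookie carrying user name, handle and email (field names are constructed)."""
    return issue_cookie({"user": user_name, "handle": handle, "email": email}, PERMANENT_TTL, now)
```

The `now` parameter exists so expiry behaviour can be exercised deterministically; production callers leave it unset. Because the permanent cookie identifies the user, the sign-in page should still require the pass phrase before treating its contents as trusted, exactly as the Get Cookie row states.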
Hours of the Day | All servers are continually set to GMT and never get changed for summer (daylight saving) time. Greenwich Mean Time (GMT) also means Western European Time (WET). Users in different time zones will have their displayed time adjusted in accordance with their branch office profile time zone field value. | Users are permitted to sign in between certain hours of the day, such as 7am to 7pm, which is encoded as "h0719". "h0719" has "07" as part-1 and "19" as part-2, meaning that when sign in is requested, the current time must be 07:00 to 19:57. | Night shift working is supported with 7pm to 7am encoded as "h1907", where the sign in hour must be not less than part-1 as "19:00" and not greater than part-2 as "07:59". "h0303" has a special meaning that the user is not granted access at any time of the day. | Please note that the hour of the day when a user can sign in does not limit how long the user may stay signed in. "h0719" does NOT mean that the user cannot continue to work after 19:59 hours. |
Day of Week | The days of a week when a user can sign in must be assigned as: | "dYYYYYNN" means the user can sign in Monday through Friday. | "dYYYYYYN" means the user can sign in Monday through Saturday. | "dYYYYYYY" means the user can sign in Monday through Sunday (any day). | "dNNNNNNN" means the user cannot sign in on any day. | Other bespoke assignments can be defined. |
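The hour-of-day and day-of-week codes from the two rows above combine into one sign-in gate. This is an added example, not Eliza's own code: it parses "hSSEE" and "dYYYYYNN" codes, handles the night-shift window that wraps past midnight and the "h0303" deny value, and rejects malformed codes rather than silently allowing access. The profiles and timestamps are constructed, and one point is an assumption: part-2 is treated as inclusive of the whole hour, so "h0719" admits sign-in up to 19:59. All times are taken as GMT, matching the page's statement that servers stay on GMT.

```python
from datetime import datetime

# Constructed sample profiles using the codes documented on the page.
SAMPLE_PROFILES = {
    "day-shift":   {"hours": "h0719", "days": "dYYYYYNN"},   # Mon-Fri, 07:00 to 19:59
    "night-shift": {"hours": "h1907", "days": "dYYYYYYY"},   # any day, 19:00 through 07:59
    "locked-out":  {"hours": "h0303", "days": "dNNNNNNN"},   # never
}

def parse_hours(code: str) -> tuple:
    """Split 'hSSEE' into (part-1, part-2) as integers; reject anything malformed (fail closed)."""
    if len(code) != 5 or code[0] != "h" or not code[1:].isdigit():
        raise ValueError(f"bad hours code {code!r}")
    start, end = int(code[1:3]), int(code[3:5])
    if not (0 <= start <= 23 and 0 <= end <= 23):
        raise ValueError(f"hour out of range in {code!r}")
    return start, end

def hour_allowed(code: str, when: datetime) -> bool:
    """Sign-in hour check. Assumption: part-2 covers its whole hour (h0719 ends at 19:59)."""
    if code == "h0303":                       # page: special value meaning no access at any hour
        return False
    start, end = parse_hours(code)
    h = when.hour
    if start <= end:
        return start <= h <= end              # day shift window
    return h >= start or h <= end             # night shift window wraps past midnight

def day_allowed(code: str, when: datetime) -> bool:
    """Day-of-week check: 'd' followed by seven Y/N flags for Monday through Sunday."""
    if len(code) != 8 or code[0] != "d" or set(code[1:]) - {"Y", "N"}:
        raise ValueError(f"bad days code {code!r}")
    return code[1 + when.weekday()] == "Y"    # datetime.weekday(): Monday=0 ... Sunday=6

def sign_in_permitted(profile: dict, when: datetime) -> bool:
    """Both constraints must pass; they gate sign-in only, not how long a session may continue."""
    return hour_allowed(profile["hours"], when) and day_allowed(profile["days"], when)

def check(profile_name: str, gmt_timestamp: str) -> bool:
    """Convenience wrapper: a SAMPLE_PROFILES name and an ISO 8601 timestamp read as GMT."""
    return sign_in_permitted(SAMPLE_PROFILES[profile_name], datetime.fromisoformat(gmt_timestamp))
```

Raising on a malformed code rather than returning `True` is deliberate: a typo in a profile should lock the user out until corrected, not widen the window.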
Super Pass Phrase | A super pass phrase (of 51 characters) is designed to be used with any user handle and email and to bypass hours, days and location constraints. The business requirement is for an ASP user to be able to sign in as any user at any time to validate data access permissions and rights. The super pass phrase means that each user's pass phrase can be kept encrypted and private at all times. |
Pass Phrase Data entry Field | To enable cut and paste to be used in the most effective way, the handle, email and pass phrase may all be entered in the pass phrase field, comma separated. The handle and email address must be set to blank to trigger this style of sign in. When used in conjunction with the super pass phrase, sign in as any user can be achieved. |
Pass Phrase Generator | Pass phrases must be internally generated by Eliza so no person can assign an ineffective pass phrase and nobody other than the assigned person has the ability to see the pass phrase. The generator uses many different algorithms that change every ten seconds, so a pass phrase generated one minute is very different from a pass phrase generated a minute later. | Experience has shown that people can be confused when reading their assigned pass phrases that contain a one or a zero or an upper case alpha I or a lower case alpha l. Additional business rules have been created to scan a generated pass phrase to ensure that people cannot be confused by alpha that look like digits or digits that look like alpha. |
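The scan rule in the row above (no 0/O or 1/I/l look-alikes) is easy to enforce at generation time. This is an added example, not Eliza's generator: it draws characters from the operating system's CSPRNG via the `secrets` module, so unpredictability comes from entropy rather than from rotating algorithms, and it applies the look-alike scan plus a constructed "mix letters and digits" rule. The 16-character default length is an assumption.

```python
import math, secrets, string

# Characters the page reports people confuse: zero with capital O, one with capital I and lower-case l.
# Assumption: the simplest business rule is to keep all five out of the alphabet entirely.
AMBIGUOUS = frozenset("0O1Il")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS)

def has_ambiguous(phrase: str) -> bool:
    """The page's scan rule: flag a phrase containing digit/alpha look-alikes."""
    return any(c in AMBIGUOUS for c in phrase)

def well_formed(phrase: str, length: int) -> bool:
    """Constructed acceptance rules: right length, no look-alikes, and a mix of letters and digits."""
    return (len(phrase) == length and not has_ambiguous(phrase)
            and any(c.isdigit() for c in phrase) and any(c.isalpha() for c in phrase))

def generate_pass_phrase(length: int = 16) -> str:
    """Draw from the OS CSPRNG; the scan loop rejects the rare draw that fails well_formed()."""
    while True:
        phrase = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if well_formed(phrase, length):
            return phrase

def entropy_bits(length: int) -> float:
    """Strength of a phrase drawn uniformly from ALPHABET (the mix rule removes negligible mass)."""
    return length * math.log2(len(ALPHABET))
```

Removing five characters from a 62-character alphabet costs about 0.12 bits per position, so a 16-character phrase still carries roughly 93 bits; readability and strength are not in conflict here.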
ZZZ IP Address List | "ZZZ" users with a fixed IP address may have that IP address added to a white list, which means that they do not need to enter their pass phrase. The "ZZZ" IP address list will identify the user and will create the super pass phrase so the "ZZZ" user can sign in without hours, days or location constraints. The "ZZZ" user handle and email address must match the permanent cookie that is stored on the machine. |
Customer IP Address List | Customers with known IP addresses will have their (partial) IP addresses maintained in a white list. Where a page request is made from a customer IP address, then the user is trusted enough for warning messages to be displayed. The customer IP address is checked before any black listed IP address so a customer will never be treated like a criminal. |
Black IP Address List | Criminals and search engines will have their IP addresses maintained in a list where any page request will have a reply as "hello world" and nothing else. As a means to minimise processing and network traffic, as soon as a blacklisted IP address is identified, then the "hello world" message is shown with no logging or any other action. | Where needed, geo-location checks could be made on unknown IP addresses and any page request from a country that is not part of the service could be shown the "hello world" message. Where the "ZZZ" and company white lists are comprehensive and virtually any other IP address must be invalid, then it is worth doing a geo-location check and saying "hello world" to China. |
Expired User Profiles | Each time a user signs in the date that they sign in is updated. Where a user has not signed in for nn days, then their user profile will naturally expire and they will no longer be able to sign in. This means that people who leave will have their user profile expired after nn days of inactivity. | An authorized person may reset a user profile sign in date to the current date to enable them to sign in. The expired user profile mechanism only applies to people with "normal" sign in security checks. An executive who only signs in once a year can have a "loose" security check where the user profile rule does not apply. | nn days is a configuration parameter that is currently set to 45 days. |
Welcome Page Refresh | Each welcome page has a refresh time set as 42 minutes between 7am and 7pm GMT each day. This means that a user with only their welcome page open will experience a page refresh every 42 minutes and their session cookie will not time out. The final page refresh will take place at 18:59 so all users will be timed out each day by 19:40. Users actively making a page request at least once an hour may continue to be signed in until midnight. |
Dashboard Refresh | Each dashboard page has a refresh time set as 21 minutes between 7am and 7pm GMT each day. This means that a user with only their dashboard page open will experience a page refresh every 21 minutes and their session cookie will not time out. The final page refresh will take place at 18:59 so all users will be timed out each day by 19:20. Users actively making a page request at least once an hour may continue to be signed in until midnight. |
Public Web Pages | Public web pages shown before sign in can be treated as private to certain white listed IP addresses. A person in China or Russia entering our domain name will be shown the "Hello World" message on a white page and nothing else. | Where every "ZZZ" user and customer user can be identified by IP address or geo-location country then every other page request can be shown the "hello World" message. |
IP Address Lists | Three independent IP lists are maintained for: "ZZZ" users, Customers and a Black list. Each IP address list is a text file with one IP address in positions 1 to 15 of each line of text - the remainder of the line may be used for comments that are ignored. | An IP address may be generic, that is less than 15 characters where only the relevant text string is matched. The length of each IP address is determined when the file is read and only the provided string is compared. | In general, black listed IP addresses are only 7 characters long. White listed IP addresses tend to be more than 12 characters long. | ASP dashboard links to a file editor to maintain each IP address list. |
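The three list files and the matching rule described above (address in columns 1 to 15, comment after, only the characters present are compared, customer list consulted before the black list) can be implemented in a few lines. This is an added example, not Eliza's code; the three list files are constructed samples using documentation address ranges. It also adds a `strict` option the page does not have: plain string-prefix matching means a 7-character entry such as "192.0.2" also matches 192.0.25.x, so the strict mode requires the match to end on an octet boundary.

```python
# Constructed sample list files: address in columns 1-15, remainder of the line is an ignored comment.
ZZZ_LIST = """\
203.0.113.7    ZZZ admin workstation, fixed address
"""
CUSTOMER_LIST = """\
198.51.100     customer A office range (partial, 10 chars)
"""
BLACK_LIST = """\
198.51.        scanner netblock (partial, 7 chars, overlaps customer A)
192.0.2        known bad range (partial)
"""

def parse_ip_list(text: str) -> list:
    """Columns 1-15 hold the (possibly partial) address; the rest of the line is ignored."""
    entries = []
    for line in text.splitlines():
        entry = line[:15].strip()
        if entry:
            entries.append(entry)
    return entries

def prefix_match(entry: str, ip: str, strict: bool = False) -> bool:
    """Page rule: only the characters present in the entry are compared (a string prefix).
    strict=True is an added safeguard: the match must end on an octet boundary, so '192.0.2'
    matches 192.0.2.9 but not 192.0.25.9."""
    if not ip.startswith(entry):
        return False
    if not strict or entry.endswith("."):
        return True
    rest = ip[len(entry):]
    return rest == "" or rest.startswith(".")

# Order matters: ZZZ first, then customers, then the black list, so a customer is never
# treated as a criminal even when a short black-list entry overlaps their range.
LISTS = [("zzz", parse_ip_list(ZZZ_LIST)),
         ("customer", parse_ip_list(CUSTOMER_LIST)),
         ("blocked", parse_ip_list(BLACK_LIST))]

def classify(ip: str, strict: bool = False) -> str:
    """Return 'zzz', 'customer', 'blocked' or 'unknown' for a requesting address."""
    for label, entries in LISTS:
        if any(prefix_match(e, ip, strict) for e in entries):
            return label
    return "unknown"
```

Writing partial black-list entries with a trailing dot ("198.51.") avoids the over-match problem even without strict mode; the strict flag covers entries that were not written that way.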
Geo-Location | A licensed function and complex dataset is used to derive the country name from any IP address. Where the IP address is in a white list or black list, then the geo-location check is not needed. | Where a new user tries to sign in, then their sign in "Country" must be "ANY" to bypass this validation process. For typical users, their sign in Country name may be "United Kingdom" - abbreviations will not match the licensed software result. Testing of each sign in Country field value must be done to verify a match by long country name. | Country names are not 100% reliable when AOL is the ISP. |
ISP Name | Users can be restricted to sign in using an assigned Internet Service Provider. "ANY" may be assigned to support a user who needs to sign in using any ISP. | A string of characters may be provided that must match any part of the ISP name such as "UPS" or "SCANSAFE" (Towergate) - this is NOT case sensitive. Athens only uses "OTENET". Nice uses "SFR" but some need a roving profile. | ISP name checks are only needed where a fixed (or generic) IP address is not available to be managed by a white list. See "Who Signed In" to view IP address history. |
Strategy | 1. The sign-in procedure has been made worthless by browsers that "remember" a person's password. When the device is lost or stolen, the criminal can access the signed in service without having to know the password. | 2. The old sign-in method MUST be replaced with a more effective access pad method, especially for all devices that can be lost or stolen. The password is replaced with a PIN and a person is permitted to sign-in for a month or more. | 3. In the event that the device is lost, the device can be disabled from another computer. Because no data is stored on the device, the criminal will not be able to access any personal or business data. | 4. URL design has been improved to prevent keyloggers and URL recorders from replicating the transactions made by an approved person. Improvements prevent one device from impersonating another device. |
Personal Devices | 1. Authentication of desktop computers in the office has been well proven using pass phrases, but personal devices need a more effective authentication method. With a person's phone or tablet that is only available to be used by one known person, physical possession of the device is nine-tenths of the authentication method. | 2. It is reasonable that a person signs in once to identify themselves and register the device, and that person may stay signed in for weeks and months at a time. Sign in is improved by showing a number pad and asking the person to press 3 to 8 numbers as their access number or personal identifier (PIN). | 3. If the device is lost or stolen, then a support request can instantly disable the device so it cannot be used, even if the correct PIN is also stolen. Adequate precautions are taken to ensure that an identical device cannot be used to impersonate the real device, even if the session identifier is stolen. | 4. A person may have many devices and any one device may be stolen or lost, so each device must be uniquely identified and can be uniquely disabled. | 5. Encryption is paramount with multiple layers. Every field value must be pseudonymised with an 8 digit token. Every 8 digit integer number is represented by a date derived from the number of 12.34 milliseconds since a historic event. |
Authentication Factors | 1. IPA is a mashup of the network IP address. If a new IP address is used, then the PIN may be needed to register the new IP address. A white list of approved IP addresses is maintained. Any approved device may use any approved IP address. A black list of criminal IP addresses is maintained to show "hello world" to any criminal. When on the road, the IP address may alter within a range and this will not be classified as a new IP address. | 2. Fingerprint is a mashup of the physical characteristics of the device that can be detected by JavaScript on the URL link to the access pad page. The device fingerprint may change from time-to-time when it is upgraded and each upgrade may need to be registered with the person's PIN. A database of approved personal device fingerprints is maintained. | 3. Agent is a mashup of the browser and operating system used, including version numbers. If a new browser is used or the browser or operating system is upgraded, then the PIN may be needed to register the new agent. A database of approved personal device agents is maintained. | 4. Cookies are stored on the personal device as the encrypted person's session, site, ledger and user identities. Cookies are written when a person signs in with their PIN and locks that session to the information stored in the cookies. The fingerprint and agent mashup are stored in cookies, so if the cookies are stolen, they cannot be used with any other device. | 5. The session identifier may be stolen by a criminal and used from a different device to impersonate a signed in person. A mashup of the agent and datetime that the session begins is stored and checked by every transaction to detect if a session has been stolen. Every private URL carries the session number to ensure that no other device can impersonate the sign-in device, even with an identical agent. |
Threat Analysis | 1. Analysis of every documented criminal attack has identified the extreme lengths to which state sponsored agents will go to access data. Adequate precautions have been devised that will block each and every known attack. | 2. Authentication in depth means that as new criminal attacks are devised, methods already exist to block such attacks. | 3. By replacing pass phrases with a numeric PIN, the need for a password manager is avoided. | 4. The physical device acts as a registered dongle that cannot be impersonated by a similar device. | 5. The encrypted URL carries the session number to prevent an identical device from impersonating the registered signed-in device with the same agent and fingerprint. | 6. Cookies could be stolen and used by a different device. The IP address will block most such attacks. The fingerprint and agent will block most such attacks. The URL session will block most such attacks. The cookie is encrypted, not reversible and meaningless to a criminal, but can be generated from known: fingerprint, agent, site, ledger, user and other information. | 7. The internal session identifier that criminals know about and may try to steal is changed every 30 minutes to prevent fixation. No person is aware of the change of session identifier that can be seen as a session cookie. | 8. Key Logger and URL recorder: The threat is that a client machine has a key logger or a URL recorder installed. When a criminal replays the same URL sequence as the approved person, Eliza must detect the change of agent to blacklist the criminal. This demands that the agent data must be part of the public URL - Access Root URL cannot be replayed by other browsers. | 9. Brute Force can be used by a criminal to guess the PIN by trying every number with a program script. The criminal must be able to fake their IP address as a white listed IP address. Every invalid guess is highlighted by Monica for manual action to blacklist the criminal behaviour. |
Authentication Information | 1. Encrypted information is stored to identify: PIN number, site number, user number, fingerprint number, agent number. Many such records exist to reflect each registered set of values - the information is encrypted and meaningless to a criminal. | 2. The IP white list is used as an initial filter to eliminate criminals from countries that are not supported. Any approved device may use any approved IP address. | 3. The fingerprint and agent numbers are used as the second filter to identify approved devices with a matching cookie. | 4. The cookie derived from the fingerprint, agent, site and user numbers is reset each time the person enters their PIN or the access step is bypassed with a matching cookie. | 5. A person with 1 phone and a tablet where that tablet has 2 browsers will have 3 different authentication records. The person will sign-in with their phone by entering their PIN in the access pad to register that specific fingerprint and agent. The person will sign-in with their tablet by entering their PIN in the access pad to register that specific fingerprint and agent for one browser, then again for the other browser. Each browser has its own cookies that are not shared with different browsers. |
Black and White Listing | 1. Any transaction from a partial blacklisted IP address is shown the "hello world" message with the minimum of processing. | 2. Approved people are only permitted to sign-in with their PIN from a white listed IP network. This can be a challenge for new people on a new network. | 3. An email is sent to the new person with a new device on a new network so they can register their IP address. Click the email link or copy and paste the link to a browser and the network IP address will become whitelisted. | 4. The email uses a special one-time link that cannot be copied and reused by others. | 5. The New Device procedure may then be followed to register the new device. | 6. For some people, the AUTH record may have their IP assigned as "new" so the access pad is shown and the IP registered once. |
Authentication Data | 1. The AUTH file and cookie hold similar (encrypted numeric) data as:- 1=Site, 2=User, 3=Welcome, 4=Agent, 5=Fingerprint, 6=PIN, 7=IP, 8=Date-last-used. | 2. IP address is mashed into an 8 digit number - not reversible. | 3. IPA is the return code as OK or ER or NEW from the white list lookup. A blacklisted IP will show hello world and exit. | 4. Agent is the browser mashed into an 8 digit number - not reversible. | 5. Fingerprint is the device factors mashed into an 8 digit number - not reversible. | 6. Agent and Fingerprint together act as a hardware dongle to identify a unique person. | 7. A unique approved person is identified by a site number and a user number. | 8. Within reason, every field value looks like an eight digit date. A valid date can be used to represent any eight digit integer number of seconds since a historic event. |
Authentication Functions | 1. Get IP as session. | 2. Get IPA from white list as OK or ER. If in blacklist then hello world exit. | 3. Get Agent from browser as session. | 4. Get Fingerprint from URL as session. | 5. Get AUTH by Agent and Fingerprint. | 6. Get AUTH by PIN. | 7. Get Cookie. | 8. Put Cookie like AUTH record. | 9. Add AUTH record like cookie. | 10. Add IP to white list. | 11. Add IP to black list. | 12. PIN Manager: unique date for each number. |
Authentication Processes | 1. Home-Page: Get IP, Get IPA, Get Agent. It is not protected and has an optional short cut URL. | (1) Access menu URL includes Agent and get fingerprint request. | 2. Access-Root: Get IP, Get IPA, Get Agent, Get Fingerprint, Get Cookie, Get AUTH by Agent and Fingerprint. | (1) When URL-agent is not the browser Agent, Add IP to black list and go to Hello World exit. | (2) When Cookie data = AUTH data and IPA = OK, go to Welcome-1. | (3) When Cookie data = AUTH data and IPA = ER, go to Welcome-2. | (4) When IPA = OK, go to Access-Code. | (5) When IPA = ER, Add IP to black list and go to Hello World exit. | 3. Access-Code: Get PIN. | (1) When IPA = OK and AUTH data = PIN, go to Welcome-3. | (2) When IPA = OK and AUTH data not PIN, add attack to Monica, go to Home-Page. | (3) When IPA = new and AUTH data = PIN, go to Welcome-4. | 4. Welcome-1: Put Cookie. | 5. Welcome-2: Put Cookie, Add IP to white list (new network). | 6. Welcome-3: Put Cookie, Add AUTH as cookie (new device). | 7. Welcome-4: Put Cookie, Add IP to white list (new network). Add AUTH as cookie (new device). |
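The Access-Root and Access-Code processes above, together with the data and function rows before them, describe a small decision procedure. The following is an added example of that procedure, not Eliza's code. Two things are assumptions: the page's "mashup, not reversible" is realised as a keyed hash truncated to eight digits (`mash8`), and a network registered through the one-time email link is represented as an IPA of "NEW", which is routed to the access pad as the Procedures row describes. The store, addresses, agents, fingerprints and PIN are all constructed sample data.

```python
import hashlib, hmac

# Assumption: a keyed hash cut down to 8 digits stands in for the page's 'mashup, not reversible'.
MASH_KEY = b"constructed-server-secret-not-from-the-page"

def mash8(value: str) -> str:
    digest = hmac.new(MASH_KEY, value.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 100_000_000:08d}"

class AuthStore:
    """In-memory stand-in for the AUTH file, the IP lists and the Monica report queue."""
    def __init__(self):
        self.white, self.provisional, self.black = set(), set(), set()
        self.auth = {}       # (agent8, fingerprint8) -> AUTH record (the cookie is a copy of it)
        self.by_pin = {}     # pin8 -> (site, user)
        self.monica = []     # invalid-PIN reports for manual blacklisting

    def ipa(self, ip: str) -> str:
        if ip in self.black: return "BLACK"
        if ip in self.white: return "OK"
        if ip in self.provisional: return "NEW"   # network registered via the one-time email link
        return "ER"

def access_root(store, ip, url_agent, browser_agent, fingerprint, cookie):
    """Process 2 (Access-Root). Returns the next page; list updates happen as side effects."""
    ipa = store.ipa(ip)
    if ipa == "BLACK":
        return "hello-world"                     # blacklisted: minimum processing, no logging
    if url_agent != browser_agent:               # 2(1): URL replayed from a different browser
        store.black.add(ip)
        return "hello-world"
    record = store.auth.get((mash8(browser_agent), mash8(fingerprint)))
    if record is not None and cookie == record:
        if ipa == "OK":                          # 2(2): known device on a known network
            return "welcome-1"
        store.white.add(ip)                      # 2(3): same device, new network
        return "welcome-2"
    if ipa in ("OK", "NEW"):                     # 2(4): unknown device, trusted network: show the pad
        return "access-code"
    store.black.add(ip)                          # 2(5): new device on an unknown network
    return "hello-world"

def access_code(store, ip, browser_agent, fingerprint, pin):
    """Process 3 (Access-Code): a correct PIN registers this agent+fingerprint as a device."""
    ipa = store.ipa(ip)
    identity = store.by_pin.get(mash8(pin))
    if ipa not in ("OK", "NEW") or identity is None:
        store.monica.append({"ip": ip, "agent8": mash8(browser_agent)})   # 3(2): report for manual action
        return "home-page"
    site, user = identity
    record = {"site": site, "user": user, "agent": mash8(browser_agent),
              "fingerprint": mash8(fingerprint), "pin": mash8(pin), "ip": mash8(ip)}
    store.auth[(record["agent"], record["fingerprint"])] = record        # Welcome-3/4: Add AUTH as cookie
    if ipa == "NEW":
        store.provisional.discard(ip)
        store.white.add(ip)                                              # Welcome-4: Add IP to white list
        return "welcome-4"
    return "welcome-3"

def make_store():
    """Constructed sample data: one registered phone on a whitelisted office network."""
    s = AuthStore()
    s.white.add("203.0.113.10"); s.provisional.add("198.51.100.5"); s.black.add("192.0.2.1")
    s.by_pin[mash8("4821")] = ("00000001", "00000042")
    phone = {"site": "00000001", "user": "00000042", "agent": mash8("Safari/17"),
             "fingerprint": mash8("iphone-fp"), "pin": mash8("4821"), "ip": mash8("203.0.113.10")}
    s.auth[(phone["agent"], phone["fingerprint"])] = phone
    return s, phone
```

The ordering inside `access_root` matters: the blacklist check comes first so blocked networks cost nothing, and the URL-agent comparison comes before any cookie or AUTH lookup so a replayed URL is rejected before it can be matched against a stored device.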
Authentication Procedures | 1. Normal: home page is bookmarked - click to begin by showing home page. | (1) Click "Access" in menu to trigger Access-Root Process as above. | (2) When same device on any network, welcome page is shown as current month's diary or any other registered page. | 2. New Network: home page is bookmarked - click to begin by showing home page. | (1) Click "Access" in menu to trigger Access-Root Process as above. | (2) When same device on any network, welcome page is shown as current month's diary or any other registered page. | (3) The new network is added to the white list. | 3. New Device: home page is entered using domain and "/c2.c2/c2" shortcut from an approved network. | (1) Click "Access" in menu to trigger Access-Root Process as above. | (2) When the network is white listed or "new", the access pad is shown and the approved PIN is entered. | (3) When the network is not known, the network is blacklisted and Hello World is shown. | (4) When the PIN is authenticated, the welcome page is shown as current month's diary or any other registered page. | (5) When the PIN is unknown, the home page is shown and Monica will report the defect for action. | 4. Blacklisting is the result of any criminal activity. A blacklisted network will only show Hello World messages. It is not permitted to use a new device on a new network - that is criminal behaviour. First time people must have their network white listed BEFORE their new device can be used with a PIN. |
BMS + SAR | 1. Personal application secret services are independent of, but associated with, the following services:- | (1) Subject Access Request where a business associate is granted access to review and revise their Personally Identifiable Information (PII). | (2) Business Message Service where an invoice and statement are shared with a customer contact. | (3) Business Message Service where a message is shared with a business associate. | (4) Business Message Service where a new person's network IP detail is registered and white listed. The agent and fingerprint used may also be registered. | 2. BMS and SAR use a compound URL that acts as the authentication method and has an expiry date and time. In the event of misuse of any specific BMS or SAR service, the impacted service URL can be marked as expired. | 3. Agent and IP details are registered as evidence of who did what. Fingerprint evidence needs JavaScript and that is not viable with the first BMS (or SAR) transaction, but is part of subsequent transactions triggered from the menu. | 4. Every BMS service includes a SAR PII service. Every SAR PII service includes a BMS message service. |
Quantum URL | 1. A URL with quantum characteristics is like a constantly vibrating string that cannot be faked or reused. Every private URL may be used once (within the hour) and can never be reused again. Criminals may try to record and decrypt the URL, but such effort will be totally wasted because every URL string is unknowable and unchangeable. | 2. Information stored in the URL is a mashup that cannot be reversed, but can act as an index to what caused the URL to be generated. In effect, any private URL is just a pseudonymised token that indexes an action with a parameter, but that action and parameter are not part of the token. Datetime is part of every token to ensure that every URL has a life cycle before it will automatically expire and become worthless. The device fingerprint, agent and session are part of every token to ensure that a URL cannot be reused by a different device. | 3. To cope with using services on the road, the IP address may change (within reason) during a session. A URL can continue to be active during an IP address switch. | 4. If an operating system or browser (agent) upgrade is made, then the service is terminated and must begin again with the new agent. A URL cannot continue to be active during an operating system or browser patch. A URL may not continue to remain active if browser extensions and add-ins are installed. | 5. Every ISP is obliged to record every URL and many agencies in all parts of the world will record every URL. When a set of URLs is recorded and replayed, then they must not disclose any private information. | 6. Application business rules may choose to act on one expired URL where ISP theft is unlikely. |
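The properties listed in the Quantum URL row (used once within the hour, an opaque token indexing an action and parameter that never appear in the URL, bound to fingerprint, agent and session but not to the IP address) and the BMS/SAR row's ability to mark a URL as expired after misuse can be met with a server-side token registry. This is an added example and not Eliza's scheme: where the page derives the token from a mashup of device data and datetime, this version uses a random token from the OS CSPRNG and keeps the binding on the server, which gives the same guarantees with no derivation for a recorder to reverse. The URL path shape, the device tuple layout and the sample values are constructed.

```python
import secrets, time

URL_TTL = 3600          # page rule: a private URL may be used once, within the hour

class UrlTokens:
    """Server-side registry for one-time private URLs. The URL carries only an opaque token;
    the action and parameter it indexes never leave the server."""
    def __init__(self):
        self._live = {}     # token -> entry

    @staticmethod
    def _token(url: str) -> str:
        return url.rsplit("/", 1)[-1]

    def issue(self, action: str, param: str, device: tuple, now: float = None) -> str:
        """device is (fingerprint8, agent8, session): the IP is deliberately not part of the binding,
        so an address change on the road (page point 3) does not invalidate the URL."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)     # 192 bits from the OS CSPRNG: unguessable, never repeats in practice
        self._live[token] = {"action": action, "param": param, "device": device, "exp": now + URL_TTL}
        return "/p/" + token                   # constructed URL shape

    def redeem(self, url: str, device: tuple, now: float = None):
        """Returns ((action, param), 'ok') or (None, reason). Success consumes the token."""
        now = time.time() if now is None else now
        entry = self._live.get(self._token(url))
        if entry is None:
            return None, "unknown-or-already-used"
        if now >= entry["exp"]:
            self.expire(url)
            return None, "expired"
        if entry["device"] != device:          # fingerprint, agent or session differ: another device is replaying
            return None, "device-mismatch"
        self._live.pop(self._token(url))       # single use: a recorded copy is now worthless
        return (entry["action"], entry["param"]), "ok"

    def expire(self, url: str) -> None:
        """Mark a URL as expired ahead of time (the page's response to BMS/SAR misuse)."""
        self._live.pop(self._token(url), None)
```

On a device mismatch the token is left in place so the genuine device can still use it within the hour; a stricter policy would burn it and report the event, and the page's point 4 (agent upgrade terminates the service) is a natural place to call `expire` on everything issued to the old agent.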
Do you want a job? | 1. I shall pay you 50% of what you earn for me - you do the job and get paid half of what you earn for me. | 2. You may do your job anywhere you choose. You may do your job for any hours you choose. You may do your job any days you choose. You may have any holidays you choose. You may have any benefits you choose to pay for. | 3. Your job is a "day trader" to invest my money to earn me a profit. Your service agreement states that you are paid 50% of the profit you made for me at the end of each calendar month - nothing more and nothing less. | 4. The more profit you earn for me in any month, the more you are paid as 50% of that profit. You shall not be expected to use the telephone or have contact with other people. | 5. If you do not earn any profit for me in any month, then you do not deserve to get paid. You may choose to do your job as a self-employed trader, as a contractor, as an employee of your own company, as a freelancer or anything else you choose. | 6. You have your job for as long as you do not make a loss. If you have no money left to invest, then you have no job left to do. | 7. You shall be responsible for all your own taxation, holiday and pension matters. You shall never have your job terminated, but you may terminate your job at any time. You shall never be paid by the hour or any other duration. | 8. You may choose to use your own phone, tablet, laptop or desktop. You may choose to use your own desk and chair. You may choose to use your own Internet Service Provider. | Lessons: | 1. You get a job for an employer to make a profit out of the job you do. | 2. You could be paid twice as much if you were both the employer and the employee by doing exactly the same job. | 3. If you want somebody else to manage your taxation matters, your earnings may be reduced by 20%. | Free Training: | 1. You shall be trained free of charge for as long as you choose to be trained. | 2. You shall be given a 100,000 pound free trial account to practice and learn how to invest when the price is low and how to sell when the price is high. | 3. If at the end of any month you have made a profit, then you shall be offered a job with 50% commission on future profits. | 4. If at the end of any month you have not learned enough, you may choose to continue training until you can prove you are ready to do the job. | Jobs Available: | 1. Day trader. Graphics designer. Photographer. Web designer. Event organiser. Travel agent. Import-export agent. Insurance agent. Energy broker. Penetration tester. Web site tester. Virtual assistant. Survey taker. How-to video maker. Language training. Search engine optimisation. | 2. Many YouTube video makers in their teens earn over 10 million per year by publishing short how-to videos. A five year old girl earned 5 million in 2016 with videos of her opening toys to show how they worked. | 3. Education has switched from the classroom to the Internet, from group level training at the pace of the school term to one-on-one training at the pace of the recipient. | 4. What a person is and what they have achieved in the past year is worth much more than any historic examination results. Forget the work-life balance, a person is what their job says they are. The work-life balance begins after financial independence has been achieved. What a person has achieved in the past year is measured by the profit they made for their employer. A large profit trumps any social skill. |