Safehaus Finds Open Source Business Model in OATH
Authenticating with Open Source
Can an open source .org find happiness and success in teaming up with a multivendor consortium? It's a business model that seems to work for Safehaus, an organization now collaborating with OATH (Initiative for Open AuTHentication) on technologies for authenticating cell phone subscribers, among other things.
For its part, OATH was formed by vendors who perceived a void in standards around authentication based on strong encryption, said David Berman, OATH's membership chair, during an interview with LinuxPlanet.
"The static password has been a weak link. We need to drive down the costs of strong authentication," according to Berman, who is also director of partner marketing for VeriSign Security Services.
Although industry groups such as OASIS and the Liberty Alliance have been dealing with issues such as federated identity management, other groups have not focused on the need for specifications dedicated to strong encryption and authentication, Berman said.
Meanwhile, though, banks, cellular providers, and other organizations have been using a range of different proprietary authentication and encryption methods on various smartcard and keyfob hardware, he maintained.
"If you have accounts in three or four banks, you might be carrying around three or four different keyfobs," Berman told LinuxPlanet.
OATH wants to build a unfied specification for secure single-on that will be available for royalty-free use throughout industry.
"Free is good," agreed Alex Karasulu, a founder of Safehaus, also during the interview.
"It's great to be able to mix and match the best of breed. And if the best of breed is open source, by all means you should go with this," chimed in Wally Kowal, vice president of marketing for DiversiNet.
But instead of acting alone, OATH [plans to work with established standards bodies wherever possible.
As a first step, in October of 2004 the group endorsed submission of a dynamic two-factor authentication method dubbed HOTP as a proposed draft standard to the IETF.
According to Kowal, the HOTP algorithm creates a one-time sequence number by combining a "secret credential," pre-loaded on to the device, with a sequential counter. The authentication server is aware of both the credential and the sequence for the specific device. Once the server grants access, the same sequence number can never be used again.
Meanwhile, DiversiNet announced last June that its MobiSecure mobile token and authentication system will be integrated with VeriSign's United Authentication service.
The deal is [targeted at letting mobile service providers authenticate users of smart phones, PDAs, laptops and other devices by deploying software tokens directly on the mobile device, rather than requiring the use of smart cards or other hardware.
Then, in December of 2005, OATH made a draft submission to the IETF proposing a set of extensions to HOTP. Known as Mutual OATH, the extensions accommodate occasionally connected environments by permitting replacement of the sequential counter, which requires time-based synchronization, with challenge-response mechanisms such as passwords.
Mutual OATH also provides for authentication of servers, so as to help prevent phishing scams, Berman said.
Now, OATH is looking at submitting another technology proposal to OASIS at some point in the future, he added.
How is Safehaus playing into this security scenario? The .org now runs a total of eight open source projects around open source directory and security infrastructure.
Last year, Safehaus announced integration between two of these projects--TripleSec and HausKeys--with the OATH framework and OpenSource HOTP
According to Karasulu, the integration project was targeted at helping enterprises to deploy OATH as an open source authentication solution for use with Windows, Macintosh and Unix.
The solution combines Kerberos security with LDAP directory services, he said.
Meanwhile, Safehaus has become a contributing member to OATH, a consortium that also includes board-level "coordinating" members such as VeriSign and IBM Tivoli, in addition to several dozen adopter members.
Safehaus' TripleSec is an authentication server. HausKeys, on the other hand, is a token-based encryption system.
Through OATH, Safehaus has been working particularly closely with VeriSign partner DiversiNet, according to Karasulu.
The relationship with DiversiNet helps to bring more exposure to Safehaus' open source development work as well as much greater production capabilities as the technology starts to come to market, Karasulu contended.
"Without DiversiNET, we wouldn't have nearly the same resources at our disposal," he elaborated.
OATH's algorithm might also be used in other form factors, such as credit cards, according to the OATH members.
"But we see the cell phone as the future," Karasulu noted. "The HOTP footprint is small, and its processing requirements are also small."
Karasulu also participates in the Apache Foundation, another .org that has joined OATH. Apache, however, is an adopter member of OATH, meaning that it pays no dues.
He is also the author of the LDAPd pure Java LDAP server and founder of a previous .org called the LDAP Group. After dissolving the LDAP Group, Karasulu proposed and founded the Directory Project at Apache, which has absorbed the code base to the LDAPd Directory Server.
Meanwhile, two banks have joined OATH as adopter members, but their names are being kept anonymous.
Safehaus is also "a staging area where we bring in a whole bunch of products," Karasulu told LinuxPlanet.
Other current projects at Safehaus include Penrose, Guardian, Mitosis, HausMail, Radius, and Jug.