Re: Device Authentication - The answer to attacks lauched using stolen passwords?

["Saqib Ali" <docbook.xml () gmail com>]

when you say mutual authentication, do you mean mutual auth between

1)  server and the client device; or
2)  server and the user

#2 is already in place. e.g. when you connect to SSL enabled banc
website using a OTP. However you DO depend on the user to correctly
authenticate the SSL cert offered by the webserver.

It is #1 that is missing.


On 9/6/06, Nick Owen <nickowen () mindspring com> wrote:
> Saqib Ali wrote:
> > A recent "self-serving" report by Phoenix Technologies indicated that
> > 84 of attacks could have been prevented only if Device Authentication
> > was used in addition to user authentication.
> >
> > - Evidence Abound:
> > · Losses from stolen IDs and passwords far exceeded damages from
> > worms, viruses, and other attack methods not utilizing logon accounts
> > · Vast majority of attackers, 78 percent, committed crimes from their
> > home computers; most often using unsanctioned computers with no
> > relationship to the penetrated organization
> > · 88 percent, of those crimes were committed from a home PC using
> > stolen IDs and passwords and following normal logon procedures.
> >
> > - Link to full report:
> > https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf
> >
> > -Their solution?
> >  Use Trusted Platform Module to authenticate devices.
> >
> > - Problem?
> > TPM can also be used to force DRM. (EFF and ACLU member don't like DRM
> > to say the least)
> >
> > - Alternatives?
> > 1) Be a sitting duck. Passwords WILL stolen and USED to cause financial
> > damage;
> > 2) Use software based device authentication. e.g. Passmark as used by
> > Bank of America
> > 3) Create a world-wide PKI, issue SSL certificates to machines as well
> > as users, and then perform client side authentication from the server.
> > 4) Use IP addresses to perform machine authentication. <grin>
> >
> > - Read more at:
> > http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243
> >
> > Any thoughts?
>
> I don't accept the assumption that device authentication is the way to
> go.  I find it more useful to look at what your are trying to
> authenticate.  Is it a user for a session?  Is it a  host for mutual
> authentication?  Is is a transaction?   I would bet that doing
> cryptographically secure mutual authentication would eliminate most of
> the *current* phishing attacks, thus it might be more important to
> authenticate the host, not the user's device. Of course, that won't last
> forever...
>
> Nick
>
> --
> Nick Owen
> WiKID Systems, Inc.
> 404.962.8983
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
> https://www.linkedin.com/in/nickowen


--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------