Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... last request


From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Wed, 1 Nov 2000 21:59:36 -0600


-----Original Message-----
From: Jim Miller [mailto:MillerJ () FABSSB COM]
Sent: Wednesday, November 01, 2000 9:10 AM

[...]
The client side security is less than adequate, and the bank
intends to protect itself using legal stipulations in signed
client contracts.  But this obvious step will be pointless if
the system we deploy to the customer is easily hacked.  For
the customer, physical security is a recommended control, and
necessary to prevent the obvious hack, theft of the hardware.

But if the certificate itself is easily removed from the
client and can be transported and installed on another PC,
the client is even more easily hacked.  It would not do the
bank any good to deploy the system to any customer if the
certificate is readily accessible by any employee with a fair
technical knowledge.

This begs [the last and final] question:  can the certificate
be exported to another PC without re-issuance by the bank?
Where does the certificate reside on the client?  How easily
is it hacked, copied, transported, and / or re-installed?


Jim,

you might want to check with other banks and see how they are
tackling this. I know of a few who actually use tokens (Vasco's
tokens being their favorite). With under $50 per token it is
affordable. Certificates are just not easy to control. You give the
client a certificate, have him install it and sign a legal agreement
taking full responsibility. Months later that same client will sell
his old computer to a friend, having forgotten the long-time-ago
installed certificate.

A token is different. A token is physically present, just like an ATM
card. The client won't lose it without noticing (even if he does,
the token is protected by a PIN), the client won't make inadvertent
copies of it (you know, the backup of the public/private certificate
keypair on ZIP drive/CD-ROM/tape that everyone forgets about), the
client won't need to reinstall it when his OS crashes and he has to
reinstall, etc. The main advantage is that it is something the client
will hold in his hand while logging on to his account. From a
psychological point of view, it reminds the client about security.

Use the token to have the client authenticate his session, then rely
on SSL and secure session cookies for the rest of the session. Oh,
and when the client forgets his PIN and/or locks out the token, your
helpdesk can re-enable it remotely (of course after identifying the
client in an appropriate manner). Much easier than revoking the
certificate and issuing a new one.

Let me know if you'd like more info about the token thing. Seems to
work out great for several large banks.

Regards,
Frank
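As an added illustration that is not part of the thread or of any vendor's product, a small Python model of the flow Frank describes: a PIN-protected token, lockout after repeated wrong PINs, helpdesk re-enable only after the client has been identified, and a secure session cookie issued only once the token login succeeds. The HMAC-based one-time code, the three-attempt limit and the cookie attributes are assumptions for the example, not Vasco's design.

```python
import hashlib
import hmac
import secrets

MAX_PIN_ATTEMPTS = 3  # assumed lockout threshold, not a vendor figure


class TokenRecord:
    """Server-side record for one client's token: shared seed, PIN hash, lockout state."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.counter = 0          # event counter; advances once per accepted code
        self.failed_attempts = 0
        self.locked = False

    def expected_code(self, counter: int) -> str:
        # Event-based one-time code: HMAC of the counter, truncated to 6 digits (assumed scheme).
        mac = hmac.new(self.seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def issue_session_cookie() -> str:
    """After the token login, the rest of the session rides on SSL plus this cookie."""
    return f"session={secrets.token_urlsafe(32)}; Secure; HttpOnly"


def token_login(tok: TokenRecord, pin: str, code: str) -> tuple:
    """Returns (status, detail): 'ok' with a cookie, or 'denied' / 'locked' with a reason."""
    if tok.locked:
        return "locked", "token locked; helpdesk re-enable required"
    if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), tok.pin_hash):
        tok.failed_attempts += 1
        if tok.failed_attempts >= MAX_PIN_ATTEMPTS:
            tok.locked = True
            return "locked", "too many wrong PINs"
        return "denied", "wrong PIN"
    if not hmac.compare_digest(code, tok.expected_code(tok.counter)):
        return "denied", "wrong token code"
    tok.failed_attempts = 0
    tok.counter += 1  # a captured code cannot be replayed against the advanced counter
    return "ok", issue_session_cookie()


def helpdesk_unlock(tok: TokenRecord, identity_verified: bool) -> bool:
    """Remote re-enable: only after the helpdesk has identified the client."""
    if not identity_verified:
        return False
    tok.locked = False
    tok.failed_attempts = 0
    return True
```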



