Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions ... more info
From: "L.W." <eldub () POBOX COM>
Date: Tue, 31 Oct 2000 11:36:54 -0800
-> Jim Miller said:
->
-> Objective:
-> Is the certificate authentication process adequate for the cash
-> mgt application, or is a VPN recommended? All other issues are
-> off target.

Jim, a couple of key points. I am assuming this is B2B and best described as an Extranet.

First, as a general rule, VPNs provide authentication at the network layer and are thus best classified as "device to device" authentication. If you use a VPN, you get a secure pipe (assuming ESP), but must authenticate separately to the application. Since you are an "IS Auditor", I'm sure it would be redundant to mention the policy implications of this, but none the less, I'll stress that control of the customer-located access point is critical.

Second, SSL provides authentication at the application layer and is best described as "client to server" authentication. In order to pull off the client part, you require SSLv3. Trusting the client certificate requires three things. First, you must unequivocally trust the CA. Second, you must ensure the keys are valid (CRL checking). Finally, you must ensure that the user possesses the private key.
From your description, the CA is poorly implemented, and seems to lack a CPS and/or a CP. It is not necessarily located in a place that can assure that it remains trusted. There is no mention of CRL checking and this is not automatic with SSL. Finally, there seems to be no way to assure that the end user is the real key owner.

I feel, given the information you have posted to this point, neither of these is adequate, as neither has been properly planned. It looks like the business requirements phase was not properly completed. I would spend some time resolving these issues before even worrying about the network part.

-LW
eldub () pobox com