Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions ... last request
From: "Deus, Attonbitus" <Thor () HammerofGod Com>
Date: Wed, 1 Nov 2000 10:18:34 -0800
This has been an interesting thread... The short answer to your question, in regard to the micro-topic of the certificate's integrity, is that the generation of the client side certificate with a properly configured CA produces a token whose security, in and of itself, is "reasonable and customary". Of course, if your CA's private key was compromised, then bogus certificates could be generated with a home grown CA, and I suppose the reverse engineering of the .cer generated during the installation and configuration of a new CA to also generate bogus certs is theoretically possible given time and money, but that is not your concern. For the certificate to be properly installed for the purpose of identity validation, key pairs must be generated by the server at installation. Though you may export and import a cert to another box, it will not provide root identity validation. You have already indicated that client-side breaches are out of your control and therefore outside the realm of your legal or fiduciary responsibility. Security issues can never be obviated. They can only be managed against possible risk. This leads me to the thought that, given your target client base of a maximum of 200 users, your choice of the Internet medium to serve these clients carries with it a tremendous risk overhead that need not exist. Why design a system where you must protect yourself from 200 million in order to serve 200? Direct dial options with required client-side software and security options seem like a much more viable (and cheaper) alternative and are normally distributed by financial institutions in these cases. Call-back security can most certainly be overcome, but it is more secure than putting a box on a global network. The most important piece of your security model is not what we have been discussing here: it is the term "due diligence". Any system we design can be broken into, and will be broken into if the boost is worth it.

The trick is to have a reasonable security model that your clients will perceive as sound, while maintaining ease of administration, and most importantly, ease of use for your clients. With this in mind, your certificate solution meets these criteria. Can it be engineered against? Yes. Can client-side breaches break the model? Sure. Will the person you have managing the certificates be your best buddy afterwards? Doubtful. However, you and your clients are protected by law, and my money in your bank is protected by the government. Due Diligence can be proved, and your measures fall into what the auditors will view as reasonable and customary. You also don't build a system that costs so much that you must raise your loan rates to pay for it, thus running off the very customers you built it for. Job well done.

---------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com

----- Original Message -----
From: "Jim Miller" <MillerJ () FABSSB COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, November 01, 2000 7:09 AM
Subject: [PEN-TEST] Your opinions ... last request

Thank you all for your elucidating responses. I have come to understand better the technology that my bank will deploy. I just have one last point to clarify, and would like to ask one more time for info on this specific point. The client side security is less than adequate, and the bank intends to protect itself using legal stipulations in signed client contracts. But this obvious step will be pointless if the system we deploy to the customer is easily hacked. For the customer, physical security is a recommended control, and necessary to prevent the obvious hack, theft of the hardware. But if the certificate itself is easily removed from the client and can be transported and installed on another PC, the client is even more easily hacked.

It would not do the bank any good to deploy the system to any customer if the certificate is readily accessible by any employee with a fair technical knowledge. This begs [the last and final] question: can the certificate be exported to another PC without re-issuance by the bank? Where does the certificate reside on the client? How easily is it hacked, copied, transported, and / or re-installed?

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas 77805-8100
979/361-6515
801/835-5546
millerj () fabssb com
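The reply above makes two points that are easy to see in practice: a client certificate is only as trustworthy as the CA key that signed it, and a certificate minted by a "home grown" CA with an identical name still fails validation against the real CA. The script below is an added illustration, not code from either poster; it assumes the openssl command-line tool, and every name, subject and path in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a throwaway bank CA,
# issues a client cert from it, then builds a rogue CA with the SAME name and
# issues a look-alike cert. Only the cert signed by the bank CA's private key
# verifies, which is why protecting that key matters more than the .cer file.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <prefix> <subject>: self-signed CA with a fresh private key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" 2>/dev/null
}

# issue_client <ca-prefix> <out-prefix> <subject>: CSR signed by that CA
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# verify_client <prefix>: exit 0 only if the cert chains to the bank CA
verify_client() {
  openssl verify -CAfile "$WORK/bank-ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca bank-ca  "/CN=Example Bank Client CA"
make_ca rogue-ca "/CN=Example Bank Client CA"   # same name, different key
issue_client bank-ca  alice      "/CN=alice"
issue_client rogue-ca alice-fake "/CN=alice"    # look-alike subject

for c in alice alice-fake; do
  if verify_client "$c"; then
    echo "$c: chains to bank CA (accept)"
  else
    echo "$c: signature not from bank CA (reject)"
  fi
done
```

Exporting the legitimate .cer to another machine does not change this check; what the bank's server sees is still a certificate signed by its own CA, which is the point the reply makes about client-side controls being a separate problem.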
Current thread:
- [PEN-TEST] Your opinions ... last request Jim Miller (Nov 02)
- Re: [PEN-TEST] Your opinions ... last request Deus, Attonbitus (Nov 02)
- Re: [PEN-TEST] Your opinions ... last request Gary Flynn (Nov 02)
- <Possible follow-ups>
- Re: [PEN-TEST] Your opinions ... last request Eric Lauzon (Nov 02)
- Re: [PEN-TEST] Your opinions ... last request Frank Knobbe (Nov 03)
- Re: [PEN-TEST] Your opinions ... last request Deus, Attonbitus (Nov 03)