Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... last request


From: "Deus, Attonbitus" <Thor () HammerofGod Com>
Date: Wed, 1 Nov 2000 10:18:34 -0800

This has been an interesting thread...

The short answer to your question, in regard to the micro-topic of the
certificate's integrity, is that the generation of the client side
certificate with a properly configured CA produces a token whose security,
in and of itself, is "reasonable and customary".  Of course, if your CA's
private key was compromised, then bogus certificates could be generated with
a home grown CA and I suppose the reverse engineering of the .cer generated
during the installation and configuration of a new CA to also generate bogus
certs is theoretically possible given time and money, but that is not your
concern.  For the certificate to be properly installed for the purpose of
identity validation, key pairs must be generated by the server at
installation.  Though you may export and import a cert to another box, it
will not provide root identity validation.

You have already indicated that client-side breaches are out of your control
and therefore outside the realm of your legal or fiduciary responsibility.
Security issues can never be obviated.  They can only be managed against
possible risk.  This leads me to the thought that given your target client base of a
maximum of 200 users, that your choice of the Internet medium to serve these
clients carries with it a tremendous risk overhead that need not exist.  Why
design a system where you must protect yourself from 200 million in order to
serve 200?  Direct dial options with required client-side software and
security options seem like a much more viable (and cheaper) alternative and
are normally distributed by financial institutions in these cases.

Call-back security can most certainly be overcome, but it is more secure
than putting a box on a global network.

The most important piece of your security model is not what we have been
discussing here: it is the term "due diligence".  Any system we design can
be broken into, and will be broken into if the boost is worth it. The trick
is to have a reasonable security model that your clients will perceive as
sound, while maintaining ease of administration, and most importantly, ease
of use for your clients.

With this in mind, your certificate solution meets these criteria.  Can it be
engineered against?  Yes.  Can client-side breaches break the model?  Sure.
Will the person you have managing the certificates be your best buddy
afterwards?  Doubtful.  However, you and your clients are protected by law,
and my money in your bank is protected by the government.  Due Diligence can
be proved, and your measures fall into what the auditors will view as
reasonable and customary.  You also don't build a system that costs so much
that you must raise your loan rates to pay for it, thus running off the very
customers you built it for.  Job well done.

---------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com

----- Original Message -----
From: "Jim Miller" <MillerJ () FABSSB COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, November 01, 2000 7:09 AM
Subject: [PEN-TEST] Your opinions ... last request


Thank you all for your elucidating responses.  I have come to understand
better the technology that my bank will deploy.  I just have one last point
to clarify, and would like to ask one more time for info on this specific
point.

The client side security is less than adequate, and the bank intends to
protect itself using legal stipulations in signed client contracts.  But
this obvious step will be pointless if the system we deploy to the customer
is easily hacked.  For the customer, physical security is a recommended
control, and necessary to prevent the obvious hack, theft of the hardware.

But if the certificate itself is easily removed from the client and can be
transported and installed on another PC, the client is even more easily
hacked.  It would not do the bank any good to deploy the system to any
customer if the certificate is readily accessible by any employee with a
fair technical knowledge.

This begs [the last and final] question:  can the certificate be exported to
another PC without re-issuance by the bank?  Where does the certificate
reside on the client?  How easily is it hacked, copied, transported, and /
or re-installed?



Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas   77805-8100
979/361-6515
801/835-5546
millerj () fabssb com
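The question above, whether a client certificate's private key can simply be copied to another PC, is one an auditor can check on the deployed workstations rather than take on faith. The following PowerShell audit script is an added example for this archive page and is not code from either poster or from the bank's deployment; it assumes the client certificates live in the Windows per-user personal store (Cert:\CurrentUser\My) and that the keys were created with a Microsoft CAPI or CNG provider, which are assumptions rather than anything the thread states. It reports, for each certificate that has a private key, whether that key was marked exportable when it was generated.

```powershell
# Added audit example (not from the thread). Lists client certificates in the
# current user's personal store and reports the private key's export policy.
# Assumes Windows, PowerShell 5.1 or later, and .NET 4.6+ certificate APIs.
function Get-ClientCertKeyPolicy {
    param([string]$StorePath = 'Cert:\CurrentUser\My')  # assumed store location

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert   = $_
        $policy = 'no private key'

        if ($cert.HasPrivateKey) {
            try {
                # Resolve the RSA private key; the returned type tells us which
                # key provider holds it and therefore where the export flag lives.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG keys: ExportPolicy of None means the provider refuses to export.
                    $policy = if ($rsa.Key.ExportPolicy -ne 'None') { 'exportable' } else { 'non-exportable' }
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI keys: the CSP container carries an Exportable flag.
                    $policy = if ($rsa.CspKeyContainerInfo.Exportable) { 'exportable' } else { 'non-exportable' }
                }
                else {
                    $policy = 'unknown key provider'
                }
            }
            catch {
                # Key exists but this account cannot open it (e.g. smart card not present).
                $policy = "unreadable ($($_.Exception.Message))"
            }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyPolicy  = $policy
        }
    }
}

# Usage: flag every certificate whose key could be packaged up and moved.
Get-ClientCertKeyPolicy | Where-Object { $_.KeyPolicy -ne 'non-exportable' } | Format-Table -AutoSize
```

A "non-exportable" result is a policy enforced in software by the key provider, not a hardware guarantee: it stops the ordinary export dialog and API calls, but an attacker with administrative control of the workstation is not bound by it. Where the bank wants the key to be genuinely tied to one machine or one person, the stronger answer is a key generated on a smart card or other hardware token, which is the direction the "required client-side software and security options" remark in the reply above points toward.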