WebApp Sec mailing list archives
RE: Token authentication with web applications
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Sun, 4 Jul 2004 14:20:16 -0400
Two interesting points: 1. " To make it a little
more secure, add an ip address check along with the seed file and id/password."
In today's world of "super-proxies" (AOL) and super-short-life dhcp leases, there is no guarantee that a user will come from the same IP address during a session. An error (or even a warning) here will confuse most users, and 99% of the time, there's nothing they can do about it anyway. 2. " Add the mac address to the file. When the
user connects, run a local java script to get the mac address of the
pc
and send it back. Compare the mac address to one you have on file."
MAC addresses are easily spoofable by any script-kiddie, and javascript does not allow direct access to the mac address. Even Java doesn't support this (but can through an external call). I also believe that home-grown security solutions are probably fatally flawed 95% of the time. You have to think about things like MITM attacks (even with SSL), weak passwords, process debugging (via SoftICE), memory scans, and offline attacks. Unless you are a security expert and are willing to take on these challenges, or unless this is a politically-centered decision, I would stay away from brewing something like this yourself. Regards, Michael Scovetta Computer Associates Senior Application Developer tel: +1 631 342 3139 cell: +1 813 727 5772 michael.scovetta () ca com
-----Original Message----- From: Levenglick, Jeff [mailto:JLevenglick () fhlbatl com] Sent: Friday, July 02, 2004 8:46 AM To: Michael Silk; Ivan Krstic; webappsec () securityfocus com Subject: RE: Token authentication with web applications Ivan, You are correct that token solutions can be expensive. But.. in some sorts, you get what you pay for. What type of web app are you looking to protect? Some solutions that are out there: 1) RSA Cleartrust or Netegrity Siteminder. Not a token system, but can
be
integrated with one. Can protect web apps or application server apps. (java...ect) You setup a user id/password and assign rights. 2) RSA Keon or other CA software. Be your own CA and issue certs to
your
users. Set your web server up to only trust/use those certs. Set acl's/filters to only accept
your
certs. 3) If your going to program your own system. You might find it to be
as
expensive as just buying tokens...ect. But... You could try some simple things: 1) Install a password encrypted, hidden file to their hard disk. 2) Everytime they connect to you, get that file. Un-encrypt it and
read
the sead number in it. Then, if it matches a seed number assigned to that user, change the number
and
send it back. (encrypt the file again) This would be semi-safe because if someone did find and take the file, they would have a hard time trying to decrypt the file to get the seed. Plus, they would need the user
name
and password to get in. To make it a little more secure, add an ip address check along with the seed file and id/password. <<just popped into my head>> Add the mac address to the file. When the user connects, run a local java script to get the mac address of the
pc
and send it back. Compare the mac address to one you have on file. Jeffrey Levenglick -----Original Message----- From: Michael Silk [mailto:michaels () phg com au] Sent: Friday, July 02, 2004 02:25 AM To: Ivan Krstic; webappsec () securityfocus com Subject: RE: Token authentication with web applications Hi, As far as I have found is that the secure systems will perform some computation on the card itself, the computation is such
that
it is secure (i.e. no private data leaves the card, and other such things) So, in your situation obviously the computer where the key is plugged into isn't considered secure; so computation can't be done
there.
Perhaps you could look into utilising the users' palm pilots? If they have them ... If not, well, the only solution is to use a system that can be copied (i.e. cd's, printouts, and so on) and accepting the risk. Potentially (and this is just a very rough suggestion) you could have a secure server and the users' computers can request a
token
from that. (i.e. try and emulate the computational card-based
system
utilising a server instead of the card). -- Michael -----Original Message----- From: Ivan Krstic [mailto:krstic () fas harvard edu] Sent: Friday, 2 July 2004 8:48 AM To: webappsec () securityfocus com Subject: Token authentication with web applications All, I'm looking for people's experiences with cheap, uncomplicated token devices or other physical means of authentication that play nicely
with
more traditional authentication methods in web applications. The cheapest solutions that came to mind are printing credit-card
sized
s/key cards, or burning mini-CDs with a key and an auth agent for
users.
Obviously, both methods are flawed (s/key cards can be copied down if left exposed, and that's assuming they're not taped to the monitor, while a stolen CD can be copied and replaced without evidence of tampering[1]), but would still raise the security bar at essentially
no
cost. More extensive authentication solutions are usually rather expensive. Thoughts? Cheers, Ivan. [1] The s/key printed cards at least address this insofar as the user, presuming he can be bothered with remembering which of the 100 s/keys
he
used last, can notice that an intruder gained access to the system. This email message and accompanying data may contain information that
is
confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you
have
received this email message in error, please notify us immediately and erase all copies of this message and attachments. This email is for your convenience only, you should not rely on any information contained herein for contractual or legal purposes. You
should
only rely on information and/or instructions in writing and on company letterhead signed by authorised persons. ----------------------------------------- This e-mail message is private and may contain confidential or
privileged
information.
Current thread:
- Token authentication with web applications Ivan Krstic (Jul 01)
- <Possible follow-ups>
- RE: Token authentication with web applications Michael Silk (Jul 02)
- RE: Token authentication with web applications sfdl01 (Jul 02)
- RE: Token authentication with web applications Graham Howe (Jul 02)
- Re: Token authentication with web applications Ivan Krstic (Jul 02)
- RE: Token authentication with web applications sfdl01 (Jul 02)
- RE: Token authentication with web applications Levenglick, Jeff (Jul 02)
- RE: Token authentication with web applications Scovetta, Michael V (Jul 04)
- RE: Token authentication with web applications stevenr (Jul 05)