Re: Device Authentication - The answer to attacks lauched using stolen passwords?

[Nick Owen <nickowen () mindspring com>]

By "mutual" authentication, I mean that the user is authenticated *to*
the server (the implication is strongly authenticated) and that the host
 is also strongly authenticated to the user to prevent a
man--in-the-middle attack.

If you have the host and user strongly authenticated, do you need the
client device to be authenticated?

nick

Saqib Ali wrote:
> when you say mutual authentication, do you mean mutual auth between
>
> 1)  server and the client device; or
> 2)  server and the user
>
> #2 is already in place. e.g. when you connect to SSL enabled banc
> website using a OTP. However you DO depend on the user to correctly
> authenticate the SSL cert offered by the webserver.
>
> It is #1 that is missing.
>
>
> On 9/6/06, Nick Owen <nickowen () mindspring com> wrote:
> > Saqib Ali wrote:
> > > A recent "self-serving" report by Phoenix Technologies indicated that
> > > 84 of attacks could have been prevented only if Device Authentication
> > > was used in addition to user authentication.
> > >
> > > - Evidence Abound:
> > > · Losses from stolen IDs and passwords far exceeded damages from
> > > worms, viruses, and other attack methods not utilizing logon accounts
> > > · Vast majority of attackers, 78 percent, committed crimes from their
> > > home computers; most often using unsanctioned computers with no
> > > relationship to the penetrated organization
> > > · 88 percent, of those crimes were committed from a home PC using
> > > stolen IDs and passwords and following normal logon procedures.
> > >
> > > - Link to full report:
> > > https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf
> > >
> > > -Their solution?
> > >  Use Trusted Platform Module to authenticate devices.
> > >
> > > - Problem?
> > > TPM can also be used to force DRM. (EFF and ACLU member don't like DRM
> > > to say the least)
> > >
> > > - Alternatives?
> > > 1) Be a sitting duck. Passwords WILL stolen and USED to cause financial
> > > damage;
> > > 2) Use software based device authentication. e.g. Passmark as used by
> > > Bank of America
> > > 3) Create a world-wide PKI, issue SSL certificates to machines as well
> > > as users, and then perform client side authentication from the server.
> > > 4) Use IP addresses to perform machine authentication. <grin>
> > >
> > > - Read more at:
> > > http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243
> > >
> > > Any thoughts?
> >
> > I don't accept the assumption that device authentication is the way to
> > go.  I find it more useful to look at what your are trying to
> > authenticate.  Is it a user for a session?  Is it a  host for mutual
> > authentication?  Is is a transaction?   I would bet that doing
> > cryptographically secure mutual authentication would eliminate most of
> > the *current* phishing attacks, thus it might be more important to
> > authenticate the host, not the user's device. Of course, that won't last
> > forever...
> >
> > Nick
> >
> > -- 
> > Nick Owen
> > WiKID Systems, Inc.
> > 404.962.8983
> > http://www.wikidsystems.com
> > Commercial/Open Source Two-Factor Authentication
> > https://www.linkedin.com/in/nickowen

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------