Security Basics mailing list archives
Re: Device Authentication - The answer to attacks lauched using stolen passwords?
From: Nick Owen <nickowen () mindspring com>
Date: Wed, 06 Sep 2006 17:14:48 -0400
Saqib Ali wrote:
If you have the host and user strongly authenticated, do you need the client device to be authenticated?What is a good { host <---> user } authentication scheme that can be used on a "un-trusted" client device?
I believe that most for most financial services activity, it wouldn't matter - typical risk management techniques should get fraud down to a very manageable level. For risky transactions, some form of transaction authentication is more realistic (and less problematic for many as you mention) than a trusted platform. It might actually be better to use passwords for the session authentication and an OTP for the transaction.
nick Saqib Ali wrote:when you say mutual authentication, do you mean mutual auth between 1) server and the client device; or 2) server and the user #2 is already in place. e.g. when you connect to SSL enabled banc website using a OTP. However you DO depend on the user to correctly authenticate the SSL cert offered by the webserver. It is #1 that is missing. On 9/6/06, Nick Owen <nickowen () mindspring com> wrote:Saqib Ali wrote:A recent "self-serving" report by Phoenix Technologies indicatedthat84 of attacks could have been prevented only if DeviceAuthenticationwas used in addition to user authentication. - Evidence Abound: · Losses from stolen IDs and passwords far exceeded damages from worms, viruses, and other attack methods not utilizing logonaccounts· Vast majority of attackers, 78 percent, committed crimes fromtheirhome computers; most often using unsanctioned computers with no relationship to the penetrated organization · 88 percent, of those crimes were committed from a home PC using stolen IDs and passwords and following normal logon procedures. - Link to full report: https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf -Their solution? Use Trusted Platform Module to authenticate devices. - Problem? TPM can also be used to force DRM. (EFF and ACLU member don'tlike DRMto say the least) - Alternatives? 1) Be a sitting duck. Passwords WILL stolen and USED to causefinancialdamage; 2) Use software based device authentication. e.g. Passmark asused byBank of America 3) Create a world-wide PKI, issue SSL certificates to machines aswellas users, and then perform client side authentication from theserver.4) Use IP addresses to perform machine authentication. <grin> - Read more at: http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243 Any thoughts?I don't accept the assumption that device authentication is the way to go. I find it more useful to look at what your are trying to authenticate. Is it a user for a session? Is it a host for mutual authentication? Is is a transaction? I would bet that doing cryptographically secure mutual authentication would eliminate most of the *current* phishing attacks, thus it might be more important to authenticate the host, not the user's device. Of course, that won'tlastforever... Nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication https://www.linkedin.com/in/nickowen-- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication https://www.linkedin.com/in/nickowen
-- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication https://www.linkedin.com/in/nickowen --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 05)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 06)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 06)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 06)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 07)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 07)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 08)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 08)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Saqib Ali (Sep 06)
- Re: Device Authentication - The answer to attacks lauched using stolen passwords? Nick Owen (Sep 06)