Re: Device Authentication - The answer to attacks lauched using stolen passwords?

[Nick Owen <nickowen () mindspring com>]

Saqib Ali wrote:
> > If you have the host and user strongly authenticated, do you need the
> > client device to be authenticated?
>
> What is a good { host <---> user } authentication scheme that can be
> used on a "un-trusted" client device?

I believe that most for most financial services activity, it wouldn't
matter - typical risk management techniques should get fraud down to a
very manageable level.  For risky transactions, some form of transaction
authentication is more realistic (and less problematic for many as you
mention) than a trusted platform. It might actually be better to use
passwords for the session authentication and an OTP for the transaction.

> > nick
> >
> > Saqib Ali wrote:
> > > when you say mutual authentication, do you mean mutual auth between
> > >
> > > 1)  server and the client device; or
> > > 2)  server and the user
> > >
> > > #2 is already in place. e.g. when you connect to SSL enabled banc
> > > website using a OTP. However you DO depend on the user to correctly
> > > authenticate the SSL cert offered by the webserver.
> > >
> > > It is #1 that is missing.
> > >
> > >
> > > On 9/6/06, Nick Owen <nickowen () mindspring com> wrote:
> > > > Saqib Ali wrote:
> > > > > A recent "self-serving" report by Phoenix Technologies indicated
> > that
> > > > > 84 of attacks could have been prevented only if Device
> > Authentication
> > > > > was used in addition to user authentication.
> > > > >
> > > > > - Evidence Abound:
> > > > > · Losses from stolen IDs and passwords far exceeded damages from
> > > > > worms, viruses, and other attack methods not utilizing logon
> > accounts
> > > > > · Vast majority of attackers, 78 percent, committed crimes from
> > their
> > > > > home computers; most often using unsanctioned computers with no
> > > > > relationship to the penetrated organization
> > > > > · 88 percent, of those crimes were committed from a home PC using
> > > > > stolen IDs and passwords and following normal logon procedures.
> > > > >
> > > > > - Link to full report:
> > > > > https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf
> > > > >
> > > > > -Their solution?
> > > > >  Use Trusted Platform Module to authenticate devices.
> > > > >
> > > > > - Problem?
> > > > > TPM can also be used to force DRM. (EFF and ACLU member don't
> > like DRM
> > > > > to say the least)
> > > > >
> > > > > - Alternatives?
> > > > > 1) Be a sitting duck. Passwords WILL stolen and USED to cause
> > financial
> > > > > damage;
> > > > > 2) Use software based device authentication. e.g. Passmark as
> > used by
> > > > > Bank of America
> > > > > 3) Create a world-wide PKI, issue SSL certificates to machines as
> > well
> > > > > as users, and then perform client side authentication from the
> > server.
> > > > > 4) Use IP addresses to perform machine authentication. <grin>
> > > > >
> > > > > - Read more at:
> > > > > http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243
> > > > >
> > > > > Any thoughts?
> > > >
> > > > I don't accept the assumption that device authentication is the way to
> > > > go.  I find it more useful to look at what your are trying to
> > > > authenticate.  Is it a user for a session?  Is it a  host for mutual
> > > > authentication?  Is is a transaction?   I would bet that doing
> > > > cryptographically secure mutual authentication would eliminate most of
> > > > the *current* phishing attacks, thus it might be more important to
> > > > authenticate the host, not the user's device. Of course, that won't
> > last
> > > > forever...
> > > >
> > > > Nick
> > > >
> > > > --
> > > > Nick Owen
> > > > WiKID Systems, Inc.
> > > > 404.962.8983
> > > > http://www.wikidsystems.com
> > > > Commercial/Open Source Two-Factor Authentication
> > > > https://www.linkedin.com/in/nickowen
> >
> > -- 
> > Nick Owen
> > WiKID Systems, Inc.
> > 404.962.8983
> > http://www.wikidsystems.com
> > Commercial/Open Source Two-Factor Authentication
> > https://www.linkedin.com/in/nickowen

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------