Security Basics mailing list archives
Re: Strong Authentication
From: Nick Owen <nickowen () mindspring com>
Date: Tue, 13 May 2008 14:25:59 -0400
comments inline...
> Dear All,
>
> On most of the references I've read, strong authentication is defined as having 2 or more of the following:
>
> Something you know
> Something you have
> Something you are (or do)
>
> However, after reading some vendor websites, I'm a little more confused as to the exact interpretation of this. For example, Comodo touts their digital signature solution as a form of 2 factor authentication [1]
>
> =================
> Comodo Two Factor Authentication Solution
>
> 1) Client Digital Certificates to authenticate the user to the bank (Part 1 of the two factor authentication)
Possession of the digital certificate is the "something you have". If it is protected by a passphrase, then that is considered the "something you know". The risk here is an offline brute-force attack against the passphrase.
> 2) Content Verification Certificates (CVC) to authenticate the FI website to the user (Part 2 of the two factor authentication)
This, if I understand it, is what I would call "mutual authentication", which is some mechanism (beyond trying to make someone understand an SSL certificate chain) that validates the server to the user. Using certificates for this is much better than using images. But it is not a second factor - because it's not even related to the user!
> =================
>
> However, to me, this doesn't seem to fit 2 out of the 3 criteria listed above. To be honest, I'm not sure which category a digital signature would fall under.
A digital signature would be used for transaction authentication. Think of it this way:
session auth = user to server
mutual auth = session auth + server to user (in an effective way)
transaction auth = digital signature or perhaps just getting a one-time passcode for this transaction.
> Can anyone share their feedback on this? A different vendor that we plan on using is telling us that through the use of digital signatures, we will be implementing strong authentication, but I'm not too clear on how this accomplishes it.
I think you should look at the whole process (assuming regulation allows you such flexibility :). Using a digital signing or transaction authentication mechanism and using plain passwords for sessions is a great idea, IMO. It matters less if someone can get in if they can't do anything. If you do two-factor for session authentication, then be sure to use a cryptographically distinct method for transaction authentication. That will prevent a MITM from faking a disconnect and requesting a new OTP for a transaction.
I did an article on some of this stuff a while back: http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1180513,00.html

HTH,

Nick

--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.
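As an added illustration of the distinction drawn above between session authentication and transaction authentication (example code written for this archive page, not code from the thread, from WiKID or from any vendor named in it): the login OTP and the transaction code use separate keys and separate input domains, and the transaction code is bound to the exact transaction details, so a phished login OTP or a code for a different beneficiary does not verify. The key names, code lengths, nonce handling and transaction fields are constructed assumptions.

```python
"""Session OTP vs. transaction authentication code with distinct keys."""
import hashlib
import hmac

# Constructed demo secrets; in a real deployment each is provisioned to a
# token or device and never shared between the two functions below.
SESSION_KEY = hashlib.sha256(b"demo-session-seed").digest()
TXN_KEY = hashlib.sha256(b"demo-transaction-seed").digest()


def session_otp(key: bytes, counter: int) -> str:
    """HOTP-style 6-digit login passcode derived from a counter only."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def txn_message(amount_cents: int, beneficiary: str, nonce: str) -> bytes:
    """Canonical transaction bytes: the code is bound to these exact details."""
    return f"txn|{amount_cents}|{beneficiary}|{nonce}".encode()


def sign_transaction(key: bytes, amount_cents: int, beneficiary: str, nonce: str) -> str:
    """8-digit transaction code computed by the user's device (assumed format)."""
    mac = hmac.new(key, txn_message(amount_cents, beneficiary, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def verify_transaction(key: bytes, amount_cents: int, beneficiary: str, nonce: str, code: str) -> bool:
    """Server-side check: recompute over the details it is about to execute."""
    expected = sign_transaction(key, amount_cents, beneficiary, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    # Fixed nonce so the demo is deterministic; a server would issue a fresh one per transaction.
    nonce = "a1b2c3d4e5f60718"
    code = sign_transaction(TXN_KEY, 10_000, "ACME-ACCOUNT-1", nonce)
    return {
        "genuine": verify_transaction(TXN_KEY, 10_000, "ACME-ACCOUNT-1", nonce, code),
        # A man-in-the-middle swaps the beneficiary: the same code no longer verifies.
        "tampered": verify_transaction(TXN_KEY, 10_000, "MULE-ACCOUNT", nonce, code),
        # A login OTP obtained by faking a disconnect is useless as a transaction code.
        "login_otp_reused": verify_transaction(
            TXN_KEY, 10_000, "ACME-ACCOUNT-1", nonce, session_otp(SESSION_KEY, 1)),
    }
```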