Re: Device Authentication - The answer to attacks lauched using stolen passwords?

["Saqib Ali" <docbook.xml () gmail com>]

> If you have the host and user strongly authenticated, do you need the
> client device to be authenticated?

What is a good { host <---> user } authentication scheme that can be
used on a "un-trusted" client device?

> nick
>
> Saqib Ali wrote:
> > when you say mutual authentication, do you mean mutual auth between
> >
> > 1)  server and the client device; or
> > 2)  server and the user
> >
> > #2 is already in place. e.g. when you connect to SSL enabled banc
> > website using a OTP. However you DO depend on the user to correctly
> > authenticate the SSL cert offered by the webserver.
> >
> > It is #1 that is missing.
> >
> >
> > On 9/6/06, Nick Owen <nickowen () mindspring com> wrote:
> >> Saqib Ali wrote:
> >> > A recent "self-serving" report by Phoenix Technologies indicated that
> >> > 84 of attacks could have been prevented only if Device Authentication
> >> > was used in addition to user authentication.
> >> >
> >> > - Evidence Abound:
> >> > · Losses from stolen IDs and passwords far exceeded damages from
> >> > worms, viruses, and other attack methods not utilizing logon accounts
> >> > · Vast majority of attackers, 78 percent, committed crimes from their
> >> > home computers; most often using unsanctioned computers with no
> >> > relationship to the penetrated organization
> >> > · 88 percent, of those crimes were committed from a home PC using
> >> > stolen IDs and passwords and following normal logon procedures.
> >> >
> >> > - Link to full report:
> >> > https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf
> >> >
> >> > -Their solution?
> >> >  Use Trusted Platform Module to authenticate devices.
> >> >
> >> > - Problem?
> >> > TPM can also be used to force DRM. (EFF and ACLU member don't like DRM
> >> > to say the least)
> >> >
> >> > - Alternatives?
> >> > 1) Be a sitting duck. Passwords WILL stolen and USED to cause financial
> >> > damage;
> >> > 2) Use software based device authentication. e.g. Passmark as used by
> >> > Bank of America
> >> > 3) Create a world-wide PKI, issue SSL certificates to machines as well
> >> > as users, and then perform client side authentication from the server.
> >> > 4) Use IP addresses to perform machine authentication. <grin>
> >> >
> >> > - Read more at:
> >> > http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243
> >> >
> >> > Any thoughts?
> >>
> >> I don't accept the assumption that device authentication is the way to
> >> go.  I find it more useful to look at what your are trying to
> >> authenticate.  Is it a user for a session?  Is it a  host for mutual
> >> authentication?  Is is a transaction?   I would bet that doing
> >> cryptographically secure mutual authentication would eliminate most of
> >> the *current* phishing attacks, thus it might be more important to
> >> authenticate the host, not the user's device. Of course, that won't last
> >> forever...
> >>
> >> Nick
> >>
> >> --
> >> Nick Owen
> >> WiKID Systems, Inc.
> >> 404.962.8983
> >> http://www.wikidsystems.com
> >> Commercial/Open Source Two-Factor Authentication
> >> https://www.linkedin.com/in/nickowen
> >>
> >
> >
>
> --
> Nick Owen
> WiKID Systems, Inc.
> 404.962.8983
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
> https://www.linkedin.com/in/nickowen


--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------