Security Basics mailing list archives
Re: Device Authentication - The answer to attacks launched using stolen passwords?
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Wed, 6 Sep 2006 13:44:37 -0700
If you have the host and user strongly authenticated, do you need the client device to be authenticated?
What is a good { host <---> user } authentication scheme that can be used on a "un-trusted" client device?
nick
Saqib Ali wrote:
> when you say mutual authentication, do you mean mutual auth between
>
> 1) server and the client device; or
> 2) server and the user
>
> #2 is already in place. e.g. when you connect to SSL enabled bank
> website using an OTP. However you DO depend on the user to correctly
> authenticate the SSL cert offered by the webserver.
>
> It is #1 that is missing.
>
>
> On 9/6/06, Nick Owen <nickowen () mindspring com> wrote:
>> Saqib Ali wrote:
>> > A recent "self-serving" report by Phoenix Technologies indicated that
>> > 84 of attacks could have been prevented only if Device Authentication
>> > was used in addition to user authentication.
>> >
>> > - Evidence Abound:
>> > · Losses from stolen IDs and passwords far exceeded damages from
>> > worms, viruses, and other attack methods not utilizing logon accounts
>> > · Vast majority of attackers, 78 percent, committed crimes from their
>> > home computers; most often using unsanctioned computers with no
>> > relationship to the penetrated organization
>> > · 88 percent, of those crimes were committed from a home PC using
>> > stolen IDs and passwords and following normal logon procedures.
>> >
>> > - Link to full report:
>> > https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf
>> >
>> > -Their solution?
>> > Use Trusted Platform Module to authenticate devices.
>> >
>> > - Problem?
>> > TPM can also be used to force DRM. (EFF and ACLU members don't like DRM
>> > to say the least)
>> >
>> > - Alternatives?
>> > 1) Be a sitting duck. Passwords WILL be stolen and USED to cause financial
>> > damage;
>> > 2) Use software based device authentication. e.g. Passmark as used by
>> > Bank of America
>> > 3) Create a world-wide PKI, issue SSL certificates to machines as well
>> > as users, and then perform client side authentication from the server.
>> > 4) Use IP addresses to perform machine authentication. <grin>
>> >
>> > - Read more at:
>> > http://www.xml-dev.com/blog/index.php?action=viewtopic&id=243
>> >
>> > Any thoughts?
>>
>> I don't accept the assumption that device authentication is the way to
>> go. I find it more useful to look at what you are trying to
>> authenticate. Is it a user for a session? Is it a host for mutual
>> authentication? Is it a transaction? I would bet that doing
>> cryptographically secure mutual authentication would eliminate most of
>> the *current* phishing attacks, thus it might be more important to
>> authenticate the host, not the user's device. Of course, that won't last
>> forever...
>>
>> Nick
>>
>> --
>> Nick Owen
>> WiKID Systems, Inc.
>> 404.962.8983
>> http://www.wikidsystems.com
>> Commercial/Open Source Two-Factor Authentication
>> https://www.linkedin.com/in/nickowen
>>
>
> --
> Nick Owen
> WiKID Systems, Inc.
> 404.962.8983
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
> https://www.linkedin.com/in/nickowen
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
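Added example, not code from this thread or from WiKID: a toy login flow that requires both the user's password and a proof from a key enrolled on the user's device, and returns a host proof so the client can authenticate the server without the user eyeballing an SSL cert. It illustrates the "device authentication in addition to user authentication" and mutual-authentication points argued above; the user, password, device id and keys are all constructed.

```python
import hashlib
import hmac
import secrets

# Constructed demo data (not from the thread): one user's password hash and a
# device key that exists only on the enrolled laptop and is never typed by the user.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
DEVICE_KEYS = {"alice": {"laptop-1": b"\x11" * 32}}  # constructed enrollment record

def issue_challenge() -> bytes:
    """Server step 1: a fresh nonce, so a captured device proof cannot be replayed."""
    return secrets.token_bytes(16)

def device_sign(device_key: bytes, user: str, nonce: bytes) -> bytes:
    """Client step: the enrolled device proves possession of its key over the nonce."""
    return hmac.new(device_key, b"device|" + user.encode() + b"|" + nonce, hashlib.sha256).digest()

def _host_proof(device_key: bytes, nonce: bytes) -> bytes:
    return hmac.new(device_key, b"host|" + nonce, hashlib.sha256).digest()

def server_login(user: str, password: str, device_id: str, nonce: bytes, device_sig: bytes):
    """Server step 2: password check, then device check. Returns (ok, host_proof)."""
    stored = USERS.get(user)
    if stored is None:
        return False, None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(stored, candidate):
        return False, None  # wrong password
    key = DEVICE_KEYS.get(user, {}).get(device_id)
    if key is None or not hmac.compare_digest(device_sig, device_sign(key, user, nonce)):
        return False, None  # right password, unenrolled device: the stolen-password case
    # Mutual authentication: the host proves it holds the same device key, so the
    # client need not rely on the user eyeballing the server's SSL cert.
    return True, _host_proof(key, nonce)

def client_verify_host(device_key: bytes, nonce: bytes, host_proof) -> bool:
    """Client step: accept the session only if the host proved itself."""
    return host_proof is not None and hmac.compare_digest(host_proof, _host_proof(device_key, nonce))

def demo() -> dict:
    """The three cases the thread argues about: legit device, stolen password, replay."""
    key = DEVICE_KEYS["alice"]["laptop-1"]
    n1 = issue_challenge()
    ok_legit, proof = server_login("alice", "correct horse", "laptop-1", n1, device_sign(key, "alice", n1))
    n2 = issue_challenge()  # thief knows the password but holds a different (constructed) key
    ok_thief, _ = server_login("alice", "correct horse", "home-pc", n2, device_sign(b"\x22" * 32, "alice", n2))
    n3 = issue_challenge()  # reusing the proof from n1 against a new nonce
    ok_replay, _ = server_login("alice", "correct horse", "laptop-1", n3, device_sign(key, "alice", n1))
    return {"legit": ok_legit and client_verify_host(key, n1, proof), "stolen_password": ok_thief, "replay": ok_replay}
```

Only the "legit" case in `demo()` succeeds; the password alone, from an unenrolled machine, is refused even though it is correct, which is the gap the Phoenix numbers above describe.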