WebApp Sec mailing list archives
Re: ual Factor/Adaptive Authentication
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Thu, 4 May 2006 21:06:19 -0700
Passmark technology tries to solve the machine authentication problem using encrypted cookies. The idea looks good, but I don't know how safe it is.
One thing I forgot to explain is why storing secrets is a vulnerability. Here is my $0.0002.

Mutual authentication requires stored secrets on both systems. Stored secrets and the applications that use them are a vulnerability. Why??? By definition stored secrets must be stored in persistent storage. Traditionally the options for storing these secrets were:

1) In applications. But applications may be reverse-engineered to reveal the secret.
2) In file systems/databases. Needs another key to encrypt these databases. Now where do you store the new key that encrypts the database that holds the 1st key? This is where the tokens and USB cryptographic devices helped.
3) Obfuscating. This has proven to be insecure.

A software-only solution cannot address the above issues. Need hardware. Thus the need for TPM, which stores the keys in a tamper-proof hardware chip. TPM provides a cryptographic engine. The keys don't have to leave the TPM. Only the authorized applications can get the data decrypted using TPM.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
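The "machine authentication with a cookie" idea from the first paragraph, and the stored-secret dependency the second paragraph describes, in one added example (not code from the thread or from PassMark). It uses an HMAC-authenticated cookie rather than an encrypted one, because tamper detection is what the device binding needs; user and device names are constructed:

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side secret. This is exactly the stored secret the post
# warns about: anyone who extracts it from the application or its database can
# mint valid cookies, hence the argument for keeping such keys inside a TPM.
SERVER_KEY = secrets.token_bytes(32)


def issue_cookie(user_id, device_id, ttl=30 * 24 * 3600, now=None):
    """Bind a user to a registered device and authenticate the binding."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"u": user_id, "d": device_id, "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_cookie(cookie, user_id, device_id, now=None):
    """True only if the cookie is untampered, unexpired and bound to this
    user/device pair; any parse failure counts as a failed check."""
    now = int(time.time()) if now is None else now
    try:
        p_b64, t_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p_b64)
        tag = base64.urlsafe_b64decode(t_b64)
    except (ValueError, binascii.Error):
        return False
    # Recompute the MAC; constant-time compare avoids a timing side channel.
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    try:
        data = json.loads(payload)
    except ValueError:
        return False
    return (data.get("u") == user_id and data.get("d") == device_id
            and isinstance(data.get("exp"), int) and data["exp"] > now)


def rewrite_payload(cookie, old, new):
    """Model a client editing its own cookie without the key, so the MAC
    check can be seen rejecting the change."""
    p_b64, t_b64 = cookie.split(".")
    payload = base64.urlsafe_b64decode(p_b64).replace(old, new)
    return base64.urlsafe_b64encode(payload).decode() + "." + t_b64
```

The check only holds as long as SERVER_KEY stays secret, which is the point of the post: a software-only deployment still has to store that key somewhere.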
Current thread:
- ual Factor/Adaptive Authentication Casey DeBerry (May 04)
- Re: ual Factor/Adaptive Authentication Saqib Ali (May 04)
- Re: ual Factor/Adaptive Authentication Saqib Ali (May 05)
- <Possible follow-ups>
- RE: ual Factor/Adaptive Authentication Casey DeBerry (May 10)
- Re: ual Factor/Adaptive Authentication Saqib Ali (May 10)
- Re: ual Factor/Adaptive Authentication Saqib Ali (May 04)