Re: CRIME Article on Magic Lantern from ZDNET

From: Alan (alan@private)
Date: Sat Dec 08 2001 - 12:58:46 PST


    On Saturday 08 December 2001 13:44, Crispin Cowan wrote:
    > Alan wrote:
    > >>Dr.
    > >>Crispie's recommended recipes for proper authentication:
    > >>
    > >>    * Never use plain old passwords sent in the clear. Common examples
    > >>      include:
    > >>          * telnet
    > >>          * non-SSL web forms
    > >
    > >Also "authenticated pages" on web sites that use "Basic Authentication".
    > > The password is encoded, not encrypted. (Base-64, if I remember
    > > correctly.)
    >
    > I'm not familiar with "Basic Authentication"; how would I know when
    > someone is pushing it at me?
    
    Good question. It is set on the server side and I don't know of a browser 
    that warns you of basic vs. digest authentication. (Mozilla does not and I 
    cannot remember one that does.)
    
    The only way I know is through the headers of the transaction. (A sniffer or 
    debugging browser is useful here.)
    
    
    > >Also avoid protocols that have been broken, like 802.11b wireless
    > > encryption.
    >
    > Just assume that the transitive closure of all machines connected to
    > 802.11b are outside of your firewall, and you'll be fine :-) Firewalls
    > have had degrading security values for years, and 802.11b is a great big
    > pothole in their security value.  It is hugely convenient to wire an
    > office with WaveLAN, but (since 802.11b authentication was cracked) it
    > is now impractical to firewall such a LAN. Therefore, all machines that
    > are on a network that has 802.11b on it should:
    >
    >     * use VPNs or crypto tunnels such as SSH for anything sensitive
    >     * be "naked on the Internet" secure against attack
    
    I have yet to see anyone with wireless in a production environment (that was 
    not a Cypherpunk(tm)) to do this.  (Which is a bad thing.)
    
    > Anyone wanna buy an Immunix system? :-)
    >
    > >Unless the server is compromised.  Then you are SOL.
    >
    > Agreed.  Buy Immunix :-)
    
    Is 2.4.x available for it yet? (With the proper patches. I know Greg made one 
    without, for testing purposes.)
    
    > >I thought they found weaknesses in SecureID.  I will have to check my
    > >archives.
    >
    > They did, but it's pretty arcane. With a big pile of hardware, you can
    > extract the private key from a stolen SecureID card, based on watching
    > the chip's power consumption as it does the thousand-bit multiplies for
    > RSA modular exponentiation. Practical solution: freak out if a user
    > reports a card stolen and revoke their key on all your servers. You can
    > probably get this done before the attacker cracks the card.
    >
    > >There are also hardware ID devices like iButton and smart card
    > > authentication combined.
    >
    > There are also USB dongles that claim to be secure storage for PKI keys.
    > However, I'm unclear on how the human authenticates to the iButton or
    > the dongle. If there is no such authentication, then the attacker can
    > just steal the token to get access, i.e. it's not really 2-factor.
    > Anyone actually tried one? Is there a 2nd factor to authenticate the
    > human to the token?
    
    I would think it would depend on the implementation.  Authenticating humans 
    is always difficult. (So few authentic humans out there, especially in Sales, 
    Marketing and on television.)
    
    Having some sort of knowledge-based token (password or the like) is the most 
    common usage, but can be discovered by others. (Especially when posted on the 
    terminal with sticky notes.) Physical token can be stolen. Rubber hoses can 
    be applied to force biometric authentication.  (Biometrics just ups the ante 
    of what they will do to get the token.  Instead of just stealing your wallet, 
    they will take something more valuable to you. Family and/or body parts 
    usually.)
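The header check Alan describes, as an added example that is not part of the original thread: given a captured HTTP response (the sample below is constructed), it reports which authentication scheme the server is demanding, flags Basic auth on a non-TLS connection, and shows why "encoded, not encrypted" matters by reversing the Base-64 in an `Authorization: Basic` header. Function names are this example's own.

```python
import base64
import re

# Constructed sample of a server challenge, as a sniffer or debugging
# browser would show it; not taken from the original message.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Staff Area"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
)

def auth_challenges(raw_response):
    """Return a list of (scheme, realm) for every WWW-Authenticate header
    in a raw HTTP response. Scheme is lower-cased; realm is '' if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            value = value.strip()
            scheme = value.split(None, 1)[0].lower()
            realm = re.search(r'realm="([^"]*)"', value)
            found.append((scheme, realm.group(1) if realm else ""))
    return found

def cleartext_password_risk(raw_response, over_tls):
    """True when the server demands Basic auth and the connection is not
    TLS: the password will cross the wire Base-64 encoded, not encrypted."""
    if over_tls:
        return False
    return any(scheme == "basic" for scheme, _ in auth_challenges(raw_response))

def basic_auth_credentials(authorization_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value.
    Base-64 is reversible, so anyone who sees the header sees the password.
    Returns None for any other scheme (e.g. Digest)."""
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(token).decode("latin-1")
    user, _, password = decoded.partition(":")
    return user, password
```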
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:55 PDT