Re: [fw-wiz] Username password VS hardware token plus PIN
From: Paul D. Robertson (paul_at_compuwar.net)
To: Kevin Sheldrake <firstname.lastname@example.org>
Date: Thu, 24 Feb 2005 08:19:42 -0500 (EST)
On Wed, 23 Feb 2005, Kevin Sheldrake wrote:
> to current systems where it is. I don't know if this is how any token
> systems work; I just thought I'd chuck it in.
That would require a client at the entry point- not usually what folks
want to deploy.
> The main reason for the post is because I have a problem with PINs that
> unlock tokens (or smart cards for that matter) in order for some
> credential from the token to be used for authentication (in isolation of
> the original, or any other, PIN or password). While I appreciate that the
> user requires "something he knows" (to unlock the token) and "something he
> has" (the token) in order to log in, I disagree that an attacker would
> necessarily require both.
> Imagine a token (smartcard, PDA, smart phone, whatever) that usually
> operates in this fashion, but can be made to reveal its workings after it
> has been successfully attacked. In this situation, it would be possible for
> the attacker to steal the "something he has" and produce valid
> credentials. In the case where the "something he knows" is transmitted to
> the server (or combined with the OTP and hashed locally) this would not be
Again, implementation dependent- SecurID seems to have done well in 3rd
party reviews, I know Opie had issues at some point- but evaluation is
> BTW, the "something you are" (biometrics) always makes me chuckle. Using
> fingerprints for authentication is like writing your password on every
> surface you touch. It doesn't take much imagination to conceive of
> devices that could scan faces, the iris, the retina, etc, yet appear
> innocuous. It all depends how much you want the credentials.
It's better than that... Denial of Service attacks are now perpetrated by
Guido the DoS expert with a bat. Worse yet, if an attacker believes that
the biometric alone will allow access, stealing just that part (iris,
finger, head) becomes attractive to them under some circumstances- and it
doesn't matter much to the user if the attacker can't authenticate with
the associated part- the attacker just has to believe that Demolition Man
was true for it to be really bad for the user.
I dislike the failure modes on biometrics because of this.
"Ok, so we need to stop the firewall admin from logging in while we
attack, they use iris scanners don't they?" becomes a bit unsettling...
> Of course, specific biometric implementations do not need to fall foul of
> this vulnerability; when we (the industry) get past the hype and debate
> actual architectures, we might come up with something usable and secure. :)
The implementation doesn't matter if the attacker set believes that they
can breach the system. For instance, if a rumor starts that iris scanners
in ATMs open up if you pop out an eyeball and hold it on the end of a pen,
there will be a bunch of one-eyed victims running around _even if the
premise is untrue_.
I prefer tokens and passphrases to biometrics; attacking the token or
passphrase doesn't have to involve my fingers or eyeballs.
Paul D. Robertson
email@example.com
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list