Re: public key vs passwd authentication?

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 10/01/03


Date: Wed, 01 Oct 2003 14:55:58 GMT

Anne & Lynn Wheeler <lynn@garlic.com> writes:
> frequently there is reference to 3-factor authentication:
> * something you have
> * something you know
> * something you are

note that in the generic description of 3-factor authentication, there
is nothing about private keys, public keys, digital signatures, etc.

digital signatures are a useful technology since they can both
demonstrate that you possess the private key container (authenticating
that the electronic transmission originated from you) as well as the
integrity of the message in a single operation. As a result the same
exact digital signature technology can be used in both a strong form
of challenge/response where the challenge can be both unpredictable
and dynamically changing.

The use of digital signatures is a particularly efficient method of
establishing the "something you have" (and at the same time being able
to demonstrate message integrity).

The actual "something you have" ... can vary on an account-by-account
basis ... meeting specific business needs and risk management
profiles. In this scenario, the degree of risk countermeasures for a
specific account can be based on the selection of private key
container.

Note that none of these considerations and factors either require PKI,
certification authorities, and/or certificates ... which can be
considered a totally orthogonal business issue. It is trivially
possible to deploy a digital signature based two-factor authentication
mechanism w/o resorting to PKI business infrastructure in any way
whatsoever ... i.e. certificate-less radius, certificate-less kerberos,
and/or certificate-less ssh.
http://www.garlic.com/~lynn/2003m.html#49 public key vs passwd authentication
http://www.garlic.com/~lynn/2003m.html#50 public key vs passwd authentication
http://www.garlic.com/~lynn/2003m.html#51 public key vs passwd authentication

Once something like a digital signature, two-factor authentication
infrastructure is deployed (radius, kerberos, ssh, x9.59, etc), it is
then possible for individuals to select the integrity of their private
key container (pc file or hardware token) w/o impacting other aspects
of the protocol (it can become purely an individual security/risk
decision). For instance, it is possible to obtain a hardware token
that manages a private key such that it can never become known
(exploits require obtaining physical possession of the hardware token).

Again, none of these specific digital signature factors related to the
structure and/or security operation even remotely involve PKI,
certification authorities and/or certificates. PKIs, CAs, and
certificates are a business process (analogous to the letters of
credit from sailing ship days) that were designed to create some trust
for two, otherwise, totally unrelated entities that had no previous
business interaction and no direct and/or online way of referring to a
mutually trusted party. They are trivially shown to be redundant and
superfluous in almost all present day business interactions involving
an existing business relationship (bank/customer, employee/employer,
ISP/customer, etc) or have timely access to a trusted third party (POS
online debit and credit transactions).

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/ 
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
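The certificate-less challenge/response the post describes, as an added example that is not part of Lynn Wheeler's post or any of the protocols it names (ssh, radius, kerberos, x9.59). It assumes a relying party that already holds the account's public key from an existing relationship (the constructed account name "alice"), Ed25519 as the signature scheme, a 32-byte random nonce as the unpredictable and dynamically changing challenge, and a fixed-width nonce so that nonce and message concatenate unambiguously. The relying party consumes each nonce on verification, so the same signed response cannot be replayed, and one signature covers both the challenge (proving possession of the private key container) and the message (proving its integrity), with no CA or certificate involved.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// nonceSize is a constructed choice: 32 random bytes is enough to make the
// challenge unpredictable, and a fixed width keeps the nonce/message boundary
// in the signed payload unambiguous without a length prefix.
const nonceSize = 32

// RelyingParty holds the public keys it already trusts (registered out of band
// through an existing relationship, so no certificate or CA is consulted) and
// the one outstanding challenge per account.
type RelyingParty struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		keys:       make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register records the account's public key; this is the enrollment step the
// post treats as part of the pre-existing business relationship.
func (rp *RelyingParty) Register(account string, pub ed25519.PublicKey) {
	rp.keys[account] = pub
}

// Challenge issues a fresh, unpredictable nonce for the account and remembers
// it so that exactly this nonce must appear in the signed response.
func (rp *RelyingParty) Challenge(account string) ([]byte, error) {
	if _, ok := rp.keys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.challenges[account] = nonce
	return nonce, nil
}

// Response is the client's reply: the nonce it was given, the message it wants
// accepted, and a single signature covering both.
type Response struct {
	Account string
	Nonce   []byte
	Message []byte
	Sig     []byte
}

// signedPayload is the byte string both sides sign/verify: nonce then message.
func signedPayload(nonce, msg []byte) []byte {
	return append(append([]byte{}, nonce...), msg...)
}

// Respond is the client side. The private key may live in a file or a hardware
// token; only the signature leaves the container, never the key itself.
func Respond(account string, priv ed25519.PrivateKey, nonce, msg []byte) Response {
	return Response{
		Account: account,
		Nonce:   nonce,
		Message: msg,
		Sig:     ed25519.Sign(priv, signedPayload(nonce, msg)),
	}
}

// Verify is the relying party side. It accepts the response only if the nonce
// is the one currently outstanding for the account and the signature checks
// under the registered key. The nonce is consumed first, so a replayed or
// tampered response fails and the challenge cannot be reused.
func (rp *RelyingParty) Verify(r Response) error {
	pub, ok := rp.keys[r.Account]
	if !ok {
		return errors.New("unknown account")
	}
	want, ok := rp.challenges[r.Account]
	if !ok || !bytes.Equal(want, r.Nonce) {
		return errors.New("stale or unknown challenge")
	}
	delete(rp.challenges, r.Account)
	if !ed25519.Verify(pub, signedPayload(r.Nonce, r.Message), r.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty()
	rp.Register("alice", pub) // constructed account name

	nonce, err := rp.Challenge("alice")
	if err != nil {
		panic(err)
	}
	resp := Respond("alice", priv, nonce, []byte("transfer 10"))
	fmt.Println("fresh response:   ", rp.Verify(resp)) // <nil>: accepted
	fmt.Println("replayed response:", rp.Verify(resp)) // rejected: nonce consumed

	nonce2, _ := rp.Challenge("alice")
	tampered := Respond("alice", priv, nonce2, []byte("transfer 10"))
	tampered.Message = []byte("transfer 99")
	fmt.Println("tampered message: ", rp.Verify(tampered)) // rejected: bad signature
}
```

The relying party's only state is the registered key and the outstanding nonce; swapping the client's key container for a hardware token changes nothing in Challenge or Verify, which is the point the post makes about container choice being a per-account risk decision rather than a protocol change.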

