Re: subtext search in encrypted text

From: Ernst Lippe (ernstl-at-planet-dot-nl_at_ignore.this)
Date: 05/26/04 

Date: Wed, 26 May 2004 10:29:44 +0200

On Wed, 26 May 2004 09:15:52 +0200, Orjan Austvold wrote:

> I haven't actually tried to describe threats to the system in so many
> words, and I probably should have done so before posting to this list.
>
> Anyhow, here is a short list of the main parameters describing the
> system and its configuration:
>
> * clients to the system are software on cellular phones (but could of
> course be an intruders software),
>
> * clients communicate with the system on a protocol carried on either
> HTTP or HTTPS (WSP if on the mobile network),
>
> * clients are authorized either by plaintext username/password, by
> challenge-response (md4/5/6,SHA), or by the mobile network),
>
> * clients access the system by communication with a application server
> through a firewall
>
> * only the business software on the application server have access to
> the database (keys are stored on the application servers business logic
> (obfuscated?)),

Ok, it looks like the major weak point in your system are the
clients. Of course, you should also secure the servers but that
seems all very standard.

The main problem seems to be: how you can authenticate legitimate
clients. A few ideas:
* All cellular phones have a SIM that can securely hold keys.
Is there any way that you could use them?
* The "obvious" solution in this case would be to use SSL with
both a client certificate and a server certificate. Does the
phone have enough processing power and memory to do this? Is
there any way that you could put the private keys plus the certificate
on the phone? How secure is the memory of the phone?
* The risk that a phone will be stolen is high. It seems wise
to use a separate password or PIN to protect your application
(in addition to other forms of authentication).
* Can you trust the information about the identity of the
caller that you receive from the phone company? AFAIK the normal
ANI number information is not reliable.

It is an interesting application, like I said it cannot be
very secure, but there are several things that you could do
to make life more difficult for attackers.

Ernst Lippe

Relevant Pages

  • RE: 802.1x Authentication Fails
    ... Reason = The authentication request was not processed because the ... a default certificate is being sent to ... I queried the product team about this and they feel the server certificate ... which is causing the problem that the clients cannot ...
    (microsoft.public.internet.radius)
  • Re: Can this be done? Wireless Access w/o the use if CERTs
    ... a default certificate is being sent to user ... Could not retrieve the Remote Access Server's certificate due to the ... to use EAP-TLS but you don't have a server certificate. ... EAP-TLS requires certificates on clients and on the IAS server. ...
    (microsoft.public.internet.radius)
  • Re: trouble using SSL on WSUS
    ... clients according to the deployment guide. ... I configured the client to use the WSUS server through https. ... Schemes used: ... I've read on serveral sites that the server certificate has to be imported ...
    (Focus-Microsoft)
  • Re: Basic WEP/RADIUS/802.11 (Cisco/MS) question
    ... but I am interested in this whole Radius ... > I see that I can pull a Radius server out of the Microsoft Windows ... Cisco 1200 APs would be the RADIUS clients. ... a third party CA for your server certificate that your clients already ...
    (microsoft.public.internet.radius)
  • Re: is HTTPS crackable
    ... As soon as you install a server certificate, configure a secure website ...
    (microsoft.public.inetserver.iis.security)