Re: Microsoft marries RSA Security to Windows
I can see a number of problems with using mobile phones as a second channel for authentication: 1. It begs the question of tamper resistant hardware. Unless the phone contains a tamper resistant serial number or key, it is relatively easy to clone. And cell phones are merging with PDAs. If you have secure storage, why not implement a local solution on the PDA side? 2. Even if the phone is tamperproof, SMS messages can be intercepted. I can imagine a man-in-the-middle attack where the attacker cuts the user off after getting the SMS message, before the user has a chance to enter their code. 3. Cell phones don't work everywhere. Geographic coverage is limited. Most U.S. phones don't work overseas. Reception can fail inside buildings and cell phone use is prohibited on commercial airplanes in-flight (the airlines are planning to offer Internet access in the near future). And what happens if I choose to TEMPEST shield my facility? 4. The cell phone network can get clogged in times of high stress, e.g. a snow storm at rush hour, a natural disaster or a terrorist incident. Presumably some people who use two factor authentication have important work to do. Do you want them to be locked out of their computers at such critical times? 5. Cell phones are vulnerable to denial of service attacks. A simple RF jammer could prevent an individual or an entire building from accessing their computers. 6. People are generally cavalier about their cell phones. They wear them on belt pouches, leave them in cars and gym lockers, let strangers borrow them. I left mine in a coat pocket that I checked at a restaurant and ended up with a $40 long distance bill. Habits like that are hard to change. On the other hand, a token that goes on a key chain or is worn as jewelry taps into more security conscious cultural behavior. Human factors are usually the weak link in security, so such considerations are important. 7. It's a tax on logins. SMS messages aren't free. 8. If I lose my token, I can use my cell phone to report it promptly. If I lose my cell phone... 9. Improved technology should make authentication tokens even more attractive. For one thing they can be made very small and waterproof. Connection modes like USB and Bluetooth can eliminate the need to type in a code, or allow the PIN to be entered directly into the token (my preference). 10. There is room for more innovative tokens. Imagine a finger ring that detects body heat and pulse and knows if it has removed. It could then refuse to work, emit a distress code when next used or simply require an additional authentication step to be reactivated. Even implants are feasible. Arnold Reinhold At 8:56 AM -0700 10/9/02, Ed Gerck wrote: Tamper-resistant hardware is out, second channel with remote source is in. Trust can be induced this way too, and better. There is no need for PRNG in plain view, no seed value known. Delay time of 60 seconds (or more) is fine because each one-time code applies only to one page served. Please take a look at: http://www.rsasecurity.com/products/mobile/datasheets/SIDMOB_DS_0802.pdf and http://nma.com/zsentry/ Microsoft's move is good, RSA gets a good ride too, and the door may open for a standards-based two-channel authentication method. Cheers, Ed Gerck Roy M.Silvernail wrote: On Tuesday 08 October 2002 10:11 pm, it was said: Microsoft marries RSA Security to Windows http://www.theregister.co.uk/content/55/27499.html [...] The first initiatives will centre on Microsoft's licensing of RSA SecurID two-factor authentication software and RSA Security's development of an RSA SecurID Software Token for Pocket PC. And here, I thought that a portion of the security embodied in a SecurID token was the fact that it was a tamper-resistant, independent piece of hardware. Now M$ wants to put the PRNG out in plain view, along with its seed value. This cherry is just begging to be picked by some blackhat, probably exploiting a hole in Pocket Outlook. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Microsoft marries RSA Security to Windows
eliminate the need to type in a code, or allow the PIN to be entered directly into the token (my preference). It's costly, makes you carry an additional thing and -- most important of all -- needs that pesky interface at the other end. 10. There is room for more innovative tokens. Imagine a finger ring that detects body heat and pulse and knows if it has removed. It could then refuse to work, emit a distress code when next used or simply require an additional authentication step to be reactivated. Even implants are feasible. There is always room for evolution, and that's why we shan't run out of work ;-) However, not everyone wants to have an implant or carry a ring on their finger -- which can be scanned and the subject targeted for a more serious threat. My general remark on biometrics applies here -- when you are the key (eg, your live fingerprint), key compromise has the potential to be much serious and harmful to you. BTW, what is the main benefit of two-channel (as opposed to just two-factor) authentication? The main benefit is that security can be assured even if the user's credentials are compromised -- for example, by writing their passwords on stick-it notes on their screen, or under their keyboards, or by using weak passwords, or even having their passwords silently sniffed by malicious sofware/hardware, problems that are very thorny today and really have no solution but to add another, independent, communication channel. Trust on authentication effectiveness depends on using more than one channel, which is a general characteristic of trust ( http://nma.com/papers/it-trust-part1.pdf ) Cheers, Ed Gerck Arnold Reinhold At 8:56 AM -0700 10/9/02, Ed Gerck wrote: Tamper-resistant hardware is out, second channel with remote source is in. Trust can be induced this way too, and better. There is no need for PRNG in plain view, no seed value known. Delay time of 60 seconds (or more) is fine because each one-time code applies only to one page served. Please take a look at: http://www.rsasecurity.com/products/mobile/datasheets/SIDMOB_DS_0802.pdf and http://nma.com/zsentry/ Microsoft's move is good, RSA gets a good ride too, and the door may open for a standards-based two-channel authentication method. Cheers, Ed Gerck Roy M.Silvernail wrote: On Tuesday 08 October 2002 10:11 pm, it was said: Microsoft marries RSA Security to Windows http://www.theregister.co.uk/content/55/27499.html [...] The first initiatives will centre on Microsoft's licensing of RSA SecurID two-factor authentication software and RSA Security's development of an RSA SecurID Software Token for Pocket PC. And here, I thought that a portion of the security embodied in a SecurID token was the fact that it was a tamper-resistant, independent piece of hardware. Now M$ wants to put the PRNG out in plain view, along with its seed value. This cherry is just begging to be picked by some blackhat, probably exploiting a hole in Pocket Outlook. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Microsoft marries RSA Security to Windows
On Wed, 9 Oct 2002, Joseph Ashwood wrote: Unfortunately, SecurID hasn't been that way for a while. RSA has offered executables for various operating systems for some time now. I agree it destroys what there was of the security, and reduces it to basically the level of username/password, albeit at a more expensive price. But I'm sure it was a move to improve their bottom line. Good grief. This is an old, old story by now, and it's starting to really piss me off. It seems like every last attempt to implement security of any kind in a commercial product gets compromised for the sake of convenience/marketability, etc. A system that is *actually* secure is inconvenient, or requires mental effort to manage keys, or offline key storage, or won't interact transparently with known insecure programs, or some other basic fundamental constraint they're not willing to live with -- so they take a component (RSA in this case) that could have been used to build a secure system, use its presence as a point to *claim* that that's what they're building, and build something else. It's irresponsible. It makes *actual* security into a rare, specialized, and arcane field. It creates expectations that you can do insecure things with secure software. It gives users a *FALSE* sense of security and deters them from getting products that are actually secure. It uses fraudulent (or, to be very charitable, perhaps mistaken) claims of security to compete unfairly with actual secure software which, of course, has constraints on its operation. I think somebody needs to start assigning security grades based on the theory that it's the weakest link (PRNG with state value out in the open) rather than the strongest (we use whizbang patented strong encryption algorithm!) that determines security. It's basically a matter of consumer protection, and it's really something that security and crypto people need to do within the industry. It has to be within the industry, because this is stuff that is well outside a layman's ability to judge. Bear - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Microsoft marries RSA Security to Windows
At 8:40 AM -0700 10/11/02, Ed Gerck wrote: Arnold G. Reinhold wrote: I can see a number of problems with using mobile phones as a second channel for authentication: Great questions. Without aspiring to exhaust the answers, let me comment. 1. It begs the question of tamper resistant hardware. Unless the phone contains a tamper resistant serial number or key, it is relatively easy to clone. And cell phones are merging with PDAs. If you have secure storage, why not implement a local solution on the PDA side? Cloning the cell phone has no effect unless you also have the credentials to initiate the transaction. The cell phone cannot initiate the authentication event. Of course, if you put a gun to the user's head you can get it all but that is not the threat model. If we're looking at high security applications, an analysis of a two-factor system has to assume that one factor is compromised (as you point out at the end of your response). I concede that there are large classes of low security applications where using a cell phone may be good enough, particularly where the user may not be cooperative. This includes situations where users have an economic incentive to share their login/password, e.g. subscriptions, and in privacy applications (Our logs show you accessed Mr. Celebrity's medical records, yet he was never your patient. Someone must have guessed my password. How did they get your cell phone too?) Here the issue is preventing the user from cloning his account or denying its unauthorized use, not authentication. A local solution on the PDA side is possible too, and may be helpful where the mobile service may not work. However, it has less potential for wide use. Today, 95% of all cell phones used in the US are SMS enabled. What percentage are enabled for downloadable games? A security program would be simpler than most games. It might be feasible to upload a new game periodically for added security. 2. Even if the phone is tamperproof, SMS messages can be intercepted. I can imagine a man-in-the-middle attack where the attacker cuts the user off after getting the SMS message, before the user has a chance to enter their code. Has no effect if the system is well-designed. It's possible to make it mandatory (under strong crypto assurances) to enter the one-time code using the *same* browser page provided in response to the authentication request -- which page is supplied under server-authenticated SSL (no MITM). You may be right here, though assuming SSL lets one solve a lot of security problems associated with traditional password login. 3. Cell phones don't work everywhere. Geographic coverage is limited. Most U.S. phones don't work overseas. Reception can fail inside buildings and cell phone use is prohibited on commercial airplanes in-flight (the airlines are planning to offer Internet access in the near future). And what happens if I choose to TEMPEST shield my facility? No solution works everywhere. Cell phones are no exception. But it is possible to design the system in a such a way that the user can use a different access class (with less privileges, for example) if the cell phone does not work. After all, the user is authenticated before the message is sent to the cell phone. That said, cell phone coverage is becoming ubiquitous and the solution also works with pagers (while they still exist), email accounts (blackberrys) and other means of communication -- including voice. Security tokens work everywhere I can think of. I'm not sure the cell companies are spending much to push into rural areas given the current economy. Might be a new market for Iridium, but that doesn't work well inside buildings. 4. The cell phone network can get clogged in times of high stress, e.g. a snow storm at rush hour, a natural disaster or a terrorist incident. Presumably some people who use two factor authentication have important work to do. Do you want them to be locked out of their computers at such critical times? Let's be careful with generalizations. During the tragic events of 9/11, cell phones emerged as the solution for communication under a distributed terrorist attack. The WTC collapse took out a major portion of lower Manhattan's landline capacity. Cell phones were better than nothing, but many people experienced difficulty placing calls. It is simply too expensive to design a switched system to handle all the calls people want to make in a major crisis. Military systems include priority tags to deal with this. This does raise an interesting possibility: giving SMS messages priority over voice could be very useful in an emergency. SMS messages take much less bandwidth than voice and the entry mechanism on most cell phones is very slow. So existing cell infrastructure might be able to handle all the SMS traffic generated a crisis. Anyone know if cell phone companies are doing this? Second, as I hint somewhere above, the
Re: Microsoft marries RSA Security to Windows
[I'm reducing the reply level to 2, for context please see former msg] Arnold G. Reinhold wrote: At 8:40 AM -0700 10/11/02, Ed Gerck wrote: Cloning the cell phone has no effect unless you also have the credentials to initiate the transaction. The cell phone cannot initiate the authentication event. Of course, if you put a gun to the user's head you can get it all but that is not the threat model. If we're looking at high security applications, an analysis of a two-factor system has to assume that one factor is compromised (as you point out at the end of your response). I concede that there are large classes of low security applications where using a cell phone may be good enough, particularly where the user may not be cooperative. This includes situations where users have an economic incentive to share their login/password, e.g. subscriptions, and in privacy applications (Our logs show you accessed Mr. Celebrity's medical records, yet he was never your patient. Someone must have guessed my password. How did they get your cell phone too?) I like the medical record dialogue. But please note that what you wrote is much stronger than asking How did they get your hardware token too? because you could justifiably go for days without noticing that the hardware token is missing but you (especially if you are an MD) would almost immediately notice that your cell phone is missing. Traffic logs and call parties for received and dialed calls could also be used to prove that you indeed used your cell phone both before and after the improper access. Also, if you lose your cell phone you are in a lot more trouble. The point made here is that the aggregate value associated with the cell phone used for receiving a SMS one-time code is always higher than that associated with the hardware token (it is token +), hence its usefulness in the security scheme. Denying possession of the cell phone would be harder to do -- and easier to disprove -- than denying possession of the hardware token. Here the issue is preventing the user from cloning his account or denying its unauthorized use, not authentication. The main objective of two-channel, two-factor authentication (as we are discussing) is to prevent unauthorized access EVEN if the user's credentials are compromised. This includes what you mentioned, in addition to assuring authentication (i.e., preventing the user from cloning his account; allowing enterprises to deny the unauthorized use of user's accounts). Now, why should the second channel be provided ONLY by a hardware token? There is no such need, or security benefit. The second channel can be provided by a hardware token, by an SMS- enabled cell phone, by a pager or by ANY other means that creates a second communication channel that is at least partially independent from the first one. There is no requirement for the channels to be 100% independent. Even though 100% independency is clearly desirable and can be provided in some systems, it is hard to accomplish for a number of reasons (indexing being one of them). In RSA SecurID, for example, the user's PIN (which is a shared secret) is used both in the first channel (authenticating the user) as well as in the second channel (authenticating the passcode). Note also that in SecurID systems without a PIN pad, the PIN is simply prefixed in plain text to the random code and both are sent in the passcode. The second channel could even be provided, for example, by an HTTPS (no MITM) response in the same browser session (where the purported user entered the correct credentials) if the response can be processed by an independent means that is inacessible to others except the authorized user (for example, a code book, an SMS query-response, a crypto calculator, etc.) and the result fed back into the browser (i.e., as a challenge response). A local solution on the PDA side is possible too, and may be helpful where the mobile service may not work. However, it has less potential for wide use. Today, 95% of all cell phones used in the US are SMS enabled. What percentage are enabled for downloadable games? A security program would be simpler than most games. It might be feasible to upload a new game periodically for added security. There is nothing dowloaded on the cell phone. Mobile RSA SecurID and NMA ZSentryID are zero foot print applications. BTW, requiring the download of a game or code opens another can of worms -- whether the code is trusted by both sender and receiver (being trusted by just one of them is not enough). 2. Even if the phone is tamperproof, SMS messages can be intercepted. I can imagine a man-in-the-middle attack where the attacker cuts the user off after getting the SMS message, before the user has a chance to enter their code. Has no effect if the system is well-designed. It's possible to make it mandatory (under strong crypto assurances) to enter the one-time code using the *same* browser page
Re: Microsoft marries RSA Security to Windows
- Original Message - From: Roy M.Silvernail [EMAIL PROTECTED] And here, I thought that a portion of the security embodied in a SecurID token was the fact that it was a tamper-resistant, independent piece of hardware. Now M$ wants to put the PRNG out in plain view, along with its seed value. This cherry is just begging to be picked by some blackhat, probably exploiting a hole in Pocket Outlook. Unfortunately, SecurID hasn't been that way for a while. RSA has offered executables for various operating systems for some time now. I agree it destroys what there was of the security, and reduces it to basically the level of username/password, albeit at a more expensive price. But I'm sure it was a move to improve their bottom line. Joe - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Microsoft marries RSA Security to Windows
Tamper-resistant hardware is out, second channel with remote source is in. Trust can be induced this way too, and better. There is no need for PRNG in plain view, no seed value known. Delay time of 60 seconds (or more) is fine because each one-time code applies only to one page served. Please take a look at: http://www.rsasecurity.com/products/mobile/datasheets/SIDMOB_DS_0802.pdf and http://nma.com/zsentry/ Thanks for the pointers. I've also received some off-list mail encouraging me not to dismiss this so quickly. Time to study up a bit. (and this, folks, is why I love the net) -- Roy M. Silvernail [ ] [EMAIL PROTECTED] DNRC Minister Plenipotentiary of All Things Confusing, Software Division PGP fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from [EMAIL PROTECTED] I charge to process unsolicited commercial email - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Microsoft marries RSA Security to Windows
Roy M.Silvernail [EMAIL PROTECTED] writes: The first initiatives will centre on Microsoft's licensing of RSA SecurID two-factor authentication software and RSA Security's development of an RSA SecurID Software Token for Pocket PC. And here, I thought that a portion of the security embodied in a SecurID token was the fact that it was a tamper-resistant, independent piece of hardware. SecurityDynamics/RSA Security have sold SecurID for Palms for several years. Some previous discussion can be found in the mailing list archives around the release date in spring of 1999. They also sell software implementations of SecurID for Windows. Now M$ wants to put the PRNG out in plain view It's already out here--the algorithm for the SecurID hash function was published on Bugtraq by a third party (allegedly Russian) in late 2000. along with its seed value. They did make some attempt to make the seed difficult to recover on the Palm. No doubt it could be reverse engineered with some effort, and software SecurID on networked devices does change the threat model. -dan - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Microsoft marries RSA Security to Windows
Tamper-resistant hardware is out, second channel with remote source is in. Trust can be induced this way too, and better. There is no need for PRNG in plain view, no seed value known. Delay time of 60 seconds (or more) is fine because each one-time code applies only to one page served. Please take a look at: http://www.rsasecurity.com/products/mobile/datasheets/SIDMOB_DS_0802.pdf and http://nma.com/zsentry/ Microsoft's move is good, RSA gets a good ride too, and the door may open for a standards-based two-channel authentication method. Cheers, Ed Gerck Roy M.Silvernail wrote: On Tuesday 08 October 2002 10:11 pm, it was said: Microsoft marries RSA Security to Windows http://www.theregister.co.uk/content/55/27499.html [...] The first initiatives will centre on Microsoft's licensing of RSA SecurID two-factor authentication software and RSA Security's development of an RSA SecurID Software Token for Pocket PC. And here, I thought that a portion of the security embodied in a SecurID token was the fact that it was a tamper-resistant, independent piece of hardware. Now M$ wants to put the PRNG out in plain view, along with its seed value. This cherry is just begging to be picked by some blackhat, probably exploiting a hole in Pocket Outlook. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Microsoft marries RSA Security to Windows
On Tuesday 08 October 2002 10:11 pm, it was said: Microsoft marries RSA Security to Windows http://www.theregister.co.uk/content/55/27499.html [...] The first initiatives will centre on Microsoft's licensing of RSA SecurID two-factor authentication software and RSA Security's development of an RSA SecurID Software Token for Pocket PC. And here, I thought that a portion of the security embodied in a SecurID token was the fact that it was a tamper-resistant, independent piece of hardware. Now M$ wants to put the PRNG out in plain view, along with its seed value. This cherry is just begging to be picked by some blackhat, probably exploiting a hole in Pocket Outlook. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Microsoft marries RSA Security to Windows
--- begin forwarded text Status: RO From: Elyn Wollensky [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: William Knowles [EMAIL PROTECTED] Subject: Microsoft marries RSA Security to Windows Date: Tue, 8 Oct 2002 17:44:57 -0400 Sender: [EMAIL PROTECTED] Microsoft marries RSA Security to Windows http://www.theregister.co.uk/content/55/27499.html Microsoft has signed a wide-ranging deal to incorporate RSA encryption technology into its applications and services. The agreement, announced today (without financial details, is pitched as a key component in Microsoft's Trustworthy computing push. The first initiatives will centre on Microsoft's licensing of RSA SecurID two-factor authentication software and RSA Security's development of an RSA SecurID Software Token for Pocket PC. This will allow Windows Pocket PC-powered devices to function as RSA SecurID authenticators, so eliminating the need for users to carry separate hardware tokens. Used in conjunction with RSA ACE/Server authentication management software, RSA SecurID authenticators positively identify users and prevent unauthorised access to networks and systems. The technology is typically, and widely, used for remote access log-ins to corporate mail servers and secure sites. RSA Security has given Microsoft a license for the RSA ACE/Agent component of its two-factor authentication software, allowing Microsoft the option of directly integrating the RSA SecurID agent into Microsoft applications. The next enhancement of Microsoft's Internet Security and Acceleration (ISA) Server 2000 will be the first to feature this capability. ISA Server, Microsoft's first security product, is positioned against enterprise software firewalls. Security professionals expressed sceptism about the produt but then again many careers are based on fixing security holes which Microsoft overlooked. Passport stamped Last, and perhaps most ambitiously, RSA today announced a strategic relationship with software developer iRevolution to provide two-factor authentication to Microsoft Passport. The two firms are developing technology designed to allow Passport users to sign-on using RSA Mobile software to provide stronger and more secure authentication. RSA Mobile software uses mobile phones and the SMS (short messaging service) infrastructure to quickly deliver one-time access codes to end users for secure entry into Passport enabled sites. This is a real head spinner and we'll only scratch the surface on at this pass. First, Passport was never designed with two factor authentication in mind, so will Microsoft have to revisit the whole concept? Second, and easier to address, aren't SecureID access codes supposed to change every 30 seconds - less than the time it might take to receive an SMS message and then type in the relevant code? The mind boggles. In any case, the relationship with Microsoft is a real fillip for RSA Security, which in recent years has struggled to build sales in the becalmed Public Key Infrastructure market. Now it's a Web access management company, clearly tied into Microsoft's .Net vision - even to the extent of signing up wholeheartedly to Passport, its flakiest component. The announcements came during RSA Security's conference in Paris this week. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]