[Tfug] Authentication procedures

Bexley Hall bexley401 at yahoo.com
Fri Mar 20 17:39:24 MST 2009


Hi, James,

--- On Fri, 3/20/09, James Hood <ebenblues at gmail.com> wrote:

> > But, if this becomes "standardized", then virii can just be written
> > to sit and watch for the next "authentication cycle" and snarf
> > your credentials, etc.  I.e., people would be just as bad at
> > guarding that "secret" (credential) as they are about their
> > "passwords".
> 
> I'm talking about key-based authentication via public/private key
> pairs. The key that's shared is the public key. The private key never
> leaves the local client. If you're talking about viruses on
> the client PC that read your private key off of the flash drive, then
> that is an exposure.

Exactly!  You can't let the key leave any device that can
be compromised.  I.e., it has to stay *on* the "flash drive"
accessed by an "agent" that talks the authentication protocol
so *only* that agent (which is part of the "flash drive"
and not just a piece of software that is executed by the
"client" -- who could "peek" during the process) sees the
private key.

E.g., if the existing "secret password" protocol was implemented
*in* the flash drive, the problem goes away just as easily.

BTW, aren't these called "smart cards"?  ;-)

> But there should be ways to mitigate that, such as putting
> more logic in the key itself (it doesn't have to be just a plain flash
> drive) such that the private key is never shared with the client system.

There are devices that work like this.  The problem is they
are *tangible* and thus cost more to produce than a simple
"password".  Likewise, they aren't standardized.

E.g., a friend who works for a big bank carries a small
assortment of "authentication devices" with him when he
travels in case he has to log in to his system while
traveling.  At least one of them is a cryptographic,
*time-based* password generator in a sealed case -- just
read the time & password off the displays and "carry
that" to the keyboard via your fingertips.

> > I don't see that as any more secure.  That's like keeping
> > your car key in a standardized place in/on the car and
> > hoping only "authorized valets" actually go and use it...
> 
> If you make it so the private key never leaves the flash drive (not
> even to the client PC), which never leaves your keychain, then it is
> more secure.
> 
> > I think the problem is that people can understand what's at risk when
> > they "give out" the key to their house.  They can form a mental
> > image of all the things inside the house that they are making
> > vulnerable by doing so.
> >
> > But, they can't put a value on what the password is protecting.
> 
> Agreed. But I argue that attaching a software key to their physical
> key chain will cause the person to guard their software key the same
> way they would guard their physical keys, which is better than how
> people currently guard passwords.

Dunno.  People have to carry driver's licenses yet they don't
always respect what *they* represent.

As I said, I think people just don't "grok" the importance of
the "asset" that the secret is safeguarding.  Note how many
people think software is "valueless" -- there is nothing wrong
with unauthorized copying, etc.  It's too ethereal (as is the
idea of privacy of personal records, etc.).

<shrug>

Today, I don't worry about the piss-poor mechanisms that are
in place -- I can just opt out of those "systems" or adapt their
security schemes to my expectations.  My real concern is that
people *never* grasp the significance of these issues and,
when the time comes where I can no longer "opt out", *I* will
end up saddled with the same crappy protections that others
have accepted.  :<
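
[Added example, not part of the original post or of any product mentioned in it: a sketch of the "agent on the device" idea from this thread, showing what a compromised client PC gets to see and replay. Assumptions: HMAC-SHA256 with a key shared with the server stands in for the public/private-key signature discussed above (Python's standard library has no signature scheme), and the Token and Server classes, the password and the key are constructed for illustration.]

```python
import hashlib
import hmac
import secrets


class Token:
    """Stand-in for the smart card: the key is used inside, never returned."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, key: bytes, password: str):
        self._key, self._password, self._pending = key, password, None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh nonce per login
        return self._pending

    def check_response(self, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # nonce is single-use
        if challenge is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._password.encode(), password.encode())


def demo() -> dict:
    key = secrets.token_bytes(32)                       # constructed sample key
    server, token = Server(key, "hunter2"), Token(key)  # constructed password
    seen = {"password": "hunter2"}  # typed on the host, so the host sees it
    first_pw = server.check_password("hunter2")
    seen["challenge"] = server.new_challenge()
    seen["response"] = token.respond(seen["challenge"])
    first_token = server.check_response(seen["response"])
    # Later: a login attempt using only what the host observed.
    server.new_challenge()
    return {
        "first_pw": first_pw,
        "first_token": first_token,
        "replay_pw": server.check_password(seen["password"]),
        "replay_token": server.check_response(seen["response"]),
    }


if __name__ == "__main__":
    print(demo())
```

[The observed password works again on replay; the observed token response does not, because it was bound to a nonce the server has already consumed.]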


      



