Security

  • Device Authentication - The answer to attacks launched using stolen passwords?


    A recent "self-serving" report by Phoenix Technologies indicated that
    84 percent of attacks could have been prevented only if Device Authentication
    was used in addition to user authentication.
    - Evidence Abound:
    Losses from stolen IDs and passwords far exceeded damages from
    worms, viruses, and other attack methods not utilizing logon accounts.
    Vast majority of attackers, 78 percent, committed crimes from their
    home computers; most often using unsanctioned computers with no
    relationship to the penetrated organization.
    88 percent of those crimes were committed from a home PC using
    stolen IDs and passwords and following normal logon procedures.
    - Link to full report:
    - Their solution?
    Use Trusted Platform Module to authenticate devices.
    - Problem?
    TPM can also be used to force DRM. (EFF and ACLU members don't like DRM,
    to say the least)
    - Alternatives?
    1) Be a sitting duck. Passwords WILL be stolen and USED to cause financial damage;
    2) Use software based device authentication, e.g. Passmark as used by
    Bank of America
    3) Create a world-wide PKI, issue SSL certificates to machines as well
    as users, and then perform client side authentication from the server.
    4) Use IP addresses to perform machine authentication. <grin>
    - Read more at:
    Any thoughts?
  • No.1

    By "mutual" authentication, I mean that the user is authenticated *to*
    the server (the implication is strongly authenticated) and that the host
    is also strongly authenticated to the user to prevent a
    man-in-the-middle attack.

    If you have the host and user strongly authenticated, do you need the
    client device to be authenticated?

    nick

    Saqib Ali wrote:
    > [...]
    >
    > On 9/6/06, Nick <nickowen (AT) mindspring (DOT) com> wrote:
    > > [...]
  • No.2

    when you say mutual authentication, do you mean mutual auth between

    1) server and the client device; or
    2) server and the user

    #2 is already in place, e.g. when you connect to an SSL enabled bank
    website using an OTP. However you DO depend on the user to correctly
    authenticate the SSL cert offered by the webserver.

    It is #1 that is missing.

    On 9/6/06, Nick <nickowen (AT) mindspring (DOT) com> wrote:
    > [...]
  • No.3

    Saqib Ali wrote:
    > [...]

    I don't accept the assumption that device authentication is the way to
    go. I find it more useful to look at what you are trying to
    authenticate. Is it a user for a session? Is it a host for mutual
    authentication? Is it a transaction? I would bet that doing
    cryptographically secure mutual authentication would eliminate most of
    the *current* phishing attacks, thus it might be more important to
    authenticate the host, not the user's device. Of course, that won't last
    forever.

    Nick
  • No.4

    Saqib Ali wrote:
    > If you have the host and user strongly authenticated, do you need the
    > client device to be authenticated?
    >
    > What is a good { host <-> user } authentication scheme that can be
    > used on an "un-trusted" client device?

    I believe that for most financial services activity, it wouldn't
    matter - typical risk management techniques should get fraud down to a
    very manageable level. For risky transactions, some form of transaction
    authentication is more realistic (and less problematic for many as you
    mention) than a trusted platform. It might actually be better to use
    passwords for the session authentication and an OTP for the transaction.

  • No.5

    > If you have the host and user strongly authenticated, do you need the
    > client device to be authenticated?
    >
    > nick

    What is a good { host <-> user } authentication scheme that can be
    used on an "un-trusted" client device?

  • No.6

    > mention) than a trusted platform. It might actually be better to use
    > passwords for the session authentication and an OTP for the transaction.

    but weren't there attacks on OTP recently:

    I think client device authentication would have prevented these attacks.
  • No.7

    Saqib Ali wrote:
    > > mention) than a trusted platform. It might actually be better to use
    > > passwords for the session authentication and an OTP for the transaction.
    >
    > but weren't there attacks on OTP recently:
    >
    > I think client device authentication would have prevented these attacks.

    Perhaps - I assume you mean with a trusted platform, not easily spoofed
    cookies and IP addresses etc. But, they are MITM attacks, so host
    authentication would *definitely* have stopped the attacks.

    It is much easier to do host authentication than to do secure device
    authentication. There are a number of ways to do host authentication
    available today. We validate the SSL certificate of the site before
    delivering the OTP, for example. There are a limited number of trusted
    platforms available today and it will take forever to replace all the
    PCs out there, so it makes sense to me to do host authentication.

    nick
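The two ideas argued in this thread, host authentication before the OTP is released and an OTP bound to the transaction rather than the session, sketched as an added example; this is not WiKID's protocol nor code from any poster, and the shared secret, certificate bytes and account ids are constructed for the demo:

```python
import hashlib
import hmac
import struct

# Constructed enrollment state for this example (not real WiKID data): the
# token shares a secret with the bank server and pins the bank's certificate.
SHARED_SECRET = b"constructed-shared-secret"
BANK_CERT_DER = b"constructed DER bytes of bank.example certificate"
PINNED_FPR = hashlib.sha256(BANK_CERT_DER).digest()


def transaction_otp(secret: bytes, counter: int, amount_cents: int, dest: str) -> str:
    """6-digit OTP derived from the transaction itself, so it is useless for
    any other amount/destination (transaction authentication)."""
    msg = struct.pack(">QQ", counter, amount_cents) + dest.encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def token_release_otp(presented_cert_der: bytes, counter: int,
                      amount_cents: int, dest: str):
    """Host authentication: release an OTP only if the site's certificate
    matches the pinned fingerprint; a phishing proxy gets nothing."""
    fpr = hashlib.sha256(presented_cert_der).digest()
    if not hmac.compare_digest(fpr, PINNED_FPR):
        return None
    return transaction_otp(SHARED_SECRET, counter, amount_cents, dest)


def server_verify(otp: str, counter: int, amount_cents: int, dest: str) -> bool:
    """The bank recomputes the OTP over the transaction it actually received."""
    expected = transaction_otp(SHARED_SECRET, counter, amount_cents, dest)
    return hmac.compare_digest(otp, expected)


def scenarios() -> dict:
    counter = 42
    # 1. User talks to the real bank: OTP released and accepted.
    otp = token_release_otp(BANK_CERT_DER, counter, 15_000, "ACCT-USER-1")
    legit = otp is not None and server_verify(otp, counter, 15_000, "ACCT-USER-1")
    # 2. MITM phishing site presents its own certificate: the token refuses.
    phish = token_release_otp(b"constructed attacker certificate", counter,
                              15_000, "ACCT-USER-1")
    # 3. OTP was issued for the user's transaction, but the relayed
    #    transaction was altered in transit: the bank's recomputation fails.
    tampered = server_verify(otp, counter, 15_000, "ACCT-MULE-9")
    return {"legit": legit, "phish": phish, "tampered": tampered}


if __name__ == "__main__":
    print(scenarios())
```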
