
RE: SecurID(r) tokens and multi-step authentication exchanges

Yaron Sheffer writes:
> in my opinion your proposal reduces the security of getcert, in that it now
> relies on ASP scripts, not just TLS and HTTP authentication. I think from a

ASP scripts? I didn't mention anything about ASP scripts. I was
talking about the server sending a web page and processing a normal form
with the normal methods available to it. I myself definitely would not
use ASP for this kind of system.

Anyway, I probably wouldn't trust a normal web-server either for this
kind of service; I would use a minimal web-server instead.

> security point of view, it is better to support the majority of
> authentication methods and "most" of SecureID functionality, than to
> introduce such a major hole.

If sending forms to the web-server is a security hole, then I think
you should use some other web-server. It is used by all the web banking
systems I have seen, and by almost all other web systems that
require authentication too. Nobody is using http-authentication
anymore. I don't even remember when I last saw a real
http-authentication request anywhere.

> Just to clarify: EAP, the authentication method underlying PIC, does support
> multiple rounds, and thus could be used for the SecureID Next PIN mode, etc.

But it needs a much bigger piece of code to be made secure than the
small piece of code that is required to parse and verify the password
sent in the html-form. If you do not trust that people can write a
secure ~50-line program parsing and checking the html-form, how can
you trust them to write a ~5000-line program to run
kivinen@xxxxxx                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
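The post argues that the form-handling side of a password login is a small piece of code. The following is an added example written for this page, not code from the author, from PIC/getcert, or from any product named in the thread: a strict parser for an application/x-www-form-urlencoded POST body followed by a constant-time password check. The field names `username` and `password`, the size limits, and the PBKDF2 parameters are assumptions made for the example; the credential store is constructed inline so the code runs offline.

```python
import hashlib
import hmac
import os
from urllib.parse import unquote_plus

# Assumed limits and field names for the example (not from the original post).
MAX_BODY_BYTES = 1024
MAX_FIELD_BYTES = 256
REQUIRED_FIELDS = ("username", "password")
PBKDF2_ROUNDS = 100_000

# Dummy (salt, hash) used for unknown users so the check takes the same time
# whether or not the username exists.
DUMMY_ENTRY = (os.urandom(16), bytes(32))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(users: dict) -> dict:
    """Build a constructed credential store {username: (salt, pbkdf2_hash)}."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(pw, salt))
    return store


def parse_form_body(body: bytes) -> dict:
    """Strict application/x-www-form-urlencoded parser.

    Rejects oversized bodies, non-ASCII bytes (the encoding requires
    percent-escaping), pairs without '=', unknown or duplicated fields,
    and missing required fields. Raises ValueError on any violation so a
    malformed POST never reaches the password comparison.
    """
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    fields = {}
    for pair in body.split(b"&"):
        if pair == b"":
            continue
        if b"=" not in pair:
            raise ValueError("malformed pair")
        raw_key, raw_val = pair.split(b"=", 1)
        if len(raw_val) > MAX_FIELD_BYTES:
            raise ValueError("field too long")
        key = unquote_plus(raw_key.decode("ascii"))   # UnicodeDecodeError is a ValueError
        if key not in REQUIRED_FIELDS:
            raise ValueError("unexpected field: %s" % key)
        if key in fields:
            raise ValueError("duplicate field: %s" % key)
        fields[key] = unquote_plus(raw_val.decode("ascii"))
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(missing))
    return fields


def verify_login(store: dict, body: bytes) -> bool:
    """Parse the posted form and check the credentials.

    The hash comparison is constant-time, and an unknown user is checked
    against DUMMY_ENTRY so timing does not reveal which usernames exist.
    """
    try:
        fields = parse_form_body(body)
    except ValueError:
        return False
    salt, expected = store.get(fields["username"], DUMMY_ENTRY)
    actual = _hash_password(fields["password"], salt)
    matched = hmac.compare_digest(actual, expected)
    return matched and fields["username"] in store


# Constructed sample store for the example.
USERS = make_user_store({"alice": "correct horse battery staple"})

if __name__ == "__main__":
    print(verify_login(USERS, b"username=alice&password=correct+horse+battery+staple"))
    print(verify_login(USERS, b"username=alice&password=wrong"))
```

The parser is deliberately stricter than a general-purpose form library: it knows exactly which two fields it expects and refuses anything else, which is what keeps the code small enough to review by hand.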