Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... last request
From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Wed, 1 Nov 2000 21:59:36 -0600

Hash: SHA1

-----Original Message-----
From: Jim Miller [mailto:MillerJ () FABSSB COM]
Sent: Wednesday, November 01, 2000 9:10 AM

The client side security is less than adequate, and the bank
intends to protect itself using legal stipulations in signed
client contracts.  But this obvious step will be pointless if
the system we deploy to the customer is easily hacked.  For
the customer, physical security is a recommended control, and
necessary to prevent the obvious hack, theft of the hardware.

But if the certificate itself is easily removed from the
client and can be transported and installed on another PC,
the client is even more easily hacked.  It would not do the
bank any good to deploy the system to any customer if the
certificate is readily accessible by any employee with a fair
technical knowledge.

This begs [the last and final] question:  can the certificate
be exported to another PC without re-issuance by the bank?
Where does the certificate reside on the client?  How easily
is it hacked, copied, transported, and / or re-installed?


you might want to check with other banks and see how they are
tackling this. I know of a few who actually use tokens (Vasco's
tokens being their favorite). With under $50 per token it is
affordable. Certificates are just not easy to control. You give the
client a certificate, have him install it and sign a legal agreement
taking full responsibility. Months later that same client will sell
his old computer to a friend, having forgotten the long-time-ago
installed certificate.

A token is different. A token is physically present, just like an ATM
card. The client won't loose it without noticing (even if he does,
the token is protected by a PIN), the client won't make inadvertent
copies of it (You know, the backup of the public/private certificate
keypair on ZIP drive/CD-Rom/Tape that every forgets about), the
client won't need to reinstall it when his OS crashes and he has to
reinstall, etc. The main advantage is that it is something the client
will hold in his hand while logging on to his account. From a
psychological point of view, it reminds the client about security.

Use the token to have the client authenticate his session, then rely
on SSL and secure session cookies for the rest of the session. Oh,
and when the client forgets his PIN and/or locks-out the token, your
helpdesk can re-enable it remotely (of course after identifying the
client in an appropriate manner). Much easier than revoking the
certificate and issuing a new one.

Let me know if you like more info about the token thing. Seems to
work out great for several large banks.


Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]