Security Basics mailing list archives
Re: TPM against XSS and Phishing
From: "Ali, Saqib" <docbook.xml () gmail com>
Date: Wed, 14 May 2008 09:07:33 -0700
Charis,

Here is some background on phishing:

Lack of client-machine authentication (mutual authentication) is the root cause of the phishing problem. BofA uses Passmark (see http://www.bankofamerica.com/privacy/passmark/). Passmark technology tries to solve the machine authentication problem using encrypted cookies. Cookies are good, but I would personally wait till Passmark and similar technologies utilize TPM (Trusted Platform Module) to perform a mutual authentication.

A TPM does NOT replace a USB cryptographic key device / token. They complement each other. A USB token/smart card authenticates the user whereas a TPM authenticates a machine.

Mutual authentication requires stored secrets on both systems. Stored secrets and the applications that use them are a vulnerability. Why??? By definition stored secrets must be stored in persistent storage. Traditionally the options for storing these secrets were:

1) In applications. But applications may be reverse-engineered to reveal the secret.
2) In file systems / databases. Needs another key to encrypt these databases. Now where do you store the new key that encrypts the database that holds the 1st key? This is where the tokens and USB cryptographic devices helped.
3) Obfuscating. This has proven to be insecure.

A software-only solution cannot address the above issues. Need hardware. Thus the need for TPM, which stores the keys in a tamper-proof hardware chip. TPM provides a cryptographic engine. The keys don't have to leave the TPM. Only the authorized applications can get the data decrypted using TPM.

Now to answer your question: Yes, TPM can help in reducing the phishing problem. But by itself secure boot (using TPM) on Vista will not fix this problem. You need an application that supports TPM bound and wrapped secrets for mutual (both client and server) authentication.

If you are trying to build a web based application and you want to use TPM for mutual authentication, I can help in the architecture.
saqib http://doctrina.wordpress.com/
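Added example, not part of the post above: a nonce-based mutual challenge-response in which each side proves it holds the machine secret without sending it, and a server that lacks the secret (the phishing case) fails the client's check. The `SealedKey` class is a hypothetical stand-in for a TPM-held key that only exposes a MAC operation; the key material, nonces and labels are constructed for the example.

```python
import hmac
import hashlib
import secrets


class SealedKey:
    """Constructed stand-in for a TPM-bound secret: callers can only ask for a
    MAC, never read the key, mirroring 'the keys don't have to leave the TPM'."""

    def __init__(self, key: bytes):
        self._key = key

    def mac(self, label: bytes, data: bytes) -> bytes:
        # Label gives domain separation so a client proof can never be
        # replayed back to the client as a server proof.
        return hmac.new(self._key, label + b"|" + data, hashlib.sha256).digest()


def client_proof(key: SealedKey, server_nonce: bytes, client_nonce: bytes) -> bytes:
    # Client -> server: proves possession of the secret, bound to both nonces.
    return key.mac(b"client", server_nonce + client_nonce)


def server_proof(key: SealedKey, server_nonce: bytes, client_nonce: bytes) -> bytes:
    # Server -> client: the second half of mutual authentication.
    return key.mac(b"server", client_nonce + server_nonce)


def mutual_auth(client_key: SealedKey, server_key: SealedKey):
    """Run one exchange; return (server_accepted_client, client_accepted_server)."""
    server_nonce = secrets.token_bytes(16)  # server -> client: fresh challenge
    client_nonce = secrets.token_bytes(16)  # client -> server: fresh nonce + proof
    proof_c = client_proof(client_key, server_nonce, client_nonce)
    server_accepts = hmac.compare_digest(
        proof_c, client_proof(server_key, server_nonce, client_nonce))
    # An honest server would stop here on failure; a phishing site has no
    # copy of the secret, so whatever it answers fails the client's check.
    proof_s = server_proof(server_key, server_nonce, client_nonce)
    client_accepts = hmac.compare_digest(
        proof_s, server_proof(client_key, server_nonce, client_nonce))
    return server_accepts, client_accepts


def demo():
    shared = secrets.token_bytes(32)             # constructed machine secret
    genuine = mutual_auth(SealedKey(shared), SealedKey(shared))
    phish = mutual_auth(SealedKey(shared), SealedKey(secrets.token_bytes(32)))
    return genuine, phish  # returns ((True, True), (False, False))
```

Because each proof is bound to fresh nonces from both sides, a captured proof cannot be replayed in a later session.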
