alt.computer.security: User Authentication

#1  11-29-2006, 04:51 PM  Michael P. (Guest)

I'm looking for a best practices paper on online user authentication.
Currently one of our systems allows people to share a user id and
password and to log in with that id at the same time in multiple
locations. I believe that is a poor security practice. Are there any
papers that discuss this situation and why it may or may not be good
practice? I'm creating a paper for the company I work with and would
like documentation to support my findings.

Thank You


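The situation the question describes, one user id live from several locations at once, as an added example that is not part of the thread: a small in-memory session store in Go that applies a one-session-per-user rule under either of the two usual policies (refuse the new login, or let it in and revoke the oldest session) and writes an audit line whenever the same id is used from a second address, which is the evidence of credential sharing a review paper would want. The names SessionStore, RejectNew and RevokeOldest are my own; password verification is assumed to have happened before Login is called.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Policy says what to do when a user id that already has a live session logs in again.
type Policy int

const (
	RejectNew    Policy = iota // refuse the second login
	RevokeOldest               // admit the new login, terminate the oldest session
)

// Session is one authenticated login of a user id from one client address.
type Session struct {
	Token     string
	UserID    string
	ClientIP  string
	CreatedAt time.Time
}

var ErrConcurrentLogin = errors.New("user id already has an active session from another location")

// SessionStore is an in-memory session table with a one-session-per-user rule.
type SessionStore struct {
	policy  Policy
	byToken map[string]*Session
	byUser  map[string][]*Session // oldest first
	Audit   []string              // policy decisions, kept as evidence for the review
}

func NewSessionStore(p Policy) *SessionStore {
	return &SessionStore{
		policy:  p,
		byToken: make(map[string]*Session),
		byUser:  make(map[string][]*Session),
	}
}

// newToken returns 128 bits from the OS CSPRNG as hex.
func newToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Login assumes the caller has already verified the password (hypothetical split);
// it only applies the concurrency policy and records evidence of sharing.
func (s *SessionStore) Login(userID, clientIP string) (string, error) {
	for _, a := range s.byUser[userID] {
		if a.ClientIP != clientIP {
			// Same id alive from two addresses: the pattern the question describes.
			s.Audit = append(s.Audit, fmt.Sprintf(
				"ALERT user=%s active_from=%s new_login_from=%s", userID, a.ClientIP, clientIP))
		}
	}
	if len(s.byUser[userID]) > 0 {
		switch s.policy {
		case RejectNew:
			return "", ErrConcurrentLogin
		case RevokeOldest:
			oldest := s.byUser[userID][0]
			s.Logout(oldest.Token)
			s.Audit = append(s.Audit, fmt.Sprintf("REVOKED user=%s from=%s", userID, oldest.ClientIP))
		}
	}
	tok, err := newToken()
	if err != nil {
		return "", err
	}
	sess := &Session{Token: tok, UserID: userID, ClientIP: clientIP, CreatedAt: time.Now()}
	s.byToken[tok] = sess
	s.byUser[userID] = append(s.byUser[userID], sess)
	return tok, nil
}

// Logout removes a session; it reports false for unknown or already revoked tokens.
func (s *SessionStore) Logout(token string) bool {
	sess, ok := s.byToken[token]
	if !ok {
		return false
	}
	delete(s.byToken, token)
	kept := s.byUser[sess.UserID][:0]
	for _, a := range s.byUser[sess.UserID] {
		if a.Token != token {
			kept = append(kept, a)
		}
	}
	s.byUser[sess.UserID] = kept
	return true
}

// Valid reports whether a presented token still belongs to a live session.
func (s *SessionStore) Valid(token string) bool {
	_, ok := s.byToken[token]
	return ok
}

// ActiveCount is the number of live sessions for a user id.
func (s *SessionStore) ActiveCount(userID string) int {
	return len(s.byUser[userID])
}

func main() {
	s := NewSessionStore(RejectNew)
	t1, _ := s.Login("shared-account", "10.0.0.5")   // constructed sample logins
	_, err := s.Login("shared-account", "192.0.2.77") // same id, second location
	fmt.Println("first token:", t1, "second login:", err)
	for _, line := range s.Audit {
		fmt.Println(line)
	}
}
```

RejectNew is the stricter policy but punishes the legitimate user whose earlier session never logged out; RevokeOldest keeps the account usable while still leaving the audit trail, so the sharing shows up as a stream of ALERT/REVOKED lines for that id.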
#2  11-29-2006, 07:47 PM  Moe Trin (Guest)  Re: User Authentication

On 29 Nov 2006, in the Usenet newsgroup alt.computer.security, in article
<1164819117.330425.308540@h54g2000cwb.googlegroups.com>, Michael P. wrote:

>I'm looking for a best practices paper on online user authentication.
>Currently one of our systems allows people to share a user id and
>password and to login with that id at the same time in multiple
>locations. I believe that is a poor security practice.


No kidding.

>Are there any papers that discuss this situation and why it may or may
>not be good practice. I'm creating a paper for the company I work with
>and would like documentation to support my findings.


No indication of what operating system - possibly windoze. Might seem
off topic to you, but try http://www.ora.com/. The book you are looking
for is "Practical UNIX and Internet Security, Third Edition" Feb 2003
US$54.95 ISBN 0-596-00323-4, 984 pages. While it's aimed at the four
most popular Unix variants, the fundamentals are certainly applicable to
your specific problem. You may even find the book in your library,
and you can read snippets on line at the O'Reilly site.

Old guy

#3  11-29-2006, 08:08 PM  Anne & Lynn Wheeler (Guest)  Re: User Authentication

"Michael P." <michael@michaeljpatterson.com> writes:
> I'm looking for a best practices paper on online user authentication.
> Currently one of our systems allows people to share a user id and
> password and to login with that id at the same time in multiple
> locations. I believe that is a poor security practice. Are there any
> papers that discuss this situation and why it may or may not be good
> practice. I'm creating a paper for the company I work with and would
> like documentation to support my findings.



the basic premise in "shared secret" authentication ... is to have
unique "shared secrets" for unique security domains (countermeasure
for individuals in one security domain attacking another ... i.e.
local garage ISP attacking your place of work or financial
institution).
http://www.garlic.com/~lynn/subintegrity.html#secret

there are trade-off issues involving multiple systems within the same
security domain.

the unique "shared secret" guidelines have resulted in individuals
having to deal with large scores of unique "shared secrets" and
finding it impossible to remember them all. this is further aggravated
by guidelines for "impossible to guess" shared secrets ... which are
also impossible to remember. the whole issue may become further
obfuscated when each system sort of makes believe that they are the
only one in existence ... and therefore the end-user is only dealing
with the one and only password that they required.

so the trade-off involving multiple systems within a single security
domain ... is that a single password compromise can compromise all
systems ... against having large number of different passwords
resulting in the end-user having to write down every one (as an aid to
all the impossible to remember stuff). an attacker getting the written
copy of all passwords can also compromise all systems ... so is a
single password less vulnerable than multiple different passwords (all
recorded in the same place)?

some of the single-sign-on scenarios allow the individual to
authenticate once to the authentication service ... and then the
authentication service provides the credentials for all the actual
system connections and authorizations.

one such common facility that is fairly widely deployed is kerberos
originally developed at mit's project athena. there is even a kerberos
specification (pk-init) for allowing for authentication via
verification of digital signature.
http://www.garlic.com/~lynn/subpubkey.html#kerboros

the original pk-init called for just substituting registration of
public key for registration of password ... and then using the registered
public key for verifying any digital signature (w/o requiring any PKI
or digital certificates)
http://www.garlic.com/~lynn/subpubkey.html#certless

later, PKI-mode of operation was added to the pk-init standards
document. my oft repeated comment is that in such environments, the
digital certificates are mostly redundant and superfluous. for a whole
lot of reasons (like privacy, security, etc), such digital
certificates tend to only carry information regarding what is
associated with the digital signature being verified ... still
requiring the system to look up in some sort of repository the permissions
and other characteristics. in all such situations, having to make a
repository lookup implies that the registered public key can be
carried in the same repository. if the registered public key can be
carried as part of a repository lookup that is being performed anyway
... the whole PKI and digital certificate distribution infrastructure
is therefore redundant and superfluous.

of course, the alternative is to avoid a repository lookup and
everybody with any kind of acceptable digital certificate is allowed
all possible permissions and privileges.

for other drift ... note that digital signature verification is also a
countermeasure to "replay attacks" typical of "shared secret" based
paradigms ... i.e. eavesdropping the shared secret allows an attacker to
replay it. typical digital signature verification operations have the
system presenting some random data to be digitally signed (as a
countermeasure to static data replay attacks).



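The two mechanisms Lynn's post describes, registration of a bare public key in the same per-user repository that already holds the permissions (no certificate, no PKI), and a login that signs random data issued by the server so that an eavesdropped exchange cannot be replayed, as an added example in Go that is not part of the thread and not the pk-init or Kerberos code itself. It uses Ed25519 from the Go standard library; AuthServer, Challenge and Verify are my own names. The server consumes the challenge before checking the signature, so a captured (nonce, signature) pair is useless a second time, which is the property a static password lacks.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownUser  = errors.New("no public key registered for user")
	ErrNoChallenge  = errors.New("no outstanding challenge for user (replay or out of order)")
	ErrBadSignature = errors.New("signature does not verify under the registered key")
)

// userRecord is the per-user repository entry: the lookup the server must do
// anyway for permissions also yields the key, so no certificate is needed.
type userRecord struct {
	pub   ed25519.PublicKey
	perms []string
}

// AuthServer holds registered keys and the one challenge outstanding per user.
type AuthServer struct {
	users      map[string]userRecord
	challenges map[string][]byte // nonce issued to each user, consumed on first use
}

func NewAuthServer() *AuthServer {
	return &AuthServer{users: map[string]userRecord{}, challenges: map[string][]byte{}}
}

// Register binds a user id to a public key and its permissions (certless registration).
func (s *AuthServer) Register(user string, pub ed25519.PublicKey, perms []string) {
	s.users[user] = userRecord{pub: pub, perms: perms}
}

// Challenge issues 32 fresh random bytes for the user to sign. A new challenge
// replaces any earlier one still outstanding.
func (s *AuthServer) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, ErrUnknownUser
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify accepts the login only if sig is a valid signature over the exact nonce
// currently outstanding for the user. The nonce is deleted before the signature
// check, so neither a replayed pair nor a retry against the same challenge works.
// On success it returns the permissions from the same record that held the key.
func (s *AuthServer) Verify(user string, nonce, sig []byte) ([]string, error) {
	expected, ok := s.challenges[user]
	if !ok || !bytes.Equal(expected, nonce) {
		return nil, ErrNoChallenge
	}
	delete(s.challenges, user)
	rec := s.users[user]
	if !ed25519.Verify(rec.pub, nonce, sig) {
		return nil, ErrBadSignature
	}
	return rec.perms, nil
}

// Client holds the private key; only the public half ever goes to the server.
type Client struct {
	User string
	priv ed25519.PrivateKey
}

func NewClient(user string) (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{User: user, priv: priv}, nil
}

func (c *Client) Public() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge; no reusable secret crosses the wire.
func (c *Client) Sign(nonce []byte) []byte { return ed25519.Sign(c.priv, nonce) }

func main() {
	srv := NewAuthServer()
	alice, _ := NewClient("alice") // constructed sample user
	srv.Register("alice", alice.Public(), []string{"read", "write"})

	nonce, _ := srv.Challenge("alice")
	sig := alice.Sign(nonce) // an eavesdropper captures nonce and sig here
	perms, err := srv.Verify("alice", nonce, sig)
	fmt.Println("login:", perms, err)

	// Replaying the captured pair fails, unlike replaying an eavesdropped password.
	_, err = srv.Verify("alice", nonce, sig)
	fmt.Println("replay:", err)
}
```

The registration step is the whole "PKI" here: the public key sits in the user record next to the permissions, exactly the repository the server consults on every login anyway.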
#4  11-29-2006, 08:13 PM  Michael P. (Guest)  Re: User Authentication
Moe Trin wrote:
> On 29 Nov 2006, in the Usenet newsgroup alt.computer.security, in article
> <1164819117.330425.308540@h54g2000cwb.googlegroups.com>, Michael P. wrote:
>
> >I'm looking for a best practices paper on online user authentication.
> >Currently one of our systems allows people to share a user id and
> >password and to login with that id at the same time in multiple
> >locations. I believe that is a poor security practice.

>
> No kidding.
>
> >Are there any papers that discuss this situation and why it may or may
> >not be good practice. I'm creating a paper for the company I work with
> >and would like documentation to support my findings.

>
> No indication of what operating system - possibly windoze. Might seem
> off topic to you, but try http://www.ora.com/. The book you are looking
> for is "Practical UNIX and Internet Security, Third Edition" Feb 2003
> US$54.95 ISBN 0-596-00323-4, 984 pages. While it's aimed at the four
> most popular Unix variants, the fundamentals are certainly applicable to
> your specific problem. You may even find the book in your library,
> and you can read snippets on line at the O'Reilly site.
>
> Old guy


Thanks, I will take a look at it. The problem is more a general
problem than one specific to any one technology.

Michael


#5  12-04-2006, 02:36 PM  Anne & Lynn Wheeler (Guest)  Re: User Authentication
Anne & Lynn Wheeler <lynn@garlic.com> writes:
> the basic premise in "shared secret" authentication ... is to have
> unique "shared secrets" for unique security domains (countermeasure
> for individuals in one security domain attacking another ... i.e.
> local garage ISP attacking your place of work or financial
> institution).
> http://www.garlic.com/~lynn/subintegrity.html#secret


re:
http://www.garlic.com/~lynn/2006v.html#29 User Authentication

news article from today:

UN agency warns of online security risks
http://news.ninemsn.com.au/article.aspx?id=168199

from above:

Computer users who type in the same username and password for multiple
sites - such as online banks, travel agencies and booksellers - are at
serious risk from identity thieves, a United Nations agency said.

... snip ...

#6  12-06-2006, 09:57 PM  takis (Guest)  Re: User Authentication
I feel one of the best protocols to authenticate the users of a network
against distributed network services is Kerberos 5. A tutorial about it
is available at http://www.zeroshell.net/eng/kerberos/

Regards


