Security 3257

lots of past posts on shared-secret "something you know" authentication.

part of the issue in static data, shared-secret authentication paradigms ... is not only can static data be eavesdropped and reproduced in replay attacks ... but the same information is used for both origination and verification. as a result, you are required to have a unique shared-secret for every different security domain ... as countermeasure to cross-domain compromises (aka your local garage isp and your place of employment or online banking). this has been further aggravated by the requirement for hard to guess (and impossible to remember) passwords that are changed on a frequent basis (potentially scores of different, impossible to remember passwords at any one moment).

in the 3-factor authentication paradigm

* something you have
* something you know
* something you are

... the last two tend to be (relatively) static data that are vulnerable to eavesdropping-harvesting and replay attacks. unique physical tokens for "something you have" authentication involve unique data for every operation (like digital signature as countermeasure to eavesdropping and replay attacks) and different data for origination and verification (like public-private key as countermeasure to cross-domain compromises).

the issue then is that "something you have" authentication may be vulnerable to lost-stolen tokens ... and multi-factor authentication, with "something you know" or "something you are", is then the countermeasure to lost-stolen tokens (and tokens are countermeasure to the static data eavesdropping against "something you know" or "something you are" and replay attacks).

Security 3259

ref:

one of the ancillary issues in harvesting-skimming-eavesdropping of static data shared secrets or any kind of static ... a somewhat implicit assumption in multi-factor authentication is that the different methods are vulnerable to different threats.

the assumption in multi-factor authentication (in something like pin-debit) can be subverted where both the "something you have" (magstripe) and "something you know" (pin) are subject to the same, common skimming-harvesting vulnerability (and replay attack).

the next scenario ... even with relatively high integrity multi-factor authentication, is the compromise of the authentication environment (where viruses can reproduce static data authentication and any physical token can be induced to perform multiple operations ... w/o the owner's knowledge). recent posting on this in thread on multi-factor authentication vulnerabilities

Security 3258

the really old, ancient "new" thing that has been bubbling off and on in the press for at least the past year (much more recently), is virtualization as security ... stuff like turns...

the above mentions that "something you know" authentication can either involve a "shared-secret" (that is typically registered at some institutional, security domain repository) or a plain "secret". in the plain secret method, the "secret" is registered in a "something you have" token and required for correct token operation. since the "secret" isn't registered at specific institutional, security domain repositories ... there is much less of a threat of cross-domain compromises (and therefore the same authentication mechanism could be used in multiple different security domains).

start of the thread mentioning a number of different security related weaknesses https:--www.financialcryptography.com-mt-archives-00068 plus 11.html and man-in-the-middle attacks

lots of past posts on exploits, threats, and vulnerabilities
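The contrast these posts draw, as an added example (not code from the original posts): a static shared secret verifies again on replay and at any domain it was registered with, while a token holding a private key signs a fresh, domain-bound challenge, so the domain stores only a public key and a captured signature is useless on replay or elsewhere. The domain names, the "|" separator and the 16-byte challenge size are assumptions of this example; the signing uses Go's standard-library ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Static shared secret ("something you know"): the same value crosses the wire
// every time, so a harvested copy replays at every domain it is registered with.
type SharedSecretDomain struct{ stored [32]byte }
func NewSharedSecretDomain(secret string) SharedSecretDomain {
	return SharedSecretDomain{stored: sha256.Sum256([]byte(secret))}
}

func (d SharedSecretDomain) Verify(presented string) bool {
	h := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(h[:], d.stored[:]) == 1
}

// Token-style ("something you have"): the domain holds only a public key and
// issues single-use challenges; the token signs challenge plus domain name.
type TokenDomain struct {
	Name    string
	pub     ed25519.PublicKey
	pending map[string]bool // issued challenges not yet consumed
}
func NewTokenDomain(name string, pub ed25519.PublicKey) *TokenDomain {
	return &TokenDomain{Name: name, pub: pub, pending: map[string]bool{}}
}

func (d *TokenDomain) Challenge() []byte {
	c := make([]byte, 16)
	rand.Read(c) // cannot fail since Go 1.24; on older Go, check the error
	d.pending[string(c)] = true
	return c
}

func (d *TokenDomain) Verify(challenge, sig []byte) bool {
	if !d.pending[string(challenge)] {
		return false // unknown or already-consumed challenge: replay rejected
	}
	delete(d.pending, string(challenge))
	return ed25519.Verify(d.pub, append([]byte(d.Name+"|"), challenge...), sig)
}

// TokenSign runs on the token; the private key never reaches any domain.
func TokenSign(priv ed25519.PrivateKey, domain string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(domain+"|"), challenge...))
}
```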
Alt Folklore Computers from Newsgroups