two-factor authentication problems

Anne & Lynn Wheeler lynn at garlic.com
Tue Mar 8 09:08:16 EST 2005


Gabriel Haythornthwaite wrote:
> RSA SecurID and OATH technology have some great virtues:
> - they cost nothing to integrate at the client end - there is no client
> "footprint" so there's nothing to go wrong
> - they are relatively easy to understand and use
> - they're unquestionably better than reliance on user IDs and passwords.

note that there is typically some close relationship between a securid
and the relying party .... that if everything is working correctly ...
the relying party is pretty sure that (most of the time) the response
originated from a valid token .... although there are various kinds of 
attacks and vulnerabilities associated with originating that information 
and/or transmitting it to the relying party.

most PKIs tend to focus on the integrity of the indication arriving at
the relying party. the digital signature is an indication that something
occurred at the remote end ... namely some entity accessed and used a
private key. however, almost all PKI descriptions fail to focus on the
primary event (that a digital signature is supposed to indicate) is that
some form of 3factor authentication actually occurred in the access and
use of a private key. A lot of PKI has shifted the focus from the
fundamental authentication business process (the integrity of the access
and use of a private key) to the integrity of the communication that
some (any arbitrary) access and use of a private key (while failing to
establish that there was any fundamental integrity actually associated
with the actual access and use of the private key).

aka ... digital signatures are a secondary factor associated with the 
primary integrity event of concern. the primary integrity business 
process is the actual access and use of the private key. a digital 
signature is a secondary integrity factor ... the indication or 
communication that some access and use of a private key has occurred (w/o
having any indication about the actual integrity of that access and use).

the actual access and use of the private key would be the primary 
integrity event of concern. the (high integrity) communication that such 
an access and use has concerned is secondary to the actual access and 
use (although both can be considered as attack targets or vulnerabilities).

note that integrity of the actual access and use of the private key, 
establishing some form of 3factor authentication
http://www.garlic.com/~lynn/subpubkey.html#3factor

and the communication that some actual access and use of the private key 
has occurred with a digital signature

is orthogonal to whether the relying party is relying on an (offline,
unconnected) PKI model or a certificate-less
http://www.garlic.com/~lynn/subpubkey.html#certless

The PKI model was originally meant to target the scenario where the relying
party has had no prior relationship with the originating party and/or
has no access and/or recourse to any other source of information 
(especially online access) about the originating party.

However, PKI descriptions have frequently obfuscated that there are other
business processes requiring integrity issues (aka anything other than 
those related to certificate generation and use).

The actual core process that everything depends on is the integrity 
surrounding the access and use of the private key .... and all other
processes are scaffolding intended to provide a remote relying party
some indication that the access and use of a private key has occurred.

PKI models frequently fail to even bother to describe that the primary 
integrity issue is the access and use of the private key (and everything 
else is secondary). PKI models also frequently fail to describe that 
they are intended for the offline, unconnected business environment ... 
which has become the small minority of actual business processes in the 
world today.

---------------------------------------------------------------------
The Cryptography Mailing List