"Zero Knowledge Authentication"? (was Cryptolog Unicity Software-Only Digital Certificates)

Joseph Ashwood ashwood at msn.com
Fri Dec 12 18:51:18 EST 2003


----- Original Message ----- 
From: "R. A. Hettinga" <rah at shipwright.com>
To: <cryptography at metzdowd.com>
Sent: Wednesday, December 10, 2003 8:47 AM
Subject: "Zero Knowledge Authentication"? (was Cryptolog Unicity
Software-Only Digital Certificates)


> Launch Marks the First Commercial Use of "Zero-Knowledge" Authentication

I've snipped the rest, because it is primarily not useful beyond this. They
are highly incorrect about their launch being the "first commercial use" of
ZKA; as a matter of fact, I was involved in implementing one for commercial
use, and I was a part of a "mandatory workforce reduction" (aka laid off)
from that company 2 1/2 years ago. I will admit we never referred to it as
"Zero Knowledge Authentication", which just sounds like a mass of crap thrown
together to sound geeky. Instead we used a zero knowledge proof of knowledge
(in particular of a PIN), and used that proof to provide authentication. I can
also tell you that if you're dealing with some high security requirements
(such as the claim of "high security" in the press release), there are some
very tricky situations, and I found a number of unpublished attacks against
such systems (all were addressed before the product shipped, except the one
I address below, which is inherent). So to anyone looking at such a system, I
recommend that they give it at least 2 years to mature and be attacked, and
even then make sure that a number of worthwhile names have actually looked
at the protocols involved, and the implementation.

With that said, I see little reason that such systems need to exist; you
continually end up coming back to "but what is it actually good for". The
truth is that with a small piece of knowledge, only a small number of
accounts need their existence known to compromise the system. An example: a
simple PIN-based system, e.g. an ATM bank card network, where the PIN must be
at least 4 digits and a maximum of 6. First, statistically the vast majority
of PINs will be 4 digits. Now, contrary to reality, we will assume that the
PINs are chosen randomly (most people choose a pattern). The fact is that with
4 digits there are only 10,000 possible PINs, so only 5000 guesses need to be
made to have, on average, broken into one account. From there the standard is
that each account is given 3 guesses before disabling, so only 1667 cards
have to be uncovered in order to break into an account. Now realistically,
how long will this take? Here in the US, ATM cards can be uniquely identified
by 16 digits (it's been linked into the Visa network), which makes acquiring
the card number easy. Acquiring the numbers of 1667 cards is almost trivial.

On such "high security" systems, they invariably have further problems. The
base information required for a user to log in can be downloaded free of
security (for roaming), this allows an attacker to simply download all the
login credentials for the entire enterprise. In many cases large companies
will have more than 1667 people who have root access on the network. This is
a fatal flaw for the design, and unfortunately for such systems this is a
flaw that cannot be addressed except by switching to passphrases, something
that would lower their usability (their biggest selling point) to the same
level of all other "secure" systems.
                Joe

Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
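The PIN-space arithmetic in the post above, generalized into the population-wide risk model a defender would use to size PIN length and lockout policy when the whole account directory is assumed to be enumerable. This is an added example written for this page, not code from the post or from any product it mentions; it assumes uniform random PINs, distinct guesses per account, a hard lockout after `lockout` wrong attempts, and the population figures used below are constructed to match the post's numbers.

```python
"""Population-wide PIN-guessing risk under a per-account lockout.

Model (assumption, not from the post): every account gets at most `lockout`
distinct guesses before it is disabled, PINs are uniform over `pin_space`
values, and accounts are independent. The question a policy owner wants
answered is not "how many guesses for one account" but "across N accounts
that an attacker can enumerate, how many fall, and what PIN length holds
that below an acceptable level".
"""
from math import ceil, log


def per_account_success(pin_space: int, lockout: int) -> float:
    """P(one account falls) when `lockout` distinct guesses are spent on it."""
    return min(1.0, lockout / pin_space)


def prob_any_compromised(accounts: int, pin_space: int, lockout: int) -> float:
    """P(at least one of `accounts` falls) under the lockout policy."""
    p = per_account_success(pin_space, lockout)
    return 1.0 - (1.0 - p) ** accounts


def expected_compromised(accounts: int, pin_space: int, lockout: int) -> float:
    """Expected number of compromised accounts across the population."""
    return accounts * per_account_success(pin_space, lockout)


def accounts_for_confidence(target: float, pin_space: int, lockout: int) -> int:
    """Population size at which P(any compromise) first reaches `target`."""
    p = per_account_success(pin_space, lockout)
    return ceil(log(1.0 - target) / log(1.0 - p))


def min_pin_digits(accounts: int, lockout: int, max_expected: float) -> int:
    """Smallest decimal PIN length keeping expected compromises across the
    whole population at or below `max_expected` (a policy-sizing check)."""
    digits = 1
    while expected_compromised(accounts, 10 ** digits, lockout) > max_expected:
        digits += 1
    return digits


if __name__ == "__main__":
    # Constructed scenario matching the post: 4-digit PINs, 3 guesses per
    # account, an attacker who has collected 1667 account identifiers.
    print(f"P(any):   {prob_any_compromised(1667, 10_000, 3):.3f}")
    print(f"expected: {expected_compromised(1667, 10_000, 3):.3f}")
    print(f"N at 50%: {accounts_for_confidence(0.5, 10_000, 3)}")
    print(f"digits:   {min_pin_digits(1667, 3, max_expected=0.01)}")
```

With 1667 enumerable accounts and a 3-guess lockout, the model gives roughly a 39% chance that at least one 4-digit PIN is recovered, and holding the expected loss under 0.01 accounts needs 6 digits, the upper end of the range the post mentions.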
