authentication and authorization (was: Question on the state of the security industry)
Anne & Lynn Wheeler
lynn at garlic.com
Thu Jul 1 22:40:39 EDT 2004
At 12:26 PM 7/1/2004, John Denker wrote:
>The object of phishing is to perpetrate so-called "identity
>theft", so I must begin by objecting to that concept on two
>different grounds.
there are two sides of this .... some amount of crime statistics call it
ID-theft .... which plausibly could be either identity or identification
... but in general it involves a situation where a criminal is impersonating
you to one degree or another to perform some fraudulent action.
there has been some attempt to distinguish impersonation events between
fraudulently extracting money from existing accounts and fraudulently
creating new accounts in your name.
practically, objecting to the label id-theft may be like objecting to the
label suicide bomber.
in general, the problem is using any kind of static data for
authentication. it applies to name, birthdate, mother's maiden name, pins,
passwords, account numbers .... any kind of static data. it worked for a
long time ... but it was based on the assumption that it had the characteristics
of 1) a shared secret and 2) unique use, i.e. different static data in different
security domains.
the growth of electronic environments has drastically affected this in lots
of ways (invalidating the core assumptions that were behind the use of such
static data for authentication; it wasn't that static data didn't work ...
but it worked well only as long as the underlying assumptions were valid):
1) drastic increase in the number of different electronic environments
requiring unique shared secrets ..... basic human factors make it
impossible to process a unique shared secret for every possible (scores of
unique) environment
2) drastic increase in the number of different electronic environments ...
drastically increasing the number of places that shared secrets are being
used ... which increases the places that shared secrets can be harvested
(for criminal purposes)
3) drastic increase in electronic environments that contain information
about individuals ... drastically increasing the number of places that
personal information can be harvested (of the type that is likely to be
used in shared-secret, static authentication information) for criminal
purposes.
minor reference to the account based scenario .... security proportional to
risk
http://www.garlic.com/~lynn/2001h.html#61
and then there is the whole thing about frequent confusion of
identification and authentication:
http://www.garlic.com/~lynn/aepay3.htm#mcomm (my) misc. additional comments
on X9.59 issues.
http://www.garlic.com/~lynn/aepay7.htm#3dsecure 3D Secure Vulnerabilities?
Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aadsm9.htm#pkcs12b A PKI Question: PKCS11-> PKCS12
http://www.garlic.com/~lynn/aadsm14.htm#40 The real problem that https has
conspicuously failed to fix
http://www.garlic.com/~lynn/aadsm14.htm#41 certificates & the alternative view
http://www.garlic.com/~lynn/aadsm17.htm#13 A combined EMV and ID card
http://www.garlic.com/~lynn/aadsm17.htm#16 PKI International Consortium
http://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and
Identiification?
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing
Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing
Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/2003j.html#47 The Tao Of Backup: End of postings
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
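The post above argues that static authentication data fails once it is no longer a shared secret used uniquely per security domain: a phished password is replayable anywhere the same value is accepted. The following is an added example, not code from the original message or from the X9.59 work it references, that makes the failure mode concrete and contrasts it with a challenge-response scheme in which nothing static crosses the wire. The domain names, the "master" device secret, the per-domain key derivation and the password are all constructed for illustration and are not taken from the post.

```python
"""Harvest-and-replay against a static credential vs. a nonce-bound,
domain-bound challenge-response. Everything here is a constructed toy."""
import hashlib
import hmac
import secrets

# Constructed sample: one static password the user reuses at two banks,
# violating the post's assumption 2 (unique static data per domain).
PASSWORD = "correct horse"


class StaticPasswordServer:
    """Verifier that accepts a static shared secret (hashed at rest, but
    the value on the wire is the same every time and at every site)."""

    def __init__(self, domain, password):
        self.domain = domain
        self._stored = hashlib.sha256(password.encode()).digest()

    def login(self, presented):
        return hmac.compare_digest(
            hashlib.sha256(presented.encode()).digest(), self._stored)


def phish_static(user_password):
    """A fake site asks for the password; what the user types is exactly
    the thing that authenticates them, so harvesting it is game over."""
    return user_password


def static_scenario():
    bank_a = StaticPasswordServer("bank-a.example", PASSWORD)
    bank_b = StaticPasswordServer("bank-b.example", PASSWORD)  # reused
    harvested = phish_static(PASSWORD)
    # One harvest, replayable at both domains.
    return {"replay_at_a": bank_a.login(harvested),
            "replay_at_b": bank_b.login(harvested)}


def derive_domain_key(master, domain):
    """Hypothetical per-domain key: the device-held master secret is never
    sent, and each verifier only ever sees material bound to its own name."""
    return hmac.new(master, b"key|" + domain.encode(), hashlib.sha256).digest()


def client_respond(master, domain, nonce):
    """The client binds its response to the domain it is actually talking
    to and to the fresh nonce it was given; the response is worthless
    anywhere else and is never valid twice."""
    key = derive_domain_key(master, domain)
    return hmac.new(key, domain.encode() + b"|" + nonce, hashlib.sha256).digest()


class ChallengeResponseServer:
    def __init__(self, domain, shared_key):
        self.domain = domain
        self._key = shared_key
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self._outstanding:
            return False  # replayed, expired or never issued
        self._outstanding.discard(nonce)  # strictly one-time use
        expected = hmac.new(self._key, self.domain.encode() + b"|" + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_response_scenario():
    master = secrets.token_bytes(32)  # constructed device secret
    bank_a = ChallengeResponseServer("bank-a.example",
                                     derive_domain_key(master, "bank-a.example"))
    bank_b = ChallengeResponseServer("bank-b.example",
                                     derive_domain_key(master, "bank-b.example"))

    # 1. Legitimate login is sniffed, then replayed verbatim later.
    n1 = bank_a.challenge()
    r1 = client_respond(master, "bank-a.example", n1)
    first = bank_a.login(n1, r1)
    replay = bank_a.login(n1, r1)  # nonce already consumed

    # 2. Real-time relay: the phisher fetches a fresh challenge from the real
    #    bank and forwards it, but the user's client binds the response to the
    #    domain it sees (the phishing site), so the bank rejects it.
    n2 = bank_a.challenge()
    relay = bank_a.login(n2, client_respond(master, "phish.example", n2))

    # 3. Cross-domain: material valid for bank-a is useless at bank-b.
    n3 = bank_b.challenge()
    cross = bank_b.login(n3, client_respond(master, "bank-a.example", n3))

    return {"first": first, "replay": replay, "relay": relay,
            "cross_domain": cross}


if __name__ == "__main__":
    print("static password:", static_scenario())
    print("challenge-response:", challenge_response_scenario())
```

The HMAC variant still leaves a per-domain shared key on the verifier, which is exactly the harvest-at-the-server exposure the post's point 2 describes; a public-key signature over the same domain-and-nonce string would let the verifier hold only a public key, so a server compromise yields nothing that authenticates the user elsewhere.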