two-person login?
mark seiden-via mac
mis at seiden.com
Tue Jan 29 12:41:01 EST 2008
another term you might look for (used in physical security and
financial controls) is "dual custody" or sometimes "double custody".
(if you're searching, add " -child" or "security" for better search
quality)
i don't see why the analogies are not apt.
one question is whether the two people can both perform their
respective act independently
or whether they need to perform their act within a bounded time.
in the case of auditcon locks, for example, often used on the money
safe part of atms:
http://www.kaba.co.uk/products/auditcon-2-series-model-252.asp
these features are called
"Supervisor/Subordinate Mode
Allows access by a subordinate only after being enabled by a
supervisory combination. Once enabled, a subordinate user has access
to the lock during any valid opening time."
[for example, this would be used in a supermarket if a manager wants
to allow a subordinate to open the safe the next morning]
or
"Dual Custody
Two Person Integrity, which requires two users to open the lock."
the x-09 (approved for use in us top secret) has three modes:
A-single combination code
b-Dual combination mode which allows access only when two different
three number combinations are dialed within 10 seconds of one another
c-Supervisory/subordinate mode
On Jan 28, 2008, at 2:56 PM, John Denker wrote:
> Hi Folks --
>
> I have been asked to opine on a system that requires a
> "two-person login". Some AIX documents refer to this as
> a "common method of increasing login security"
> http://www.redbooks.ibm.com/redbooks/pdfs/sg245962.pdf
>
> However, I don't think it is very common; I get only five hits
> from
> http://www.google.com/search?q=two-person-login
>
> By way of not-very-apt analogy:
> -- I am aware of business checks that require two signatures;
> -- I am aware that purchase orders are commonly signed by
> two persons (the initiator and the approver);
> -- I am aware of missile-launch procedures that require two
> persons using two keys;
> -- I am aware of software development procedures where a patch
> is submitted (and signed) by one person, tested (and signed
> off) by another, and committed to the official repository by
> a third person.
> -- et cetera.
>
> However, it is important to note that the aforementioned examples
> all share an important property, as we see from the following:
> *) The parties give their approval _after_ the semantics has
> been fully determined. It would defeat all security if two
> signatures were attached to a blank check or a blank PO.
> *) As a related point, the approval is attached to a particular
> transaction. The approver is not merely certifying that Joe
> is really Joe, and is generally allowed to write checks
> (mere identification); the approver is certifying that this
> particular check is OK.
> *) To say the same thing another way, there is no pretexting.
> There is no pretext for turning the keys on the missile launcher
> unless you intend to launch a missile. The semantics of the
> keys is clear.
>
> We need to talk about threat models:
> a) The purveyors of the system in question don't have any clue
> as to what their threat model is. I conjecture that they might
> be motivated by the non-apt analogies itemized above.
> b) In the system in question, there are myriad reasons why Joe
> would need to log in. If Joe wanted to do something nefarious,
> it would take him less than a second to come up with a seemingly
> non-nefarious pretext. When the approver approves Joe's login,
> the approver has no idea what the consequences of that approval
> will be. The two-person login requires the approver to be
> present at login time, but does not require the approver to
> remain present, let alone take responsibility what Joe does
> after login.
> c) The only threat model I can come up with is the case where
> Joe's password has been compromised, and nobody else's has.
> Two-person login would provide an extra layer of security
> in this case. This threat is real, but there are other ways
> of dealing with this threat (e.g. two-factor authentication)
> ... so this seems like quite a lame justification for the
> two-person login.
> d) Or have I overlooked something?
>
>
>> From the foregoing, you might conclude that the two-person login
> system is worthless security theater ... but harmless security
> theater, and therefore not worth worrying about either way.
>
> But the plot thickens. The purveyors have implemented two-person
> login in a way that manifestly /reduces/ security. Details
> available on request.
>
> So now I throw it open for discussion. Is there any significant
> value in two-person login? That is, can you identify any threat
> that is alleviated by two-person login, that is not more wisely
> alleviated in some other way?
>
> If so, is there any advice you can give on how to do this right?
> Any DOs and DON"Ts?
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list