On this page

NIM - Network Identity Manager - Security meets simplicity
RE: Citibank Phish Spoofs 2-Factor Authentication
Device coordination with web applications.
Microsoft Employees Get Carded
Welcome Marc
OASIS X509 Token profile - ValueType and EncodingType attributes
WSE 3.0 wish list
Plumbwork Orange moved to Sourceforge from GDN
Visual Studio (.NET) - Best IDE on planet
MindTree lecture series
IBM's Federation strategy - what's going on ?
First Blog on dotnetcard.com

Archive

Blogroll

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

RSS 2.0 | Atom 1.0 | CDF

Send mail to the author(s) E-mail

Sign In
Pick a theme:

NIM - Network Identity Manager - Security meets simplicity
Sunday, February 25, 2007 5:43:58 PM (Central Standard Time, UTC-06:00)

I have been meaning to put up a link for this for a while.

Enjoy:

RE: Citibank Phish Spoofs 2-Factor Authentication
Saturday, July 15, 2006 3:06:40 PM (Central Standard Time, UTC-06:00)

The attack was a man-in-the-middle (MIM) attack in which the phishing site relayed the victim's input to the real Citibank site, going so far as to reproduce the error messages that Citibank itself generated.

http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html : "The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real"

http://isc.sans.org/diary.php?storyid=1478 : "Overall, two factor authentication will reduce the risk of attacks by raising the effort of the attacker to compromise the accounts, but it might not have the level of security enhancement that some people believed. In the man-in-the-middle attack, the flaw happens due to the lack of verification of the bank's website by the victim; the victims are simply tricked into yielding credentials to a web site without authentication. This is really outside of the protection zone of the extra authentication factor.

To further extend this, two factor authentication also does NOT protect the end host security; malware (such as a keylogger or BHO) could be installed on the client's machine and effectively gather the credential and login on behalf of the victim instead of letting the victim login.

This is a classic problem of "you are only as secure as the weakest link". Two factor authentication is good for secure authentication but does not take care of mutual authentication or endpoint security. From the financial organization perspective, maybe further investment into mutual authentication and ensuring the client's computer is free of malware would be necessary to protect the client's online transactions."

In the above entry at sans.org (Handlers' diary) Jason says that two-factor authentication is good for secure authentication but does not take care of mutual authentication or endpoint security. This is only partly true; it depends on the two-factor device being used. Consumers and enterprises usually think of a one-time-password generator (such as an RSA SecurID token) when they hear "two-factor authentication", since it satisfies the notion of "something you know and something you have", but there are other two-factor devices, such as smart cards, that have a lot more to offer in terms of end-to-end security and are therefore useful in tackling man-in-the-middle attacks: an OTP is a bearer value that the phishing proxy can simply forward to the bank, whereas a card can prove possession of a key in a way that is tied to the connection it is actually talking over.

The Handlers' diary points out that mutual authentication is required to fight MIM, and this is where smart cards distinguish themselves: current-generation cards, which can easily be plugged into enterprise infrastructure following newer standards such as Liberty Alliance and WS-*, are no longer just user-authentication devices but can also perform (even customized) authentication of the web site, portal or server.

In one of his articles (Authentication: The Pitfall of Two Factor Authentication) Jason says:
"In the phishing scenario, challenge response type of second factor seems to be problematic to the phishers. However, that really isn't stopping all the attackers. The desperate ones can still leverage Man in the middle type of attack. There are a few ways for man in the middle attacks to work. One is to put up a look-alike malicious site which is basically a proxy to the actual bank's website. When the victim logs in with proper credentials, the attacker can simply ride on that established online banking session. Notice that even a challenge-response type of token would work in this case because the attacker (or the man in the middle) is passively observing the connection between the bank and the victim. The challenge will reach the victim, who will then send in the response. The attacker simply proxies the traffic until the session is established and then sends in the fraudulent transaction."

I would say that the key here is to do all transactions that need security over 2-way SSL, where mutual authentication is required between the device (and thus the user) and the web server, and all communication is encrypted with a session key negotiated between the device and the web server. This way session hijacks could be prevented (correct me if I am missing something).

The solution lies in mutual authentication and communication over a secure channel between a smart device (such as a smart card) and the web server.
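As an added illustration of the difference drawn above between a one-time-password token and a device whose proof is tied to the channel (this is example code written for this page, not the author's .NET SmartCard code and not any bank's implementation), the script below simulates the Citibank-style proxy against both designs. The HOTP function follows RFC 4226 and can be checked against that RFC's published test vector; the Bank, Card and Connection classes, the user name and the secret are constructed for the example, and the per-connection identifier is a stand-in for the channel binding that 2-way SSL gives you, where the client's proof is computed over the handshake it actually performed. The OTP is a bearer value, so the relayed login succeeds; the connection-bound response fails at the bank because the phisher had to open its own connection and the bank checks against that one. Neither design helps when malware on the endpoint drives the real session, which is the second point the Handlers' diary makes.

```python
"""Simulated phishing proxy against two second-factor designs (constructed example)."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Connection:
    """One TLS-like connection; both of its endpoints know its unique identifier.
    This stands in for a TLS channel binding (hypothetical, not a real TLS stack)."""
    def __init__(self):
        self.id = os.urandom(16)


class Card:
    """Hypothetical smart card / token holding the user's secret."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self.counter = 0

    def next_otp(self) -> str:
        code = hotp(self._secret, self.counter)
        self.counter += 1
        return code

    def respond(self, nonce: bytes, conn: Connection) -> bytes:
        """Challenge-response bound to the connection the user actually has."""
        return hmac.new(self._secret, nonce + conn.id, hashlib.sha256).digest()


class Bank:
    """Hypothetical bank offering an OTP login and a connection-bound login."""
    def __init__(self, users: dict):
        self._users = users
        self._counters = {u: 0 for u in users}
        self._nonces = {}

    def login_otp(self, user: str, otp: str, window: int = 5) -> bool:
        """Accept any of the next `window` HOTP values (the usual resync window)."""
        secret = self._users[user]
        start = self._counters[user]
        for c in range(start, start + window):
            if hmac.compare_digest(hotp(secret, c), otp):
                self._counters[user] = c + 1
                return True
        return False

    def challenge(self, conn: Connection) -> bytes:
        """Issue a fresh nonce, remembered per connection."""
        nonce = os.urandom(16)
        self._nonces[conn.id] = nonce
        return nonce

    def login_bound(self, user: str, conn: Connection, response: bytes) -> bool:
        """Verify the response against the nonce AND the connection it arrived on."""
        nonce = self._nonces.pop(conn.id, None)
        if nonce is None:
            return False
        expected = hmac.new(self._users[user], nonce + conn.id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def phish_otp(bank: Bank, card: Card, user: str) -> bool:
    """Victim types the OTP into the phishing site; the phisher relays it to the bank."""
    captured = card.next_otp()
    return bank.login_otp(user, captured)


def phish_bound(bank: Bank, card: Card, user: str) -> bool:
    """Phisher proxies the challenge, but the card binds its answer to the victim's own
    connection, while the bank checks against the phisher's connection."""
    victim_to_phisher = Connection()
    phisher_to_bank = Connection()
    nonce = bank.challenge(phisher_to_bank)
    response = card.respond(nonce, victim_to_phisher)
    return bank.login_bound(user, phisher_to_bank, response)


def honest_bound(bank: Bank, card: Card, user: str) -> bool:
    """Same protocol with no proxy in the path: the bound login succeeds."""
    conn = Connection()
    nonce = bank.challenge(conn)
    return bank.login_bound(user, conn, card.respond(nonce, conn))


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret (constructed, not a real credential)
    bank = Bank({"alice": secret})
    card = Card(secret)
    print("relayed OTP accepted by bank:", phish_otp(bank, card, "alice"))
    print("relayed bound response accepted:", phish_bound(bank, card, "alice"))
    print("bound response over own connection:", honest_bound(bank, card, "alice"))
```

In a real deployment the connection identifier is supplied by the TLS layer rather than by the application: with client-certificate authentication the card signs the handshake transcript, so a signature produced for the victim-to-phisher handshake is worthless on the phisher-to-bank one.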

Device coordination with web applications.
Thursday, March 09, 2006 12:24:26 AM (Central Standard Time, UTC-06:00)

Today at Keio University, Tokyo, Japan, at the W3C workshop on the Ubiquitous Web, I gave a talk on device coordination with web applications. The position paper can be found here and the presentation is hosted here.

The position is basically to standardize the interface through which a web page (and script from a remote web site rendered by the browser) communicates with security devices that are locally connected to the user's machine, are network addressable, and are discoverable using standard discovery protocols such as UPnP, Bonjour or Zeroconf.

Microsoft Employees Get Carded
Friday, October 28, 2005 8:53:14 AM (Central Standard Time, UTC-06:00)

Microsoft is betting big on smart cards for its own employees while working to make the technology more palatable for the masses.

Read the full article by Karen Epper Hoffman at http://redmondmag.com

Welcome Marc
Thursday, March 10, 2005 5:12:59 PM (Central Standard Time, UTC-06:00)

Marc Talbot, my fellow developer at Axalto, has also started blogging. He joined us 3 months back in Austin for .NET Smartcard development. You will be seeing lots of goodies and tips on the usage of the .NET Smartcard and its SDK.

Marc has worked in sales for a good period of time and our research lab will be (actually already is) benefiting from his experience with customers.
OASIS X509 Token profile - ValueType and EncodingType attributes
Friday, March 04, 2005 7:00:29 PM (Central Standard Time, UTC-06:00)

I ran into some problems because of a misleading specification. The XML sample in the document http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf shows ValueType and EncodingType as wsse:X509v3 and wsse:Base64Binary respectively, but these are not the correct values. The correct values are http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 for ValueType and http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary for EncodingType.

It would have been good if Section 3.1 of the WSS X.509 token profile specification had stated this explicitly instead of leaving it vague, which, coupled with the incorrect example, makes it very error-prone.
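A small interop check for the point above, added here as example code (it is not the author's code and not part of the OASIS profile): it parses a wsse:Security header and reports any BinarySecurityToken whose ValueType or EncodingType is not the full URI, flagging in particular the QName-style values that appear in the specification's sample. The two headers are constructed for the example; the token body is a placeholder DER SEQUENCE rather than a real certificate, and the wsse namespace is the one defined by WS-Security 1.0.

```python
"""Check wsse:BinarySecurityToken attributes against the X.509 token profile (constructed example)."""
import base64
import xml.etree.ElementTree as ET

# Namespace and attribute URIs from WS-Security 1.0 and its X.509 token profile.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
X509V3_VALUE_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                     "oasis-200401-wss-x509-token-profile-1.0#X509v3")
BASE64_ENCODING_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                        "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
BST_TAG = "{%s}BinarySecurityToken" % WSSE_NS

# Placeholder token body: a DER SEQUENCE holding INTEGER 1, not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def header(value_type: str, encoding_type: str) -> str:
    """Build a constructed wsse:Security header carrying one BinarySecurityToken."""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE_NS}">'
        f'<wsse:BinarySecurityToken ValueType="{value_type}" '
        f'EncodingType="{encoding_type}">{PLACEHOLDER_CERT}</wsse:BinarySecurityToken>'
        "</wsse:Security>"
    )


# Attribute values as written in the profile's sample (QName style: wrong).
SPEC_SAMPLE_HEADER = header("wsse:X509v3", "wsse:Base64Binary")
# Attribute values as the profile's text requires (full URIs: right).
CORRECT_HEADER = header(X509V3_VALUE_TYPE, BASE64_ENCODING_TYPE)


def _looks_like_qname(value) -> bool:
    """True for values such as 'wsse:X509v3' (a prefix, no fragment), not for full URIs."""
    return bool(value) and ":" in value and "#" not in value and "/" not in value


def check_x509_tokens(xml_text: str) -> list:
    """Return the problems found in the header's BinarySecurityTokens (empty list if fine)."""
    problems = []
    tokens = list(ET.fromstring(xml_text).iter(BST_TAG))
    if not tokens:
        return ["no wsse:BinarySecurityToken element found"]
    for tok in tokens:
        vt = tok.get("ValueType")
        et = tok.get("EncodingType")
        if vt != X509V3_VALUE_TYPE:
            hint = " (QName form from the spec sample; use the full URI)" if _looks_like_qname(vt) else ""
            problems.append(f"ValueType {vt!r} is not the X.509 token profile URI{hint}")
        if et != BASE64_ENCODING_TYPE:
            hint = " (QName form from the spec sample; use the full URI)" if _looks_like_qname(et) else ""
            problems.append(f"EncodingType {et!r} is not the Base64Binary URI{hint}")
        # The body must be Base64 and, for an X509v3 token, decode to a DER SEQUENCE.
        try:
            der = base64.b64decode(tok.text or "", validate=True)
        except ValueError:
            problems.append("token body is not valid Base64")
            continue
        if not der or der[0] != 0x30:
            problems.append("token body does not decode to a DER SEQUENCE (no 0x30 tag)")
    return problems


if __name__ == "__main__":
    print("spec sample header:", check_x509_tokens(SPEC_SAMPLE_HEADER))
    print("corrected header:", check_x509_tokens(CORRECT_HEADER))
```

Run it against a header captured from your own toolkit before pointing it at a foreign endpoint; a mismatch here surfaces as an opaque "unsupported token type" fault on the other side, which is much harder to diagnose.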
WSE 3.0 wish list
Sunday, November 14, 2004 11:12:15 PM (Central Standard Time, UTC-06:00)

Everyone is giving their wish list for WSE 3.0, with WS-ReliableMessaging being the foremost requirement, so I _wish_ WSE 3.0 would have support for SAML 2.0 and WS-Federation. Given the extensible nature of WSE it is not difficult (technically). Some time back I wrote an implementation of WS-Federation for Plumbwork at GDN (now moved to SourceForge) for my identity management demo at Burton Catalyst; the WSE team may take that as a starting point.

Plumbwork Orange moved to Sourceforge from GDN
Saturday, September 18, 2004 9:49:09 AM (Central Standard Time, UTC-06:00)

The Plumbwork Orange workspace has been moved from GDN to SourceForge. You can find implementations of various WS-* specifications there, including one from me: WS-Federation.

Visual Studio (.NET) - Best IDE on planet
Wednesday, September 08, 2004 10:42:21 AM (Central Standard Time, UTC-06:00)

It's been on my mind for some days to express my gratitude to the guys (teams) who make the most wonderful development environment on the planet. In college I programmed primarily in Visual Studio 6.0 with MFC, ATL etc. and never saw the importance of an IDE until I switched to Java when I started working on Java Cards at Schlumberger (now Axalto Inc). I simply loved Java. It's a revolutionary language and paved the way for another great technology (.NET) and a fantastic language, C# ...... (pioneers should be given their respect).

Anyway, things were okay with Java, but what I always missed was an IDE. I think I tried almost all the IDEs .... from Borland's to the disgusting Forte (from Sun), Visual Cafe, JCreator and Eclipse, but none came close to VS.NET.

Forte was the worst, with zillions of windows. I think I liked Visual Cafe the most. I loved the simplicity of JCreator and admired its creator for making the IDE in C++ rather than in Java, as most Java IDE developers do. They simply do not understand that Java is not a language for making IDEs.

I recently used Eclipse; for an open source effort it's a great IDE, but again, once you have been charmed by Visual Studio it gets tough to be pleased by others.

My love story with Visual Studio .NET began when we started our .NET SmartCard effort in 2002, and since then it's tough to imagine life without it. Lots of thanks to the VS teams at MSFT for such a great IDE.

MindTree lecture series
Friday, August 20, 2004 5:10:53 PM (Central Standard Time, UTC-06:00)

http://www.mindtree.com/ping_me.html

MindTree, a great consulting firm based in Bangalore, India, is running this seminar series in which lectures are delivered by its founder and COO, Subroto Bagchi. The first one in the series is posted at the site. The title of this lecture is: 9 Key Factors behind a successful technical career.

The lecture is really good and I must say I did learn from the experience and guidance of Mr. Bagchi; I especially loved the notion of "followership", which I must say I had never heard of before (although I have followed it time and again :) ).

Regards to Mr. Subroto Bagchi and thanks to MindTree for such a great effort.

IBM's Federation strategy - what's going on ?
Thursday, July 29, 2004 9:13:12 AM (Central Standard Time, UTC-06:00)

It is a bit hard for me to digest that IBM, one of the founders of the WS-Federation standard, went for a deal with France Telecom (one of the founders of the Liberty Alliance) to conform to the Liberty standard for identity federation. Not to mention that Liberty group members must also be in an uncomfortable position, with IBM being a competitor in authoring federation standards.

Read more about the contract here.

At Burton Catalyst last week, everyone I talked to about the religious war between Liberty and WS-Federation had the opinion that they should merge. Most of them were looking to support both, though.

.NET SmartCard will be supporting both standards, but it is definitely a pain for vendors.

First Blog on dotnetcard.com
Tuesday, July 27, 2004 4:27:25 PM (Central Standard Time, UTC-06:00)

This is the new home for my blog...... I have been blogging since June 2004 at http://ksachdeva.blogspot.com but decided to buy a domain reflecting the domain I work in ;-). I will be posting interesting stuff on smart card technology and applications, web services security, identity management, etc.