User Authentication

Computer Software Security

Posted by Michael P. on November 29, 2006, 11:51 am
I'm looking for a best practices paper on online user authentication.
Currently one of our systems allows people to share a user id and
password and to login with that id at the same time in multiple
locations. I believe that is a poor security practice. Are there any
papers that discuss this situation and why it may or may not be good
practice. I'm creating a paper for the company I work with and would
like documentation to support my findings.

Thank You
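
The situation described in the post above, as an added example that is not part of the original thread: a Go session manager (hypothetical, not code from any product mentioned here) that permits one active session per user id and treats a second login from a different location as a detectable event, either refusing it or revoking the earlier session. The client address is assumed to be what distinguishes locations; the user id "ops", the addresses and the time stamps are constructed for the demonstration. The SuspectedShared report collects the audit records into the kind of evidence of id sharing that the original poster was looking for.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// ErrConcurrentLogin is returned in deny mode when a user id that already has
// an active session is used from a second location.
var ErrConcurrentLogin = errors.New("user id already has an active session from another location")

// Session is one authenticated login. Location is whatever the deployment uses
// to tell clients apart; the client address is used here (assumption).
type Session struct {
	User     string
	Location string
	Started  time.Time
}

// ConcurrentLogin is the audit record written whenever a second location tries
// to use a user id that is already logged in. These records are the evidence
// that an id is being shared.
type ConcurrentLogin struct {
	User     string
	Existing string // location of the session that was active
	Attempt  string // location of the new login
	At       time.Time
}

// SessionManager enforces one active session per user id.
type SessionManager struct {
	RevokeExisting bool // true: new login wins, old session ends; false: new login is refused
	active         map[string]Session
	Events         []ConcurrentLogin
}

func NewSessionManager(revokeExisting bool) *SessionManager {
	return &SessionManager{RevokeExisting: revokeExisting, active: map[string]Session{}}
}

// Login is called after the credential check has already succeeded. A repeat
// login from the same location simply refreshes the session.
func (m *SessionManager) Login(user, location string, now time.Time) (Session, error) {
	if cur, ok := m.active[user]; ok && cur.Location != location {
		m.Events = append(m.Events, ConcurrentLogin{User: user, Existing: cur.Location, Attempt: location, At: now})
		if !m.RevokeExisting {
			return Session{}, ErrConcurrentLogin
		}
	}
	s := Session{User: user, Location: location, Started: now}
	m.active[user] = s // in revoke mode this replaces, and so ends, the earlier session
	return s, nil
}

// Logout ends the active session for a user id, if any.
func (m *SessionManager) Logout(user string) { delete(m.active, user) }

// Active reports the current session for a user id.
func (m *SessionManager) Active(user string) (Session, bool) {
	s, ok := m.active[user]
	return s, ok
}

// SuspectedShared lists user ids whose concurrent-login records involve at
// least minLocations distinct locations, sorted for stable output.
func (m *SessionManager) SuspectedShared(minLocations int) []string {
	seen := map[string]map[string]bool{}
	for _, e := range m.Events {
		if seen[e.User] == nil {
			seen[e.User] = map[string]bool{}
		}
		seen[e.User][e.Existing] = true
		seen[e.User][e.Attempt] = true
	}
	var out []string
	for user, locs := range seen {
		if len(locs) >= minLocations {
			out = append(out, user)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed scenario: the shared "ops" id is used from three addresses.
	m := NewSessionManager(false) // deny mode
	t0 := time.Date(2006, 11, 29, 11, 51, 0, 0, time.UTC)
	for i, loc := range []string{"10.0.0.5", "192.168.1.20", "172.16.0.9"} {
		_, err := m.Login("ops", loc, t0.Add(time.Duration(i)*time.Minute))
		fmt.Printf("login from %-13s err=%v\n", loc, err)
	}
	fmt.Println("suspected shared ids:", m.SuspectedShared(3))
}
```

Deny mode keeps the first session and refuses the rest, which is what a shared id's users notice immediately; revoke mode lets the newest login win, so sharing shows up only in the audit records. Either way the records, not the policy, are what documents the practice.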


Posted by Moe Trin on November 29, 2006, 2:47 pm
On 29 Nov 2006, in the Usenet newsgroup alt.computer.security, in article

>I'm looking for a best practices paper on online user authentication.
>Currently one of our systems allows people to share a user id and
>password and to login with that id at the same time in multiple
>locations. I believe that is a poor security practice.

No kidding.

>Are there any papers that discuss this situation and why it may or may
>not be good practice. I'm creating a paper for the company I work with
>and would like documentation to support my findings.

No indication of what operating system - possibly windoze. Might seem
off topic to you, but try http://www.ora.com/. The book you are looking
for is "Practical UNIX and Internet Security, Third Edition" Feb 2003
US$54.95 ISBN 0-596-00323-4, 984 pages. While it's aimed at the four
most popular Unix variants, the fundamentals are certainly applicable to
your specific problem. You may even find the book in your library,
and you can read snippets on line at the O'Reilly site.

Old guy

Posted by Michael P. on November 29, 2006, 3:13 pm

Moe Trin wrote:
> On 29 Nov 2006, in the Usenet newsgroup alt.computer.security, in article
>
> >I'm looking for a best practices paper on online user authentication.
> >Currently one of our systems allows people to share a user id and
> >password and to login with that id at the same time in multiple
> >locations. I believe that is a poor security practice.
>
> No kidding.
>
> >Are there any papers that discuss this situation and why it may or may
> >not be good practice. I'm creating a paper for the company I work with
> >and would like documentation to support my findings.
>
> No indication of what operating system - possibly windoze. Might seem
> off topic to you, but try http://www.ora.com/. The book you are looking
> for is "Practical UNIX and Internet Security, Third Edition" Feb 2003
> US$54.95 ISBN 0-596-00323-4, 984 pages. While it's aimed at the four
> most popular Unix variants, the fundamentals are certainly applicable to
> your specific problem. You may even find the book in your library,
> and you can read snippets on line at the O'Reilly site.
>
> Old guy

Thanks, I will take a look at it. The problem is more a general
problem than one specific to any one technology.

Michael


Posted by Anne & Lynn Wheeler on November 29, 2006, 3:08 pm

> I'm looking for a best practices paper on online user authentication.
> Currently one of our systems allows people to share a user id and
> password and to login with that id at the same time in multiple
> locations. I believe that is a poor security practice. Are there any
> papers that discuss this situation and why it may or may not be good
> practice. I'm creating a paper for the company I work with and would
> like documentation to support my findings.


the basic premise in "shared secret" authentication ... is to have
unique "shared secrets" for unique security domains (countermeasure
for individuals in one security domain attacking another ... i.e.
local garage ISP attacking your place of work or financial
institution).
http://www.garlic.com/~lynn/subintegrity.html#secret

there are trade-off issues involving multiple systems within the same
security domain.

the unique "shared secret" guidelines have resulted in individuals
having to deal with large scores of unique "shared secrets" and
finding it impossible to remember them all. this is further aggravated
by guidelines for "impossible to guess" shared secrets ... which are
also impossible to remember. the whole issue may become further
obfuscated when each system sort of makes believe that they are the
only one in existence ... and therefore the end-user is only dealing
with the one and only password that they require.

so the trade-off involving multiple systems within a single security
domain ... is that a single password compromise can compromise all
systems ... against having large number of different passwords
resulting in the end-user having to write down every one (as an aid to
all the impossible to remember stuff). an attacker getting the written
copy of all passwords can also compromise all systems ... so is a
single password less vulnerable than multiple different passwords (all
recorded in the same place)?

some of the single-sign-on scenarios allow the individual to
authenticate once to the authentication service ... and then the
authentication service provides the credentials for all the actual
system connections and authorizations.

one such common facility that is fairly widely deployed is kerberos
originally developed at mit's project athena. there is even a kerberos
specification (pk-init) for allowing for authentication via
verification of digital signature.
http://www.garlic.com/~lynn/subpubkey.html#kerboros

the original pk-init called for just substituting registration of
public key for registration of password ... and then using the registered
public key for verifying any digital signature (w/o requiring any PKI
or digital certificates)
http://www.garlic.com/~lynn/subpubkey.html#certless

later, PKI-mode of operation was added to the pk-init standards
document. my oft repeated comment is that in such environments, the
digital certificates are mostly redundant and superfluous. for whole
lot of reasons (like privacy, security, etc), such digital
certificates tend to only carry information regarding what is
associated with the digital signature being verified ... still
requiring system to lookup in some sort of repository the permissions
and other characteristics. in all such situations, having to make a
repository lookup implies that the registered public key can be
carried in the same repository. if the registered public key can be
carried as part of a repository lookup that is being performed anyway
... the whole PKI and digital certificate distribution infrastructure
is therefore redundant and superfluous.

of course, the alternative is to avoid a repository lookup and
everybody with any kind of acceptable digital certificate is allowed
all possible permissions and privileges.

for other drift ... note that digital signature verification is also a
countermeasure to "replay attacks" typical of "shared secret" based
paradigms ... i.e. eavesdropping the shared secret allows the attacker to
replay it. typical digital signature verification operations have the
system presenting some random data to be digitally signed (as a
countermeasure to static data replay attacks).
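
The replay point and the certless registration scheme in the post above, as an added example that is not part of the original post: a Go sketch comparing a shared-secret login, where an eavesdropped password works every time it is presented, with challenge/response against a registered public key, where the server keeps that key in the same account record it already has to look up for permissions, issues random data, and accepts each signed challenge exactly once. Assumptions: ed25519 stands in for whatever signature algorithm a deployment registers; the PasswordStore and Server types, the user "alice" and the password are constructed for the demonstration and are not from Kerberos, pk-init or any other real implementation.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// PasswordStore is a minimal shared-secret verifier (hypothetical). Whatever
// a client sends is the whole credential, so anything eavesdropped replays.
type PasswordStore struct{ secrets map[string]string }

func (p *PasswordStore) Login(user, password string) bool {
	want, ok := p.secrets[user]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(password)) == 1
}

// Account is what the repository lookup returns anyway (permissions). The
// registered public key rides along in the same record, so no certificate is
// needed to carry it to the verifier.
type Account struct {
	PublicKey   ed25519.PublicKey
	Permissions []string
}

// Server is a hypothetical certless challenge/response verifier.
type Server struct {
	accounts map[string]Account
	pending  map[string][]byte // one outstanding challenge per user id
}

func NewServer() *Server {
	return &Server{accounts: map[string]Account{}, pending: map[string][]byte{}}
}

// Register stores a public key where a password would otherwise be registered.
func (s *Server) Register(user string, pub ed25519.PublicKey, perms []string) {
	s.accounts[user] = Account{PublicKey: pub, Permissions: perms}
}

// Challenge issues fresh random data that the client must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.accounts[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding challenge against the
// registered key and returns the permissions from the same record. The
// challenge is consumed before the signature check, so a captured
// (nonce, signature) pair cannot be presented a second time.
func (s *Server) Verify(user string, nonce, sig []byte) ([]string, error) {
	acct, ok := s.accounts[user]
	if !ok {
		return nil, errors.New("unknown user")
	}
	expected, ok := s.pending[user]
	if !ok || !bytes.Equal(expected, nonce) {
		return nil, errors.New("no outstanding challenge matches (stale or replayed)")
	}
	delete(s.pending, user) // single use: consumed even if the signature turns out bad
	if !ed25519.Verify(acct.PublicKey, nonce, sig) {
		return nil, errors.New("signature does not verify under the registered key")
	}
	return acct.Permissions, nil
}

func main() {
	// Shared secret: the eavesdropped password works every time.
	pw := &PasswordStore{secrets: map[string]string{"alice": "hunter2"}}
	captured := "hunter2"
	fmt.Println("password replay #1:", pw.Login("alice", captured))
	fmt.Println("password replay #2:", pw.Login("alice", captured))

	// Public key: the eavesdropped signature is good for exactly one challenge.
	pub, priv, _ := ed25519.GenerateKey(nil)
	srv := NewServer()
	srv.Register("alice", pub, []string{"read", "write"})
	nonce, _ := srv.Challenge("alice")
	sig := ed25519.Sign(priv, nonce)
	perms, err := srv.Verify("alice", nonce, sig)
	fmt.Println("signature #1:", perms, err)
	_, err = srv.Verify("alice", nonce, sig)
	fmt.Println("signature replay #2:", err)
}
```

The repository lookup in Verify is the one the post says has to happen anyway: permissions come out of the same record as the key, and nothing in the exchange needs a certificate or a CA.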



Posted by Anne & Lynn Wheeler on December 4, 2006, 9:36 am
> the basic premise in "shared secret" authentication ... is to have
> unique "shared secrets" for unique security domains (countermeasure
> for individuals in one security domain attacking another ... i.e.
> local garage ISP attacking your place of work or financial
> institution).
> http://www.garlic.com/~lynn/subintegrity.html#secret

re:
http://www.garlic.com/~lynn/2006v.html#29 User Authentication

news article from today:

UN agency warns of online security risks
http://news.ninemsn.com.au/article.aspx?id=168199

from above:

Computer users who type in the same username and password for multiple
sites - such as online banks, travel agencies and booksellers - are at
serious risk from identity thieves, a United Nations agency said.

... snip ...
