
October 24, 2007

Nothing is Bulletproof

Blogger: Mark Diodati

Tim Renshaw is a VP at TriCipher, and he has a blog over at http://eyedentityonline.com.  TriCipher is a consumer authentication company; its technology provides mobile PKI in various forms, and provides additional security by splitting the private key.  He had a post about my two-part interview with Jeff Gould at eWeek (the second part of the interview is here, and Tim’s blog entry is here).  Basically, he says I don’t know what I am talking about.  How can I resist a reply?

One fact that I have stated continually over the years is that no mainstream authentication method (consumer or enterprise) is bulletproof.  Even the PKI solution Tim touts is problematic, and I don't agree with his assessment that it will solve the consumer authentication problem.  It's clear from talking to the world's largest financial institutions that most FIs are not prepared to deploy a full-blown client and/or hardware solution - U.S. consumers don't want them (note: the recent VeriSign/eBay announcement is not a bellwether for general consumer usage), and the FIs are unprepared for the onslaught of help desk calls.  But, let's assume for the sake of argument that FIs could deploy smart cards on a large scale.

Smart cards offer a highly tamper-resistant storage mechanism for private keys.  Most people would agree that smart cards are the most mainstream secure storage mechanism for private keys (after all, the deployment of HSMs to end users is impractical, right?).  I like the technology for the right use cases, and I think it is perhaps the best authenticator available from a security perspective (provided, as with any authentication technology, that the identity proofing is done correctly).  But even smart cards are subject to attack.  Let's say that the client middleware is configured to authenticate the user once via PIN (or biometric), then allow continual access to the private key for the rest of the session.  Malware on the user's machine can then send data down to the smart card for signing by the private key, and the user would never know.  Let's kick it up a notch: make the user enter the PIN every time a signing function is required (ignoring the usability implications).  Malware could still send the card data for signature that is different from what the user believes he or she is signing, because the card signs whatever bytes it is handed.
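To make the two middleware scenarios concrete, here is a small stdlib-only Python model added for this page; it is not code from the post, from TriCipher or from any card vendor. An HMAC key stands in for the card's private key, the documents and PIN are constructed, and the `trusted_display` policy is an assumed mitigation (a PIN pad that shows the document digest and a card that refuses to sign anything else), not something the post describes.

```python
# Added illustration: how PIN-caching and PIN-per-operation middleware policies
# fail to bind a signature to what the user saw, and how a trusted-display
# check closes that gap. HMAC stands in for the private key; values are constructed.
import hashlib
import hmac

CARD_KEY = b"stand-in-for-private-key"   # never leaves the card object
USER_PIN = "1234"                         # constructed example PIN

class SmartCard:
    def __init__(self, policy):
        self.policy = policy   # "cache_pin", "pin_per_op" or "trusted_display"
        self.unlocked = False
        self.confirmed_digest = None

    def verify_pin(self, pin, digest_on_trusted_display=None):
        """PIN entry. Under trusted_display the PIN pad also shows the document
        digest, so the card learns exactly what the user approved."""
        self.unlocked = hmac.compare_digest(pin, USER_PIN)
        self.confirmed_digest = digest_on_trusted_display if self.unlocked else None
        return self.unlocked

    def sign(self, data):
        """Returns a signature, or None if the card refuses."""
        if not self.unlocked:
            return None
        if self.policy != "cache_pin":
            self.unlocked = False   # next signature needs a fresh PIN entry
        if self.policy == "trusted_display" and \
                hashlib.sha256(data).digest() != self.confirmed_digest:
            return None             # bytes differ from what the user approved
        return hmac.new(CARD_KEY, data, hashlib.sha256).digest()

def session(policy, requests):
    """requests: (shown, sent, user_enters_pin) tuples: what the host displays,
    what it sends to the card, and whether the user types the PIN this time.
    Returns how many signatures were produced over bytes the user never saw."""
    card = SmartCard(policy)
    unseen_signatures = 0
    for shown, sent, enters_pin in requests:
        if enters_pin:   # the user approves what the host displayed
            card.verify_pin(USER_PIN, hashlib.sha256(shown).digest())
        if card.sign(sent) is not None and sent != shown:
            unseen_signatures += 1
    return unseen_signatures

# Constructed scenario: one legitimate signature, then a silent request with
# no PIN prompt, then a document swapped while the user is typing the PIN.
SCENARIO = [
    (b"pay rent 900", b"pay rent 900", True),
    (b"pay rent 900", b"pay 9000 to mule", False),
    (b"renew card", b"add mule as payee", True),
]
```

Running `session` over `SCENARIO` gives 2 unseen signatures with PIN caching, 1 with a PIN per operation, and 0 only when the card checks the digest the user confirmed.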

Software-based PKI solutions overcome some of the smart card deployment concerns, but they are not as secure as smart cards and are subject to similar attacks as the one Tim specifies for typing biometrics.

Another fact that I have stated over the years is that authentication solutions must be layered to provide the level of identity assurance the application requires.  This is why you are seeing the FIs overlay risk analytic engines on top of primary authentication mechanisms.  No one technology will do the trick.  I’m not summarily dismissing either the typing biometric or PKI technologies.  To suggest, however, that PKI will solve the consumer authentication problem is disingenuous.


Comments

Blackboxes can only work between machines.

If you are involving a human being then their intellect must be involved. You can't simply give them a black box and a pin number that they introduce to another black box and let that be the end of the story. It would be cheaper and just as effective to require the user to cast a spell beforehand in order to assure secured access.

Anyone who thinks humans can authenticate/be authenticated via PKI is delusional. Of course a few humans are up to the task, but these are mathematician/computer scientists able to sustain a continued level of diligence comparable to believing one's life is at stake at every step (and this still requires working with the raw data rather than black boxes).

PKI is not for mortals.

Unfortunately, that doesn't stop it being excellent marketing guff to pull the wool over the eyes of the credulous.

"It would take a thousand years for the world's combined CPUs to crack this"

That is a maths problem, not a secured system.

Mark, thanks for carrying on this discussion as I believe it is an important one and contrary to my apparent tone, I do think you know what you are talking about. My frustration continues to be with the industry thought processes at large regarding secure authentication challenges as being too little, too weak and failing the customer.

I certainly agree that PKI is not a silver bullet for the authentication problem and that a multi-layered approach is necessary. I've addressed this at length in various posts covering:
* Fraud detection: http://eyedentityonline.com/archives/16
* Transaction authentication: http://eyedentityonline.com/archives/13
* Malware attack: http://eyedentityonline.com/archives/16

There are indeed a variety of attack surfaces at the client to compromise not only PKI (smartcard or not), but also biometrics. Once and for all, let's all agree that we all agree there is no single hit, silver bullet solution. There are just a group of solutions that do different things along three primary axes: ease of use, cost and security. These three axes impact two primary communities: End-users and service / application providers. My main pain point is that not enough is being done to address the end-user's security problems because of what I believe is a complete misperception and deeply held misperception and nearly religious industry tenet: users can't / won't deal with anything involving additional software download or hardware. This point is probably the only thing that you and I really disagree about on this entire topic.

We agree that:
* There is no silver bullet solution.
* that "the only way to be totally protected against man-in-the-middle attacks is to use digital certificates or public key encryption" (Mark Diodati in referenced eWeek article).
* Multi-layered approaches are necessary.
* Smartcard deployments in the U.S. are dead on arrival for consumer adoption.
* Traditional PKI is hard for users, IT departments, security practitioners and on top of that, very costly.

We mostly agree that:
* U.S. FIs are not yet prepared to deploy client or hardware solutions. I can't completely agree with this as several have and continue to deploy several solutions that fall into this category, including TriCipher's, but certainly the numbers are not overwhelming.

We don't agree that:
* "U.S. consumers don't want" client or hardware solutions. Consumers have no problem downloading software that provides them value and do so by the thousands every day. While many will completely dismiss Javelin's Consumer Online Banking Study because TriCipher helped sponsor it, even I was surprised that 62% of consumers said they would be likely to download software for improved security from their bank. I was thinking it might be, say, 50%, but the findings were borne out given that 69% of the study participants actually did download and use the software in conjunction with the web study. How much higher would that number have been if it was offered through their bank site? The number 1 and 2 most popular downloaded items at c/net's download.com site are security related: anti-virus and anti-spyware. It cannot be argued that users are not actively looking for and open to security solutions to use on their devices.

I merely agree with you that PKI is a solid, strong solution for authentication and beyond (signing, encryption, etc.). Consequently, PKI-based solutions should be more closely studied as part of the overall security solution space for authentication protecting against phishing, man-in-the-middle, man-in-the-browser and a wide variety of, but not all, malware. The main problem with PKI has always been in the implementation of getting keys to the user and managing them from there. "Pitch Alert": This is what TriCipher has solved. Anyone that understands using an ATM card and a PIN without understanding Triple-DES, can get and use PKI properly architected and deployed in a practical manner. We even make it so that what the user wishes to use as their "ATM Card" is flexible and can even be left up to them, so they don't have to be issued any purpose built hardware. Me, I use my MP3 player of choice as my 2nd factor. What would you use?

Time to move past mere "reassure the customer", "feel good" solutions and move to something providing actual security and protections. I hope that clears things up a bit. Mark, we should put together a panel or roundtable on the topic of what consumers will and won't put up with to get real security in their online lives.

Well yes, touting PKI as the solution to consumer authentication is indeed disingenuous. So what else is new? Everyone that has an "authentication solution" says the same thing, don't you think?

It's difficult separating out the marketing hype when there's so much of it.

Hi Tim,

Many thanks for your thoughtful, insightful, and articulate reply to my blog entry. I agree that this is an important topic and the discourse we are having is a positive thing. To that end, I am posting this comment on both the Burton Group Identity Blog and your blog.

The Javelin user acceptance study is encouraging. The security of consumer authentication would be raised materially if a client were in play. Clientless device identification – while valuable – is readily impersonated. With a client, there can be some cryptographic ‘meat on the bone’ to provide a stronger device ID. Obviously, the security quality of the consumer’s primary authentication would be improved as well.

While software acceptance by consumers is a good thing, I have residual concerns. Will customers tolerate multiple client packages, with the potential for software conflicts or performance issues? This issue is the software analogue of the OTP “token necklace” many of us like to talk about. This is a different use case than deploying a single anti-virus package. To be fair, the customer may get lucky because all of the customer’s FIs may use the same client. Also, as you point out, user acceptance is only one-half of the recipe. FIs must be willing to deploy and support client software, and probably for multiple operating systems (not just Windows).

I agree that we should continue this discourse on the challenges of consumer authentication. I am not sure of the best medium, but I commit to giving it some thought (and I am open to suggestions). Additionally, the Burton Group IdPS team is in the process of defining our 2008 focus areas, and it will certainly include consumer authentication. We’ll wrap up our planning mid-November. Perhaps we can take the roundtable idea to the next Burton Group Catalyst conference, which will enable a healthy percentage of customers to interactively collaborate with us on the topic.

For the record, I think that TriCipher has some interesting and unique technology in its portfolio, and I have called this out in our research work. The split key technology and variable client footprint options provide good security and mobility features. I like the way that TriCipher does mobile PKI in conjunction with one-time password devices. The use of the private key is tightly coupled to the OTP authentication, more so than in any other product I am aware of. It’s also nice that the product transparently supports a mix of vendor OTPs; this capability introduces cost-saving OTP migration options.

As always, I look forward to reading your blog and our additional discussions.

Sincerely,

Mark

Mark:

Your points on the failure of the current authentication solutions are very salient. All of the current solutions for authentication, including the pure PKI solutions, are vulnerable for reasons you discuss and one key one you do not.

That is deployability.

In the case of the PKI solutions, because the issue of getting the correct private/public key pair into the hands of the appropriate user has been such a nightmare, pragmatic deployment choices have historically been made which are filled with frightening security flaws (e.g. userID/password private key registration methods).

Having designed, with a team of crypto, application and network experts, our own authentication solution from scratch - I am biased.

But let me proceed.

The issue with the stated solutions you detail is their inability to draw on other, off-the-shelf methodologies and integrate these technologies in a holistic authentication solution.

In the solution the team and I designed, we utilize:

- Private key signing of message hashes for non-phishability (e.g., identify and mitigate MITM attacks)
- Out-of-band registration (SMS and telephony one-time passwords) for initialization
- JavaScript keypads to fight key-loggers
- WSE 3.0 web services for deployability of certificate authorities
- Direct connection to existing datastores, to fight identity "ghost" and replication issues
- Direct integration into leading SSO mechanisms, for sessioning (authentication solutions should NOT try to do SSO - just a personal belief, borne out in my days of installing over 100 SSO solutions w/ Netegrity)

All the best, glad to show you directly.

----
Garret Grajek, CISSP
MultiFactor Corporation
Chief Operating Officer
office: 949.777.6970
mobile: 714.658.0765
ggrajek@multifa.com
www.multifa.com
