User Authentication

Michael P.
11-29-2006
I'm looking for a best practices paper on online user authentication.
Currently one of our systems allows people to share a user id and
password and to login with that id at the same time in multiple
locations. I believe that is a poor security practice. Are there any
papers that discuss this situation and why it may or may not be good
practice? I'm creating a paper for the company I work with and would
like documentation to support my findings.

Thank You

Moe Trin
11-29-2006
On 29 Nov 2006, in the Usenet newsgroup alt.computer.security, in article
<(E-Mail Removed) .com>, Michael P. wrote:

>I'm looking for a best practices paper on online user authentication.
>Currently one of our systems allows people to share a user id and
>password and to login with that id at the same time in multiple
>locations. I believe that is a poor security practice.


No kidding.

>Are there any papers that discuss this situation and why it may or may
>not be good practice. I'm creating a paper for the company I work with
>and would like documentation to support my findings.


No indication of what operating system - possibly windoze. Might seem
off topic to you, but try http://www.ora.com/. The book you are looking
for is "Practical UNIX and Internet Security, Third Edition" Feb 2003
US$54.95 ISBN 0-596-00323-4, 984 pages. While it's aimed at the four
most popular Unix variants, the fundamentals are certainly applicable to
your specific problem. You may even find the book in your library,
and you can read snippets online at the O'Reilly site.

Old guy
Anne & Lynn Wheeler
11-29-2006

"Michael P." <(E-Mail Removed)> writes:
> I'm looking for a best practices paper on online user authentication.
> Currently one of our systems allows people to share a user id and
> password and to login with that id at the same time in multiple
> locations. I believe that is a poor security practice. Are there any
> papers that discuss this situation and why it may or may not be good
> practice. I'm creating a paper for the company I work with and would
> like documentation to support my findings.



the basic premise in "shared secret" authentication ... is to have
unique "shared secrets" for unique security domains (countermeasure
for individuals in one security domain attacking another ... i.e.
local garage ISP attacking your place of work or financial
institution).
http://www.garlic.com/~lynn/subintegrity.html#secret

there is trade-off issues involving multiple systems within same
security domain.

the unique "shared secret" guidelines have resulted in individuals
having to deal with large scores of unique "shared secrets" and
finding it impossible to remember them all. this is further aggravated
by guidelines for "impossible to guess" shared secrets ... which are
also impossible to remember. the whole issue may become further
obfuscated when each system sort of makes believe that they are the
only one in existence ... and therefore the end-user is only dealing
with the one and only password that they require.

so the trade-off involving multiple systems within a single security
domain ... is that a single password compromise can compromise all
systems ... against having large number of different passwords
resulting in the end-user having to write down every one (as an aid to
all the impossible to remember stuff). an attacker getting the written
copy of all passwords can also compromise all systems ... so is a
single password less vulnerable than multiple different passwords (all
recorded in the same place)?

some of the single-sign-on scenarios allow the individual to
authenticate once to the authentication service ... and then the
authentication service provides the credentials for all the actual
system connections and authorizations.

one such common facility that is fairly widely deployed is kerberos
originally developed at mit's project athena. there is even a kerberos
specification (pk-init) for allowing for authentication via
verification of digital signature.
http://www.garlic.com/~lynn/subpubkey.html#kerboros

the original pk-init called for just substituting registration of
public key for registration of password ... and then using the registered
public key for verifying any digital signature (w/o requiring any PKI
or digital certificates)
http://www.garlic.com/~lynn/subpubkey.html#certless

later, PKI-mode of operation was added to the pk-init standards
document. my oft repeated comment is that in such environments, the
digital certificates are mostly redundant and superfluous. for a whole
lot of reasons (like privacy, security, etc), such digital
certificates tend to only carry information regarding what is
associated with the digital signature being verified ... still
requiring the system to lookup in some sort of repository the permissions
and other characteristics. in all such situations, having to make a
repository lookup implies that the registered public key can be
carried in the same repository. if the registered public key can be
carried as part of a repository lookup that is being performed anyway
... the whole PKI and digital certificate distribution infrastructure
is therefore redundant and superfluous.

of course, the alternative is to avoid a repository lookup and
everybody with any kind of acceptable digital certificate is allowed
all possible permissions and privileges.

for other drift ... note that digital signature verification is also a
countermeasure to "replay attacks" typical of "shared secret" based
paradigms ... i.e. eavesdropping the shared secret allows an attacker to
replay it. typical digital signature verification operations have the
system presenting some random data to be digitally signed (as a
countermeasure to static data replay attacks).


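An added illustration, not code from the post or from Kerberos/pk-init, of the certificate-less scheme the post describes: the user registers a public key in place of a password, the server presents random data to be signed, and a signature captured by an eavesdropper cannot be replayed against a fresh challenge. The RSA parameters are constructed toy values (far too small for real use), and the `Server` class and message layout are assumptions.

```python
import hashlib
import secrets

# Constructed toy RSA parameters: illustrative only, not a usable key size.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)    # registered with the service instead of a password
PRIVATE_KEY = (N, D)   # never leaves the user

def _digest(data: bytes) -> int:
    # Hash the message and reduce into the RSA modulus (toy-sized here).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(_digest(data), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(data)

class Server:
    """Authentication service: registered public keys, no certificates."""
    def __init__(self):
        self.registry = {}   # user id -> public key (the repository lookup)
        self.pending = {}    # user id -> outstanding random challenge

    def register(self, user: str, public_key) -> None:
        self.registry[user] = public_key

    def challenge(self, user: str) -> bytes:
        # Fresh random data per login attempt is what defeats replay.
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, signature: int) -> bool:
        nonce = self.pending.pop(user, None)   # single use, then discarded
        if nonce is None or user not in self.registry:
            return False
        message = b"login:" + user.encode() + nonce
        return verify(self.registry[user], message, signature)

def demo():
    """Returns (genuine login result, replayed-signature result)."""
    server = Server()
    server.register("alice", PUBLIC_KEY)
    nonce = server.challenge("alice")
    sig = sign(PRIVATE_KEY, b"login:alice" + nonce)
    first = server.login("alice", sig)
    server.challenge("alice")              # eavesdropper gets a new nonce
    return first, server.login("alice", sig)   # captured sig no longer fits
```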
Michael P.
11-29-2006

Moe Trin wrote:
> On 29 Nov 2006, in the Usenet newsgroup alt.computer.security, in article
> <(E-Mail Removed) .com>, Michael P. wrote:
>
> >I'm looking for a best practices paper on online user authentication.
> >Currently one of our systems allows people to share a user id and
> >password and to login with that id at the same time in multiple
> >locations. I believe that is a poor security practice.

>
> No kidding.
>
> >Are there any papers that discuss this situation and why it may or may
> >not be good practice. I'm creating a paper for the company I work with
> >and would like documentation to support my findings.

>
> No indication of what operating system - possibly windoze. Might seem
> off topic to you, but try http://www.ora.com/. The book you are looking
> for is "Practical UNIX and Internet Security, Third Edition" Feb 2003
> US$54.95 ISBN 0-596-00323-4, 984 pages. While it's aimed at the four
> most popular Unix variants, the fundamentals are certainly applicable to
> your specific problem. You may even find the book in your library,
> and you can read snippets on line at the O'Reilly site.
>
> Old guy


Thanks, I will take a look at it. The problem is more of a general
problem than specific to any one technology.

Michael

Anne & Lynn Wheeler
12-04-2006
Anne & Lynn Wheeler <(E-Mail Removed)> writes:
> the basic premise in "shared secret" authentication ... is to have
> unique "shared secrets" for unique security domains (countermeasure
> for individuals in one security domain attacking another ... i.e.
> local garage ISP attacking your place of work or financial
> institution).
> http://www.garlic.com/~lynn/subintegrity.html#secret


re:
http:/www.garlic.com/~lynn/2006v.html#29 User Authentication

news article from today:

UN agency warns of online security risks
http://news.ninemsn.com.au/article.aspx?id=168199

from above:

Computer users who type in the same username and password for multiple
sites - such as online banks, travel agencies and booksellers - are at
serious risk from identity thieves, a United Nations agency said.

... snip ...
takis
12-06-2006
I feel one of the best protocols to authenticate the users of a network
against distributed network services is Kerberos 5. A tutorial about it
is available at http://www.zeroshell.net/eng/kerberos/

Regards

