User Authentication

Discussion in 'Computer Security' started by Michael P., Nov 29, 2006.

  1. Michael P.

    Michael P. Guest

    I'm looking for a best practices paper on online user authentication.
    Currently one of our systems allows people to share a user id and
    password and to login with that id at the same time in multiple
    locations. I believe that is a poor security practice. Are there any
    papers that discuss this situation and why it may or may not be good
    practice. I'm creating a paper for the company I work with and would
    like documentation to support my findings.

    Thank You
    Michael P., Nov 29, 2006
    #1

  2. Moe Trin

    Moe Trin Guest

    On 29 Nov 2006, in the Usenet newsgroup alt.computer.security, in article
    <>, Michael P. wrote:

    >I'm looking for a best practices paper on online user authentication.
    >Currently one of our systems allows people to share a user id and
    >password and to login with that id at the same time in multiple
    >locations. I believe that is a poor security practice.


    No kidding.

    >Are there any papers that discuss this situation and why it may or may
    >not be good practice. I'm creating a paper for the company I work with
    >and would like documentation to support my findings.


    No indication of what operating system - possibly windoze. Might seem
    off topic to you, but try http://www.ora.com/. The book you are looking
    for is "Practical UNIX and Internet Security, Third Edition" Feb 2003
    US$54.95 ISBN 0-596-00323-4, 984 pages. While it's aimed at the four
    most popular Unix variants, the fundamentals are certainly applicable to
    your specific problem. You may even find the book in your library,
    and you can read snippets on line at the O'Reilly site.

    Old guy
    Moe Trin, Nov 29, 2006
    #2

  3. "Michael P." <> writes:
    > I'm looking for a best practices paper on online user authentication.
    > Currently one of our systems allows people to share a user id and
    > password and to login with that id at the same time in multiple
    > locations. I believe that is a poor security practice. Are there any
    > papers that discuss this situation and why it may or may not be good
    > practice. I'm creating a paper for the company I work with and would
    > like documentation to support my findings.



    the basic premise in "shared secret" authentication ... is to have
    unique "shared secrets" for unique security domains (countermeasure
    for individuals in one security domain attacking another ... i.e.
    local garage ISP attacking your place of work or financial
    institution).
    http://www.garlic.com/~lynn/subintegrity.html#secret

    there is trade-off issues involving multiple systems within same
    security domain.

    the unique "shared secret" guidelines have resulted in individuals
    having to deal with large scores of unique "shared secrets" and
    finding it impossible to remember them all. this is further aggravated
    by guidelines for "impossible to guess" shared secrets ... which are
    also impossible to remember. the whole issue may become further
    obfuscated when each system sort of makes believe that they are the
    only one in existence ... and therefore the end-user is only dealing
    with the one and only password that they require.

    so the trade-off involving multiple systems within a single security
    domain ... is that a single password compromise can compromise all
    systems ... against having large number of different passwords
    resulting in the end-user having to write down every one (as an aid to
    all the impossible to remember stuff). an attacker getting the written
    copy of all passwords can also compromise all systems ... so is a
    single password less vulnerable than multiple different passwords (all
    recorded in the same place)?

    some of the single-sign-on scenarios allow the individual to
    authenticate once to the authentication service ... and then the
    authentication service provides the credentials for all the actual
    system connections and authorizations.

    one such common facility that is fairly widely deployed is kerberos
    originally developed at mit's project athena. there is even a kerberos
    specification (pk-init) for allowing for authentication via
    verification of digital signature.
    http://www.garlic.com/~lynn/subpubkey.html#kerboros

    the original pk-init called for just substituting registration of
    public key for registration of password ... and then using the registered
    public key for verifying any digital signature (w/o requiring any PKI
    or digital certificates)
    http://www.garlic.com/~lynn/subpubkey.html#certless

    later, PKI-mode of operation was added to the pk-init standards
    document. my oft repeated comment is that in such environments, the
    digital certificates are mostly redundant and superfluous. for whole
    lot of reasons (like privacy, security, etc), such digital
    certificates tend to only carry information regarding what is
    associated with the digital signature being verified ... still
    requiring system to lookup in some sort of repository the permissions
    and other characteristics. in all such situations, having to make a
    repository lookup implies that the registered public key can be
    carried in the same repository. if the registered public key can be
    carried as part of a repository lookup that is being performed anyway
    .... the whole PKI and digital certificate distribution infrastructure
    is therefore redundant and superfluous.

    of course, the alternative is to avoid a repository lookup and
    everybody with any kind of acceptable digital certificate is allowed
    all possible permissions and privileges.

    for other drift ... note that digital signature verification is also a
    countermeasure to "replay attacks" typical of "shared secret" based
    paradigms ... i.e. eavesdropping the shared secret allows the attacker
    to replay it. a typical digital signature verification operation has
    the system presenting some random data to be digitally signed (as a
    countermeasure to static data replay attacks).
    Anne & Lynn Wheeler, Nov 29, 2006
    #3
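    The challenge/response flow described in the post above (server registers a
    public key in the same repository it already consults for permissions, then
    presents random data to be signed), as an added example that is not part of
    the original thread and not the pk-init protocol itself. It uses Go's
    standard-library Ed25519 so it runs offline; the user id, the fixed demo
    seed and the Registry type are constructed for illustration. It contrasts a
    static shared secret, which an eavesdropper can replay verbatim, with a
    single-use signed challenge, where a captured (challenge, signature) pair is
    rejected on the second attempt.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Registry models the server-side repository the post describes: the registered
// public key lives in the same record the server must look up anyway for
// permissions, so no certificate is needed to bind key to account.
type Registry struct {
	accounts map[string]ed25519.PublicKey
	issued   map[string][]byte // outstanding single-use challenge per user
}

func NewRegistry() *Registry {
	return &Registry{accounts: map[string]ed25519.PublicKey{}, issued: map[string][]byte{}}
}

// Register stores a public key against a user id, in place of a password.
func (r *Registry) Register(user string, pub ed25519.PublicKey) {
	r.accounts[user] = pub
}

// Challenge issues fresh random data for the client to sign. Each challenge is
// remembered until it is consumed by Verify, so it can be used at most once.
func (r *Registry) Challenge(user string) ([]byte, error) {
	if _, ok := r.accounts[user]; !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	r.issued[user] = c
	return c, nil
}

// Verify accepts only a signature over the currently outstanding challenge and
// then discards that challenge, which is what defeats replay of a captured pair.
func (r *Registry) Verify(user string, challenge, sig []byte) bool {
	pub, ok := r.accounts[user]
	if !ok {
		return false
	}
	want, ok := r.issued[user]
	if !ok || !bytes.Equal(want, challenge) {
		return false
	}
	delete(r.issued, user)
	return ed25519.Verify(pub, challenge, sig)
}

// SharedSecretLogin is the static-secret baseline: the same bytes are presented
// on every login, so whoever eavesdrops them can present them again.
func SharedSecretLogin(stored, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1
}

// RunScenario performs one legitimate login and then replays the captured
// (challenge, signature) pair after the server has issued a new challenge.
func RunScenario() (firstOK, replayOK bool, err error) {
	seed := make([]byte, ed25519.SeedSize) // constructed fixed seed, demo only
	for i := range seed {
		seed[i] = byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	reg := NewRegistry()
	reg.Register("michael", pub) // hypothetical user id

	chal, err := reg.Challenge("michael")
	if err != nil {
		return
	}
	sig := ed25519.Sign(priv, chal)
	firstOK = reg.Verify("michael", chal, sig)

	// Eavesdropper replays the captured pair against the next login attempt.
	if _, err = reg.Challenge("michael"); err != nil {
		return
	}
	replayOK = reg.Verify("michael", chal, sig)
	return
}

func main() {
	first, replay, err := RunScenario()
	fmt.Println("signed challenge: first login", first, "replay", replay, "err", err)
	fmt.Println("static password: first login", SharedSecretLogin("hunter2", "hunter2"),
		"replay", SharedSecretLogin("hunter2", "hunter2"))
}
```

    The point of the example is the `delete(r.issued, user)` in Verify: the
    server never accepts the same challenge twice, so the signature an attacker
    captured on the wire is worthless on the next connection, whereas the
    static password is accepted identically every time it is presented.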
  4. Michael P.

    Michael P. Guest

    Moe Trin wrote:
    > On 29 Nov 2006, in the Usenet newsgroup alt.computer.security, in article
    > <>, Michael P. wrote:
    >
    > >I'm looking for a best practices paper on online user authentication.
    > >Currently one of our systems allows people to share a user id and
    > >password and to login with that id at the same time in multiple
    > >locations. I believe that is a poor security practice.

    >
    > No kidding.
    >
    > >Are there any papers that discuss this situation and why it may or may
    > >not be good practice. I'm creating a paper for the company I work with
    > >and would like documentation to support my findings.

    >
    > No indication of what operating system - possibly windoze. Might seem
    > off topic to you, but try http://www.ora.com/. The book you are looking
    > for is "Practical UNIX and Internet Security, Third Edition" Feb 2003
    > US$54.95 ISBN 0-596-00323-4, 984 pages. While it's aimed at the four
    > most popular Unix variants, the fundamentals are certainly applicable to
    > your specific problem. You may even find the book in your library,
    > and you can read snippets on line at the O'Reilly site.
    >
    > Old guy


    Thanks, I will take a look at it. The problem is more a general
    problem than one specific to any one technology.

    Michael
    Michael P., Nov 29, 2006
    #4
  5. Anne & Lynn Wheeler <> writes:
    > the basic premise in "shared secret" authentication ... is to have
    > unique "shared secrets" for unique security domains (countermeasure
    > for individuals in one security domain attacking another ... i.e.
    > local garage ISP attacking your place of work or financial
    > institution).
    > http://www.garlic.com/~lynn/subintegrity.html#secret


    re:
    http:/www.garlic.com/~lynn/2006v.html#29 User Authentication

    news article from today:

    UN agency warns of online security risks
    http://news.ninemsn.com.au/article.aspx?id=168199

    from above:

    Computer users who type in the same username and password for multiple
    sites - such as online banks, travel agencies and booksellers - are at
    serious risk from identity thieves, a United Nations agency said.

    .... snip ...
    Anne & Lynn Wheeler, Dec 4, 2006
    #5
  6. takis

    takis Guest

    I feel one of the best protocols to authenticate the users of a network
    against distributed network services is Kerberos 5. A tutorial about it
    is available at http://www.zeroshell.net/eng/kerberos/

    Regards
    takis, Dec 6, 2006
    #6