|
|
|
| Authored by: JamesK on Tuesday, September 04 2012 @ 01:08 PM EDT |
Security is a process. PKI, disk encryption, firewalls etc. are just tools to
implement that process. You can never rely on just one thing, if you really
need security.
---
The following program contains immature subject matter. Viewer discretion is
advised.[ Reply to This | Parent | # ]
|
| |
| Authored by: jesse on Tuesday, September 04 2012 @ 05:18 PM EDT |
I was doing some "proof-of-concept" using the Governments idea of PKI
(the CAC)...
Seemed to be ok... until I accidentally captured my PIN through a debugging
option.
Entering ANY PIN on a non-trusted device causes the CAC to fail by extension.
For any captured PIN, all that is necessary is to associate the corresponding
public key from the CAC. Then, whenever the CAC is inserted, the CAC can be used
at will - whether the person is there to enter the PIN or not. As far as the
card goes, the PIN would be viewed as entered by the owner... even if it is
presented by malware.
The resulting effect is the same as capturing any password.
Since the PIN is the password, the CAC provides no additional security - only a
little access control.
The problem with access control is obvious when you include things like
distributed filesystems and/or "cloud" functions (aka centralized
processing by any other name) - positive identification is useless. It is
useless because if it were actually enforced, you would have to resupply the PIN
for each access - and any time you access a distributed database, each node
would require you to authenticate.
And that defeats single sign on in the first place.
This has been known ever since about 1985-88 during the original development of
Kerberos.
Kerberos solves the problem by presenting limited credentials after
authenticating. The credentials are only good for gaining access credentials
(otherwise they are useless). The access credentials are limited by time. Where
I worked different systems would permit different credential lifetimes depending
on time of day, network path used for the connection, who you were identified
as, and how you were identified (choice of encryption methods).
One of the advantages of IPv6 NOT being published is that it is unnecessary for
network address translation used to window the limited IPv4 addresses. I say not
being published because one feature of Kerberos is that the initial
authentication should (and used to) include the users IP address used during the
authentication process. Use of the granted credential (with the embedded IP
address in the encrypted data)used to be useless from any other address. To work
around the NAT problems caused them to create "addressless"
credentials - which meant that they could now be used from any machine in the
world.
In fact, this WAS one of the attack vectors actively used.[ Reply to This | Parent | # ]
|
|
|
|
|
