[vpn] Re: Schneier's 'Weak Link' Observation (was Two Factor Authentication)

Rick Smith at Secure Computing rick_smith at securecomputing.com
Fri Apr 12 10:38:49 EDT 2002


At 01:46 PM 4/11/2002, Christopher Gripp wrote:

>Schneier often seems stuck on the concept of 'the weakest link' when discussing security issues.  It's a valid point, but he tends to focus on what I consider to be an elementary topic quite a bit.

One of the things I've found rather interesting about Schneier's security sensibilities is that they're heavily influenced by (or at least, they're heavily consistent with) NSA's security traditions. This includes the "weakest link" notion, which is founded in a concern with identifying the whole set of abstract risks. Despite this, the only NSA-related comments I've seen of his have been critical of the NSA. 

>The problem with policies and procedures is that they require COMPLIANCE to be effective and the bad guys don't usually COMPLY with the rules.

And it's impractical to train all good guys to be security wonks and understand *why* a breach of silly rules is a bad thing. In fact, sometimes the rules *are* silly and the company does better by breaking them than by complying with them.

>I don't believe there are ANY foolproof authentication mechanisms.  

Period.

>Unless there is a piece of information known only by one person, such as a PIN, and that person is willing to go to the grave vs. revealing it, then multiple factors of authentication are only slightly more difficult to subvert.

Unless a TV camera is watching the person type the PIN in. Or if the PIN travels over an unsecured wire, or if the crypto key protecting the PIN during transmission has been compromised, or if the PIN is stored in cleartext on the destination system, which is then compromised, or...

My favorite strong authentication device is a hard-to-duplicate token containing an internally generated public key pair and a built-in input device to pick up a second factor. Generally the second factor turns out to be a fingerprint reader, as with the Sony Puppy, and there are some PCMCIA cards that do a similar thing. They're not perfect, either, but they pose interesting challenges to an attacker.

Rick.
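The token Rick describes above, worked through as an added example (this is illustrative code written for this page, not anything from Rick Smith, Secure Computing, or any product named in the post). The token generates its own ed25519 key pair and never exports the private key; the verifier stores only public keys and issues a fresh single-use challenge per login; the second factor (a fingerprint template, simulated here as a byte string, which is an assumption of this example) is matched inside the token and never travels over the wire. The replay and wrong-factor paths show why a camera over the shoulder, a tapped link, or a dump of the server database gives an attacker less than a captured PIN would.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Token stands in for a hard-to-duplicate hardware token. The key pair is
// generated inside NewToken and the private key is never returned to the
// caller; the enrolled fingerprint template (simulated here as a byte
// string, an assumption of this example) is likewise held only by the token.
type Token struct {
	priv     ed25519.PrivateKey
	template []byte
}

// NewToken generates the key pair on the token and enrolls the second
// factor. Only the public key leaves the device.
func NewToken(template []byte) (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv, template: append([]byte(nil), template...)}, pub, nil
}

// Respond signs the verifier's challenge, but only after the second factor
// is presented to the token's own reader and matched locally. The factor is
// never transmitted, so a camera on the reader or a tap on the wire sees
// only a signature over a nonce that is about to be consumed.
func (t *Token) Respond(challenge, presented []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(t.template, presented) != 1 {
		return nil, errors.New("second factor rejected by token")
	}
	return ed25519.Sign(t.priv, challenge), nil
}

// Verifier is the server side. It stores public keys only, so a compromise
// of its database yields nothing that lets an attacker impersonate a user,
// unlike a table of cleartext PINs.
type Verifier struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte // user -> outstanding, unconsumed challenge
}

func NewVerifier() *Verifier {
	return &Verifier{
		users:      make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Enroll registers a user's token public key.
func (v *Verifier) Enroll(user string, pub ed25519.PublicKey) {
	v.users[user] = append(ed25519.PublicKey(nil), pub...)
}

// Challenge issues a fresh 32-byte random nonce for the user, replacing any
// earlier one that was never answered.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	if _, ok := v.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.challenges[user] = c
	return c, nil
}

// Verify checks the signature against the user's outstanding challenge and
// consumes that challenge whether or not the check passes, so a response
// captured in transit cannot be replayed.
func (v *Verifier) Verify(user string, sig []byte) bool {
	pub, ok := v.users[user]
	c, pending := v.challenges[user]
	if !ok || !pending {
		return false
	}
	delete(v.challenges, user)
	return ed25519.Verify(pub, c, sig)
}

func main() {
	tpl := []byte("constructed fingerprint template") // stand-in for a real template
	tok, pub, err := NewToken(tpl)
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	v.Enroll("alice", pub)

	c, _ := v.Challenge("alice")
	sig, _ := tok.Respond(c, tpl)
	fmt.Println("genuine response accepted:", v.Verify("alice", sig))
	fmt.Println("replayed response accepted:", v.Verify("alice", sig))
	_, err = tok.Respond(c, []byte("someone else's finger"))
	fmt.Println("token refuses without second factor:", err != nil)
}
```

The point of the design is what an attacker is left with at each of the weak spots listed in the post: the wire carries a one-time signature, the server holds only public keys, and the second factor never leaves the token. A real token still has to defend the reader and the key store physically, which is where the "not perfect, either" caveat applies.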


VPN is sponsored by SecurityFocus.com