
#1 2006-04-11 11:48:21

lumiwa
Member
Registered: 2005-12-26
Posts: 712


#2 2006-04-12 19:56:52

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: security

I still don't see how a man in the middle could decrypt the messages sent with a public & private keypair.

But regardless of that, security is more than just "what you know" (login, password); it's also about what you have (e.g. a dongle, iris scan, fingerprint scan, pin code, random reader, etc.) and what you are (I don't know examples).

Most people do not realize that, especially not in the US. Just look at the online banking services. All you need is a login and password. That's just plain insecure. I know there's a guy from the Netherlands who had a zombie network (2 to 15 million computers) running that was gathering login info from mostly US banking accounts. And from each compromised account he withdrew $4 or $5, nothing that most people would miss.

Here in the Netherlands we have systems that are FAR more secure. If I want to log in I have to put my bank card in a little device and enter my pin code on it. Then I get an 8-digit combination with which I can, together with my account number, log into my account. Any man in the middle or login data sniffer could gather as much data as he wants, but he will not be able to access your data.

Another example is that you get an SMS when you want to log in. So you need to enter a login/password combo (which by itself is highly insecure), but you also need to enter the combination that is SMS'ed to you. This way it'll be much, much harder to get authorized, because you need to compromise 2 separate channels.


#3 2006-04-13 00:52:46

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: security

the big three are indeed:
-What you know (password, passphrase)
-What you have (some type of token, key, big nonce, etc)
-Who you are (retina, fingerprint, voice print, etc)

When combined, pretty secure. Alone, each unit is fairly easy to duplicate (a soft gummy bear can duplicate a fingerprint, a picture can fool a retinal scan, etc.).

The more of the above you can use, the more trustworthy the *authentication*. You can authenticate someone against everything in the universe, many times over, and still pass data in the clear. Not very secure at all.

Still..public key cryptography is pretty damn secure (based on factors of VERY LARGE primes). Your ISP can collect that data, and possibly try forcing you to decrypt it for them at a later time in court, but they aren't going to be able to on their own.

The NSA with their super huge computers *might* be able to do it in human time, but by the time they get around to it...it probably isn't worth a snit to them anyway.

Again though..cryptography is a solid science, with very strong algorithms. It is the implementation of those algorithms that most of the time falls on its face.

An interesting model is the SANS security cube (I think that is what it is called..can't remember the name exactly). Interesting if you are feeling security-geeky. I will try to find a link..but don't bet on it....feeling a bit lazy today.

Just my 2cents on the issue.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#4 2006-04-15 19:30:57

jfryman
Member
From: Newport News, VA
Registered: 2006-03-17
Posts: 29

Re: security

Most people do not realize that, especially not in the US. Just look at the online banking services. All you need is a login and password. That's just plain insecure. I know there's a guy from the Netherlands who had a zombie network (2 to 15 million computers) running that was gathering login info from mostly US banking accounts. And from each compromised account he withdrew $4 or $5, nothing that most people would miss.

Here in the Netherlands we have systems that are FAR more secure. If I want to log in I have to put my bank card in a little device and enter my pin code on it. Then I get an 8-digit combination with which I can, together with my account number, log into my account. Any man in the middle or login data sniffer could gather as much data as he wants, but he will not be able to access your data.

Another example is that you get an SMS when you want to log in. So you need to enter a login/password combo (which by itself is highly insecure), but you also need to enter the combination that is SMS'ed to you. This way it'll be much, much harder to get authorized, because you need to compromise 2 separate channels.


LB06 - You've just hit on the major problem that exists with the current US banking system. I have a friend who works with Foundstone who did an interview with some of the top banking officials in the US. The reason this is not implemented is because 'it would cause too many problems with users'.

The problem currently is not with authentication, but authorization. Even with a two-factor system... not having a system where an authorization code is implemented can still defeat a two-factor or multi-factor auth system. However, having the SMS message come OOB (out-of-band) prevents trojans that may hijack a session and verifies a transaction's authenticity.

I digress.... as cactus mentioned

Still..public key cryptography is pretty damn secure (based on factors of VERY LARGE primes). Your ISP can collect that data, and possibly try forcing you to decrypt it for them at a later time in court, but they aren't going to be able to on their own.

Public-private crypto (or asymmetric keypairs) is very secure... the only way that a keypair can be broken in any lifetime would be if the keysize were >1024, or quantum computers were utilized (we're not there yet). Crypto works because it is freely available, and the math exists for others to hack at, and it *still* keeps our data secure.


James Fryman
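The point LB06 makes about the card reader / SMS code being useless to a sniffer, and the point above about an out-of-band code verifying a transaction's authenticity rather than just the login, can be shown with a small model. This is an added example, not code from the thread or from any bank; it assumes a shared secret standing in for the per-card key or OTP seed, and binds an 8-digit code to a single-use nonce plus the exact transaction details, so a replayed code and a trojan-altered transaction both fail.

```python
import hmac
import hashlib
import secrets

# Constructed model (added example, not from this thread) of a one-time code that is
# bound to the transaction it authorizes and delivered out-of-band. "secret" stands in
# for the per-card key (card reader) or the server-side OTP seed (SMS); the nonce is
# the bank's fresh challenge for this one transaction.

def derive_code(secret: bytes, nonce: bytes, account: str, amount_cents: int, dest: str) -> str:
    """8-digit code = HMAC-SHA256 over the fresh nonce and the exact transaction details."""
    msg = b"|".join([nonce, account.encode(), str(amount_cents).encode(), dest.encode()])
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class TransactionAuthorizer:
    """Bank-side verifier; every pending transaction is tied to a single-use nonce."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # nonce -> (account, amount_cents, dest)

    def start(self, account: str, amount_cents: int, dest: str):
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = (account, amount_cents, dest)
        code = derive_code(self.secret, nonce, account, amount_cents, dest)
        return nonce, code  # the code reaches the user over the second channel (SMS/reader)

    def confirm(self, nonce: bytes, account: str, amount_cents: int, dest: str, code: str) -> bool:
        tx = self.pending.pop(nonce, None)  # pop: the nonce can only ever be consumed once
        if tx is None or tx != (account, amount_cents, dest):
            return False  # unknown or already-used nonce, or details changed in-session
        expected = derive_code(self.secret, nonce, *tx)
        return hmac.compare_digest(expected, code)

def demo() -> dict:
    """Constructed scenario: one honest confirmation, one replay, one altered transaction."""
    bank = TransactionAuthorizer(secrets.token_bytes(32))
    acct, shop, mule = "NL00BANK0123456789", "NL11SHOP0000000001", "NL99MULE0000000002"
    results = {}
    nonce, code = bank.start(acct, 25000, shop)
    # The legitimate user submits exactly what was shown out-of-band.
    results["legit"] = bank.confirm(nonce, acct, 25000, shop, code)
    # A sniffer who captured nonce+code replays them later: the nonce is spent.
    results["replay"] = bank.confirm(nonce, acct, 25000, shop, code)
    # A session-hijacking trojan rewrites the destination before submitting the new
    # transaction: the OOB code was computed over the original details and no longer matches.
    nonce2, code2 = bank.start(acct, 25000, shop)
    results["altered_dest"] = bank.confirm(nonce2, acct, 25000, mule, code2)
    return results
```

A fixed-value OTP that is not bound to the transaction would stop the replay but not the altered destination; that is the authentication-versus-authorization distinction the post draws.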

