
March 08, 2007

The futility of secrets

My viewpoint on this subject just appeared in the March 2007 issue of Information Security. For those of you who do not wish to subscribe to this excellent magazine, I provide it below.


I agree with Ranum that we must stop living in denial about the futility of using easy-to-compromise secrets to authenticate people and transactions. However, the fix he proposes is futile too: one-time passwords of this kind are susceptible to well-known attacks. There are much stronger available technologies for user and transaction authentication.



Yes, Schneier has it right in pointing out that the problem is mainly economic, but he is wrong in saying we should give up on fixing the authentication of people. The payment card industry has introduced smart cards in Europe where, for example, a person paying at a restaurant is presented with a portable wireless payment terminal and must insert the card and then enter a PIN before the transaction is approved. This eliminates the possibility of the waiter going into the back room and recording the card details so that he can place a fraudulent transaction later, something that still happens on this side of the Atlantic. There is no other way to explain the resistance of the payment card industry to introducing this technology here than to paraphrase Bill Clinton’s election slogan: “It is the economy, stupid.”



Just try to imagine what a horrible reality we could be living in if the auto industry in this country had the luxury of using the approaches of the payment card industry. The number of people in the United States involved in car accidents compared to the total number of people driving is small; it is also a fact that society as a whole is not at risk, even if all traffic accidents were fatal. So, what if the auto industry skipped safety technologies such as seat belts, airbags, anti-lock brakes, traction control, etc.?



Indeed, let’s work on fixing the economic problems first and then introduce comprehensive privacy laws.


March 01, 2007

ViewStateUserKey final verdict

I did some more investigation on this subject and found a proper way to use this mechanism and add layered security to your Web site. The solution is to use ViewStateUserKey only after the user identity is authenticated. That is, the proper code segment looks like this:

   // Must run in Page_Init (or earlier): ASP.NET throws if ViewStateUserKey is set later.
   if (User.Identity.IsAuthenticated)
      ViewStateUserKey = Session.SessionID;

This protects against the well-known one-click attack and can be used in combination with TLS/SSL for protecting access to your site. It may seem like overkill when TLS/SSL is used, and if a performance improvement is badly needed, this added protection may be sacrificed. However, in general it is a good security measure.

The reason it did not work the way I tried earlier is that the system uses a different key to decrypt the ViewStateUserKey for authenticated and unauthenticated identities. So setting the key for the unauthenticated identity on the account page before the redirect occurs and returning back to it when authenticated breaks the mechanism.
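The binding that ViewStateUserKey adds, shown as an added Python simulation that is neither ASP.NET's real view-state format nor the post's own code: a keyed MAC over the serialised page state is computed with the per-user key folded in, so a blob minted in one session fails validation in another. The machine key, session ids and page state are constructed values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the server's machineKey validationKey (assumption).
MACHINE_KEY = b"constructed-validation-key-not-a-real-one"
TAG_LEN = hashlib.sha256().digest_size


def _mac(payload: bytes, user_key: str) -> bytes:
    # The user key is folded into the MAC input: it is never transmitted,
    # but the same value must be supplied again at validation time.
    return hmac.new(MACHINE_KEY, payload + b"\x00" + user_key.encode(), hashlib.sha256).digest()


def protect(state: dict, user_key: str = "") -> str:
    """Serialise page state and append a MAC bound to user_key.

    An empty user_key models a page that never sets ViewStateUserKey.
    """
    payload = json.dumps(state, sort_keys=True).encode()
    return (payload + _mac(payload, user_key)).hex()


def unprotect(blob: str, user_key: str = "") -> Optional[dict]:
    """Return the state if the MAC verifies under user_key, else None."""
    raw = bytes.fromhex(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(payload, user_key)):
        return None
    return json.loads(payload)


def page_user_key(is_authenticated: bool, session_id: str) -> str:
    """The post's rule: bind view state to the session only once authenticated."""
    return session_id if is_authenticated else ""


def forged_state_accepted(bind_to_session: bool) -> bool:
    """One-click attack: the attacker mints a valid view-state blob in their
    own (authenticated) session and lures the logged-in victim into posting it.
    Returns True if the victim's page would accept the attacker's blob."""
    attacker_key = page_user_key(True, "sid-attacker") if bind_to_session else ""
    victim_key = page_user_key(True, "sid-victim") if bind_to_session else ""
    forged = protect({"action": "change-email", "to": "attacker@example.test"}, attacker_key)
    return unprotect(forged, victim_key) is not None
```

Without the session-bound key any blob carrying a valid machine-key MAC is accepted from any user; with it, the victim's request fails validation and the attack is stopped.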

OK, I felt it was important to set the record straight, and that's all I wanted to say.
