Man-in-the-Middle Attacks: Protection Through Best Practice
Topics: Government Policy | Identity Protection
Since the FFIEC issued its recent guidance on authentication in the Internet banking arena (as blogged by my colleague Shannon Kellogg), a number of articles have rightly weighed up the merits – and deficiencies – of the various two-factor authentication solutions on the market. Many of these articles have drawn on concerns raised back in March by Bruce Schneier, who wrote in his blog that "two-factor authentication doesn't solve anything" when faced with new threats such as man-in-the-middle (MITM) attacks and Trojans. Evidently, some level-setting and clarification is needed.

Let's be clear: Real-time MITM attacks (where the attacker is in simultaneous contact with both user and service provider, intercepting authentication credentials and replaying them in real time) and Trojans (where the attacker's software eavesdrops on and modifies data on the user's computer) are potential threats to all kinds of authentication, at least in their basic form. Even PKI-based forms of authentication are at risk if the user's computer is corrupted and the attacker's software misdirects the user's PKI credentials to authenticate to a different service provider than the user intended.

Passwords, easy to compromise through so many channels, are clearly reaching a breaking point – as the FFIEC has identified. This is why dynamic forms of authentication such as one-time passwords have garnered such broad interest. MITM and Trojans are a significant motivator.

Consider the following scenario: A user is concerned that he or she might have been subject to a phishing, MITM, or Trojan attack, and had a password or other authentication data stolen. The situation is bad – granted – and may require some work to clean up the damage. However, if the user is protected by a dynamic form of authentication, the attack essentially ends there and then. The authentication data cannot be used ever again, and the user has the reassurance that any past compromise will no longer have an impact.
(The dynamic authentication offers a degree of "proactive security," to adapt the term from the cryptographic literature.) If the attacker is to target the same individual again, he will have to launch a new attack and rely on the victim's complicity in being duped a second time. On the other hand, if the same consumer were protected by a static password, the potential for unauthorized access would remain as long as the password remained unchanged.

It is also worth observing that since attackers will generally follow the path of least resistance, a static password will always be "lower-hanging fruit" than a dynamic form of authentication such as a one-time password – even if an attacker in theory has the tools to compromise either. Real-time MITM may be practical, but it is also very aggressive. The attacking apparatus has to be in front of both the user and the site at the same time without leaving any evidence that could later be used for prosecution. Offline attacks on passwords are much more discreet: one group of thieves phishes passwords and fences them to a middleman (pun somewhat intended), who sells them to another group of thieves that uses the passwords to steal money and identities. The risk is thus distributed, as well as the evidence.

Authentication is not the only leg supporting the platform of user security. Intrusion detection and platform integrity also play an essential part. For a variety of reasons besides authentication, users (and the organizations that support them) need to keep security patches up to date, detect and prevent intrusions, and detect and remove malware. Users' own practice also plays an important role: They need to follow trusted paths when online (i.e., typing in URLs or referencing bookmarks instead of clicking on links), and heed certificate and other security warnings.
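The "attack ends there and then" property described above comes from the verifier refusing to accept a one-time value twice. The following is an added illustration, not code from the original post or from any RSA product: a minimal RFC 4226 HOTP verifier (HMAC-SHA1, 8-byte counter, dynamic truncation, small look-ahead window) is placed beside a static-password check, and a code that was stolen once is presented a second time. The secret and password values are constructed for the demo. Note that this shows replay of a stolen credential; a real-time MITM that relays the code within its window is the case the post says basic authentication alone does not stop.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Server side: one shared secret, the next expected counter, and a look-ahead window."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0      # next counter value the server will accept
        self.window = window  # tolerates a few unused presses on the token

    def verify(self, code: str) -> bool:
        for skew in range(self.window):
            if hmac.compare_digest(hotp(self.secret, self.counter + skew), code):
                # Accept, then advance past this counter: the same code can never be replayed.
                self.counter += skew + 1
                return True
        return False


def static_password_verify(stored: str, presented: str) -> bool:
    """A static password compares the same way every time, so a stolen copy stays valid."""
    return hmac.compare_digest(stored, presented)


def replay_demo():
    """Present one stolen credential twice for each scheme; returns the four accept/reject results."""
    secret = b"constructed-demo-secret-not-a-real-seed"  # constructed value
    server = OtpVerifier(secret)
    stolen_otp = hotp(secret, 0)                 # the value phished or intercepted once
    otp_first = server.verify(stolen_otp)        # legitimate use: accepted
    otp_replay = server.verify(stolen_otp)       # second use: rejected, counter has moved on
    stolen_pw = "hunter2"                        # constructed value
    pw_first = static_password_verify(stolen_pw, stolen_pw)
    pw_replay = static_password_verify(stolen_pw, stolen_pw)   # still accepted
    return otp_first, otp_replay, pw_first, pw_replay


if __name__ == "__main__":
    print(replay_demo())  # (True, False, True, True)
```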
With such "good hygiene," users also protect themselves against MITM and Trojans, and thereby take advantage of the full strength of the authentication mechanisms they apply. Conversely, authentication technology doesn't solve malware and trust problems by itself.

All of this is really a trust issue: Can the user trust the system? Can the system trust the user? That's why, in addition to authentication, we've also been active in exploring new ways in which the interfaces for user authentication can be made more trustworthy – as discussed, for instance, in the TIPPI workshop which I mentioned in a previous blog posting. These improvements, along with protections that users already need for many other reasons against various forms of attacks, will help to ensure ongoing consumer confidence in e-commerce – and industry-wide return on investment for stronger authentication solutions.