Authentication in ' context'


con·text/ˈkäntekst/

The circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed.

authenticate [ɔːˈθɛntɪˌkeɪt]
vb (tr)
 to establish as genuine or valid

What does context have to do with authentication?

When you log on to a web site and enter your user name and password so as to ‘authenticate’ yourself all you are presenting are self reported credentials to the site.  If you present the correct credentials then the site accepts you as - who you say you are.   It takes you at face value.  It identifies you.  Liken it to a knight of old arriving at castle and announcing himself.   When you log on to a web site and it asks you to log in with a user name and password – you are in effect – announcing yourself – identifying yourself.  

What happens if someone steals your password?   Then they can log on as you – the site is none the wiser – the thief has presented the correct credentials.  The credentials  are by definition – static.   They remain valid whether you do so from one of many devices unless of course the site is using a device recognition credential – a cookie,  a Javascript based device identification or certificate solution.    But again that credential is also static as it is re-used again and again no matter what the ‘context’.

A hacker can harvest your credentials by one of many methods be they social engineering, key logging, Trojans,  Man in the Middle or Browser  attacks and so on.  The hacker can re-use those credentials in a different ‘context’ (e.g. from another device in another country) but still be regarded as ‘valid’ by the site.

This is where most so called authentication solutions even two factor authentication solutions fail.   They ‘work’  irrespective of the context.  Even when an OOB OTP is sent via SMS and the PIN is entered into the browser the same vulnerability exists.  A hacker can intercept the PIN and replay the session in real time posing as the ‘real’ person.  In other words the OOB pin can be used on a different browser or even session, device or IP address from which they were requested.   In other words – a different context.

So why is context so important.?   Context is a function of three elements:

time (i.e. the moment of authentication – when it happens, the session  ) ;

Method/mode is the context of origination and transmission – things that dial into the location of the source i.e. the device.   Hence the popularity of some device based solutions.  Most of which fail because they rely on persistent data ( cookies or Javascript or  downloaded software ) because they are easy to fool or copy.

Meaning is the literal value, or meaning of the credentials.  This is usually the total sum of the traditional login:  User name and password;   sometimes ‘beefed’ up perhaps with a time element (timeout) and source (ssl handle, cookie).    This is the value of the token or OTP/OOB, the value of the challenge response, etc., i.e. the "thing you know".   The site controls the value, the user must know it, get it and repeat  it back.  ( A shared secret ) which is usually the only unique element to the mix, as the other two are re-used, or known.

The timing of the event is important because the session commences only when all of the key players/participants in the authentication puzzle come together in context  for the act of ‘authentication’.   The key constituents are: the user,  the device,  the site and  the session.

Only when all of these parties (the correct /valid parties) come together i.e. in the right context - can true authentication take place.  None of these elements or even values associated with them like U/P, cookies,  JVscript  fingerprint or certificate should be able to be used in isolation in another session.  In other words in another context differentiated by time or device.  They all need to come together dynamically and uniquely for each session ( context)  to ensure integrity.

So a proper authentication solution is one where all elements (and more) are combined into a single context - whereby any of the elements in isolation, or out of context, are meaningless. In addition any element inspected in isolation should not be the key to unlocking or accessing (or guessing) any of  the others. They should be dissociative.

Finally none of the elements from this or any other context are re-used, at least in their native form.   It's okay to re-use a password, or re-challenge the device , but it has to be different by nature of it's membership in the context, and not meaningful outside of that (which is the source for most MITM, MITB, social engineering, phishing/ pharming, etc).






Comments

Post a Comment

Popular posts from this blog

The End of Passwords

Finally it seems … the penny has dropped.   Passwords are a poor substitute for real online security.   There is more and more ‘chatter’ about it.    Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google.  The talk is of new biometric solutions such as facial and hand movement recognition.  Even IBM is talking this way.  ( http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/ )  I agree with the notion that passwords are a dying breed but not that biometrics will become vogue.   They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) .    Why are passwords defunct?   Basically they are difficult to remember and they are easy to steal.    The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise
Read more

WIKILEAKS - the fuss?

Why all the fuss ? Why the ‘outrage’ at this ‘threat to national security’ ?   Are we really worried that nuclear war is going to break out because of these ‘dirty’ secrets getting out.  As if the North Koreans are going to up the ante any more than their mock charge of last week because of the abuse and scorn heaped upon them by US Diplomats.  ? !    Come on. To me the irony of this bluster is that it is (largely) from the right wing establishment in the US - calling it treason!     Any party that parades a half wit like Palin as a presidential hopeful hardly holds any moral high ground when it comes to protecting the USA.   Her appointment as the ‘leader of the free World’ will be enough to send any level headed American ( let alone any one of their Allies ) into a panicky tailspin at the thought of what she may stumble into ( by accident or design) . So how did these documents get out there?   Poor security.  Plain and simple.   If the US is so worried about this incident su
Read more

HSBC EMBRACES OLD TECHNOLOGY IN ITS BATTLE AGAINST HACKERS

 If you live in the UK and are somehow involved in the business world and exposed to media you could not help but have noticed the extensive advertising campaign that HSBC has been running on its new (sic) ‘security device’ for online banking - Secure Key.    ( I was tempted to refer to them as  ‘ large UK bank’  - but it is so obvious who it is – no point in pretending. ) A lot of money has been thrown at this campaign – I would guess millions.  ( http://www.youtube.com/watch?v=Jx0Z5CiQMIw )   Full page spreads in large circulation newspapers cost big bucks not to mention prime time TV slots.   So here you have the worlds largest retail bank splashing millions on advertising and even more on a ‘cool’ little device that looks like a mini-calculator  - but basically a technology that has been around for about a decade.   This will be rolled out to 4m retail customers worldwide at a reported cost of up to £50 per pop! ( http://www.bankingtech.com/bankingtech/article.do?articleid=200002
Read more