Palisade Magazine

Discuss: Two Factor Authentication

by Anoop Mangla
Discussion is open — there are 5 reader comments.
1. dsmahanty | 29 Jan 2006 6:01 PM

Dear Anoop,
Nice article. In the example of PKI given, is not the user's password susceptible to man in the middle attacks since it can be decrypted with this public key, which can be accessed by anyone?
Regards,
d.s.mahanty

2. Anoop Mangla | 03 Feb 2006 4:45 PM

Dear Mr. Mahanty,

Thank you for appreciating the article.

Regarding the concern raised by you, using the method of Public Key Cryptography for two-factor authentication is not susceptible to man-in-the-middle attacks. As rightly pointed out by you, a malicious user can very well decrypt a user's password, which is encrypted by his private key, if he knows the user's public key. But as discussed in the article, when using two factor authentication, knowledge of one factor alone, which in discussion is the password, is not sufficient for a malicious user to get access to the application, because he needs the user's private key as well to encrypt the password in order to send it to the application, since the application will only accept passwords encrypted by the user's private key. Supplying the correct password, encrypted by the correct private key, is the only way a user can get access to the application. The correct password, by itself, is not the factor using which a user or someone else can access the application. For man-in-the-middle to succeed, in addition to the password, user's private key is also required, which in this case will not be available with everyone, except for the rightful user.

Another point worth mentioning is that the solution suggested by us uses Public Key Cryptography, which doesn't necessarily mandate using a Public Key Infrastructure (PKI), in which users' public keys are published in the public domain. What this implies is that it is not necessary for applications which use Public Key Cryptography to have a PKI which makes users' 'public' keys public in the literal sense. In such a scenario even the users' public keys will not be known to everybody, since they are not publicly available. The private keys will be known to the users, and the corresponding public keys to the application, with no need to make the public keys available to anyone else.

Anoop Mangla
Paladion Networks

3. Godspeedcapri | 08 Feb 2006 8:43 AM

Hi Anoop,

Your article on two factor auth was pretty good. Although, the explanation given for Mahanty's query seemed a bit confusing. Could have been simpler. Regarding the public key encoded in the application (which is similar to product keys encoded in MS Applications), one could always reverse engineer or decode the application to reveal the public key database.

The two factor authentication of using a one time password (like a FOB key by RSA) seems safer and more promising.

Cheers,
Godspeedcapri

In method 2, Asymmetric Key Cryptography, if an attacker can act as a person-in-middle then he need not decrypt the encrypted credentials. The attacker would simply capture the relevant data and then use it in a replay attack. So I guess the communication channel also has to be encrypted to make this method secure.

If the communication channel cannot be made secure further measures are required to ensure the integrity of this transaction. I guess there are many ways to achieve this... actually this article of yours has got me thinking on lots of things.

Of course trying to incorporate 2-factor authentication into web applications is a different ballgame altogether.

Just check out the responses to this thread if you are not convinced :-)
http://seclists.org/lists/webappsec/2006/Apr-Jun/0430.html
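The replay concern raised in the comment above, as an added illustration that is not code from the article or from any commenter: a deterministic "password encrypted with the private key" token is identical on every login, so a captured copy is accepted again, whereas binding a server-issued single-use nonce into the value makes a captured token worthless. The key pair uses toy-sized primes and textbook RSA purely so the example runs stand-alone; the user name, password and nonce handling are assumptions.

```python
import hashlib
import secrets

# Toy RSA key pair from two small fixed primes (constructed for illustration only;
# real systems use 2048-bit keys and a padded signature scheme, not textbook RSA).
P, Q = 1000003, 999983
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (needs Python >= 3.8)

def to_int(data: bytes) -> int:
    # Hash the message so the value always fits below N.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def private_transform(m: int) -> int:    # "encrypt with the private key" (article's wording)
    return pow(m, D, N)

def public_transform(c: int) -> int:     # what the application does with the stored public key
    return pow(c, E, N)

USER_PASSWORD = b"correct horse"         # constructed; the application knows the user's password

# Method 2 as described in the thread: the client sends the password transformed
# with its private key; the application reverses it with the public key and compares.
def static_token(password: bytes) -> int:
    return private_transform(to_int(password))

def static_login(token: int) -> bool:
    # No freshness: the same token bytes are accepted every time they are presented.
    return public_transform(token) == to_int(USER_PASSWORD)

# Challenge-response variant: the application issues a fresh, single-use nonce and the
# client binds it into the transformed value, so a captured token cannot be replayed.
_issued = set()

def issue_nonce() -> bytes:
    nonce = secrets.token_bytes(16)
    _issued.add(nonce)
    return nonce

def challenge_token(password: bytes, nonce: bytes) -> int:
    return private_transform(to_int(password + nonce))

def challenge_login(token: int, nonce: bytes) -> bool:
    if nonce not in _issued:             # unknown or already-consumed nonce
        return False
    _issued.discard(nonce)               # each nonce is accepted exactly once
    return public_transform(token) == to_int(USER_PASSWORD + nonce)
```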
