[3349] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

RE: Arcot

daemon@ATHENA.MIT.EDU (Lucky Green)
Wed Sep 23 00:40:46 1998

From: "Lucky Green" <shamrock@netcom.com>
To: "Ryan Lackey" <ryan@systemics.ai>
Cc: <cypherpunsk@algebra.com>, <cryptography@c2.net>
Date: Tue, 22 Sep 1998 21:35:50 -0700
In-Reply-To: <19980922143341.C363@mises.systemics.ai>

While I agree with most of Ryan's arguments, I believe the issue below
deserves additional clarification.

> -----Original Message-----
[...]
> 4) Bruce Schneier, one of the firm's technical advisors, says "it's not
> [sufficient for] online real estate [presumably meaning high value
> transactions with no recourse]", but that it is for "ninny net users in
> chat rooms".  The apps Bruce Schneier seems to propose the Arcot system
> for ("systems like AOL" (read: porn sites on the WWW)) are more concerned
> with their users not being able to share passwords than anything else.
[...]
> I do not see how the system is provably higher in security or any
> other worthwhile features than the following widely deployable, standard,
> free system:
> * online password checking of user passwords, optionally changing in
> some kind of one-time-pad system, passed through an SSL-encrypted link
> to the server, such that if password guess attempts were made, the
> account could be locked out.
>
> * encrypted local certificates, encrypted with optionally a different
> passphrase, which do *not* need to be kept secret.
>
> This provides "two factor" authentication to the same extent as the Arcot
> system, is easy to implement using standard systems, and is conceptually
> simple.

Unfortunately, neither authentication method would meet the requirements of
a company such as AOL. Nor would Arcot's hardware token-free authentication
method meet said requirements. Here is why:

AOL has a tremendous theft-of-service problem. The annual revenue lost due
to fraudulently obtained access is an order of magnitude higher than even my
most pessimistic estimate had been.

The most frequently employed means of obtaining unauthorized access to AOL's
services is by emailing legitimate users, pretending to represent AOL, and
simply requesting the users to email back the login password. Despite the
numerous warnings against this fraud scheme in AOL signup material and user
information, the method remains highly successful. It is not believed that
the situation will improve on its own.

While it has been speculated that users susceptible to such an attack may
not be sufficiently computer savvy to follow attackers' instructions to
email the pretenders an SSL certificate file or perhaps an Arcot key database,
few would dispute that such users will be capable of following instructions
directing the users to double-click on the included attachment to install a
"crucial security upgrade".

The installed Trojan then can take care of extracting any SSL client certs
or Arcot keys and return the information to the attackers.

Consequently, only a hardware-based solution - such as a smartcard - that
requires physical possession of a physical token would meet AOL's true
security requirements.

--Lucky
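To make the two positions in this exchange concrete, the following is an added model of the software-only scheme Ryan describes (online password check with lockout, plus a locally stored, passphrase-encrypted credential). It is example code written for this archive page, not code from the thread, from Arcot or from AOL. Assumptions: the SSL link is not modelled (messages are passed as Python objects); a symmetric "device key" stands in for the private key of the local certificate; and the keyfile encryption is a toy construction from hashlib/hmac chosen only to keep the example dependency-free.

```python
"""Model of the software-only two-factor scheme debated in the thread.

Added example, not from the original message. Assumptions: no real SSL
channel, a symmetric device key in place of a client certificate, and a
toy passphrase-based keyfile cipher built from hashlib/hmac.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERS = 50_000
MAX_FAILURES = 5  # online guesses tolerated before the account locks


def _kdf(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; illustrative only.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_keyfile(device_key: bytes, passphrase: str) -> dict:
    """Client side: the local credential is stored encrypted under its own passphrase."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k = _kdf(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(device_key, _keystream(k, nonce, len(device_key))))
    tag = hmac.new(k, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_keyfile(keyfile: dict, passphrase: str) -> bytes:
    k = _kdf(passphrase, keyfile["salt"])
    expected = hmac.new(k, keyfile["nonce"] + keyfile["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, keyfile["tag"]):
        raise ValueError("wrong passphrase or corrupted keyfile")
    ks = _keystream(k, keyfile["nonce"], len(keyfile["ct"]))
    return bytes(a ^ b for a, b in zip(keyfile["ct"], ks))


class Server:
    """Online password check with lockout, plus a possession proof via the device key."""

    def __init__(self):
        self.accounts, self.pending = {}, {}

    def enroll(self, user: str, password: str, device_key: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "pw_hash": _kdf(password, salt),
                               "device_key": device_key, "failures": 0, "locked": False}

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)  # fresh nonce per attempt
        return self.pending[user]

    def login(self, user: str, password: str, proof: bytes) -> str:
        acct, nonce = self.accounts.get(user), self.pending.pop(user, None)
        if acct is None or nonce is None:
            return "rejected"
        if acct["locked"]:
            return "locked"
        pw_ok = hmac.compare_digest(_kdf(password, acct["salt"]), acct["pw_hash"])
        key_ok = hmac.compare_digest(hmac.new(acct["device_key"], nonce, "sha256").digest(), proof)
        if pw_ok and key_ok:
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked"] = True
            return "locked"
        return "rejected"


def client_login(server: Server, user: str, password: str, keyfile: dict, keyfile_pass: str) -> str:
    """Any host holding the keyfile and both passphrases produces an identical exchange."""
    try:
        device_key = decrypt_keyfile(keyfile, keyfile_pass)
    except ValueError:
        return "keyfile rejected locally"
    proof = hmac.new(device_key, server.challenge(user), "sha256").digest()
    return server.login(user, password, proof)


def demo() -> dict:
    """Constructed sample run: lockout stops online guessing; copied credentials do not trip it."""
    server, results = Server(), {}
    alice_key = os.urandom(32)
    alice_file = encrypt_keyfile(alice_key, "alice-keyfile-pass")
    server.enroll("alice", "correct horse", alice_key)
    results["legit"] = client_login(server, "alice", "correct horse", alice_file, "alice-keyfile-pass")
    results["wrong_keyfile_pass"] = client_login(server, "alice", "correct horse", alice_file, "nope")
    results["guesses"] = [client_login(server, "alice", f"guess{i}", alice_file, "alice-keyfile-pass")
                          for i in range(MAX_FAILURES)]
    results["after_lock"] = client_login(server, "alice", "correct horse", alice_file, "alice-keyfile-pass")
    bob_key = os.urandom(32)
    bob_file = encrypt_keyfile(bob_key, "bob-keyfile-pass")
    server.enroll("bob", "bob-pass", bob_key)
    # A byte-for-byte copy of the keyfile plus both passphrases is indistinguishable to the server.
    results["copied_keyfile"] = client_login(server, "bob", "bob-pass", dict(bob_file), "bob-keyfile-pass")
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout counter does what Ryan claims: repeated online guesses against "alice" lock the account before the correct password gets in. The last line of `demo()` is the point of Lucky's reply: the server only ever sees a password and a proof computed from the decrypted keyfile, so once both passphrases and the keyfile leave the user's machine (by social engineering or by software running as the user), the resulting login is identical to a legitimate one and no server-side check can separate them; only a factor that cannot be copied off the machine changes that.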

