Entrust - Identity Guard - Any experience?


SB

Aug 19, 2005, 11:21:58 AM
to weba...@securityfocus.org
Hi!

I am looking for insights from you security professionals into
implementing a two factor option that does not require shipping a
token. Something similar to
http://www.entrust.com/identityguard/index.htm

has anyone had experience with this? Any known security issues with
this approach. This will be in addition to the person's user name and
password.

Thanks very much for your help.

Sri Balaji.

Dwayne Taylor

Aug 19, 2005, 1:05:53 PM
to SB, weba...@securityfocus.org
The product link below shows something that focuses more on using a combination of direct authentication and challenge/response rather than two factor authentication. True two factor authentication based both on what a user knows and what a user has (such as an X.509 cert/private key or device that produces one-time passwords) "black boxes" the "what a user has" element, so that the user requires the device to satisfy the requirement of something they have for the second authentication factor. This product's form of "what a user has" is risky because the challenge/response values can be easily obtained and used by an attacker without actually possessing the object required to satisfy the requirement. Understandably, it looks like this company is trying to get into the market niche of those who want something stronger than username/password but something more cost effective than the smartcard/key fob type solutions that require more $$$$.

My $.02

________________________________

Ellis, Steven

Aug 19, 2005, 2:03:57 PM
to weba...@securityfocus.org
Of course you just drop the "what you have" card on the nearest
photocopier and now there are two or more of you. The truth is security
costs and that cost must be justifiable. I could not see this technology
in use at companies that have high value data, but rather at a small or
medium size business where money is tight.

Just my $.02

Saqib Ali

Aug 19, 2005, 2:27:11 PM
to Dwayne Taylor, SB, weba...@securityfocus.org
Maybe I am missing something, but I don't think Entrust - Identity
Guard provides 2-factor authentication.

It is a more like twice-the-effort (twice-the-trouble) authentication. :)


> I am looking for insights from you security professionals into
> implementing a two factor option that does not require shipping a
> token. Something similar to
> http://www.entrust.com/identityguard/index.htm

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.

Mary Ann Burns

Aug 19, 2005, 6:10:17 PM
to Saqib Ali, Dwayne Taylor, SB, weba...@securityfocus.org
Two-factor authentication is (1) something physical (USB key) with
(2) something you know (PIN). There is no such thing as 2-factor
authentication without a physical device. Plus, a USB key is easy to use and
deploy and it works, versus trying a cheap shortcut that ends up being twice the
trouble because it takes twice the effort, since it can take a lot of time, wastes
a lot of money and does not work in the end. Know what I mean.......

Rishi Pande

Aug 19, 2005, 2:50:30 PM
to weba...@securityfocus.org
I guess the big question that you have to answer is why you do not want a
token solution. Is it because tokens have to be maintained or is it just
cost prohibitive?
There are solutions that can do two-factor without a token. You may want to
look into those.
Good luck!

Saqib Ali

Aug 19, 2005, 8:26:24 PM
to Mary Ann Burns, Dwayne Taylor, SB, weba...@securityfocus.org
Exactly. When it comes to authentication, you can choose between
"higher cost" and "higher risk". Hardware token is higher cost, while
Entrust Identity Guard is higher risk.

On 8/19/05, Mary Ann Burns <mab...@safenet-inc.com> wrote:
> Two-factor authentication is (1) something physical (USB key) with
> (2) something you know (PIN). There is no such thing as 2-factor
> authentication without a physical device. Plus, a USB key is easy to use and
> deploy and it works, versus trying a cheap shortcut that ends up being twice the
> trouble because it takes twice the effort, since it can take a lot of time, wastes
> a lot of money and does not work in the end. Know what I mean.......
>

Ralf Durkee

Aug 19, 2005, 8:38:56 PM
to Mary Ann Burns, Saqib Ali, Dwayne Taylor, SB, weba...@securityfocus.org

Mary Ann Burns wrote:
> Two-factor authentication is (1) something physical (USB key) with
> (2) something you know (PIN). There is no such thing as 2-factor
> authentication without a physical device.
>

I would like to wholeheartedly agree that 2-factor authentication
*should be* something you have and something unique to the individual
and something difficult to duplicate. However, I've found in most
situations other "security professionals" are classifying the following
as 2nd-factor authentication (when combined with a password):

1. Electronic certificates: X.509, SSL client certificates, SSH keys,
PGP keys, whatever.
2. Software versions of RSA SecurID, other software-generated tokens or
one-time passwords.

My own opinion is that these are certainly better than 1 factor, but
higher risk than the have-it-in-your-hand 2-factor authentication. Maybe
they should be called 1.5 factor! However, I have generally found myself
in the minority. What do people think?

-- Ralf Durkee, CISSP, GSEC, GCIH
http://rd1.net

Lyal Collins

Aug 20, 2005, 1:25:01 AM
to Mary Ann Burns, Saqib Ali, Dwayne Taylor, SB, weba...@securityfocus.org
I beg to differ slightly.

Two-factor means, to many of us, that there is something in addition to
something-you-know. A hardware token, a printed OTP list, biometric, or a
secured terminal with unique identifying keys/tools.

Digital certs only act as a two-factor tool in the case of 'secured
terminal' models; in all other cases the digital signature is a remotely
generated flag that a password was verified at once. Even digital certs and
smartcards fall into the remote password verification category in many
implementations.

Lyal

Ned Fleming

Aug 22, 2005, 2:05:43 PM
to weba...@securityfocus.org
On Sun, 21 Aug 2005 07:48:47 -0700, Saqib Ali <docbo...@gmail.com>
wrote:

>> Two-factor means, to many of us, that there is something in addition to
>> something-you-know. A hardware token, a printed OTP list, biometric, or a
>> secured terminal with unique identifying keys/tools.
>
>The problem with a Printed List of OTPs and Entrust Identity Guard is
>that they give false sense of security in case they are stolen and
>duplicated. Someone can easily duplicate these without the knowledge
>of the owner.

Not really. The card is something a person carries around. Besides the
cards can be made to be difficult to photocopy. And if stolen, they
can be treated the same as a stolen token: invalidated and a new one
generated as easy as kiss my hand.

>And the owner still thinks that he/she is the sole owner
>of Entrust Identity Guard. Whereas a hardware token (e.g. RSA
>SecurID) is a lot harder to duplicate. It might be easy to steal a
>hardware token, but NOT without the knowledge of the owner. Once the
>owner finds out that the hardware token is stolen, he/she can get it
>de-activated.

I like the Entrust thingamabob. Think Pareto's Law: It gives 80
percent of the functionality of a secure token for 20 percent of the
cost. (Actually, I think it gives 96 percent of the functionality of a
secure token for 20 percent of the cost -- Pareto squared.)

Ned



Saqib Ali

Aug 23, 2005, 11:14:32 AM
to Ned Fleming, weba...@securityfocus.org
> Not really. The card is something a person carries around. Besides the
> cards can be made to be difficult to photocopy. And if stolen, they
> can be treated the same as a stolen token: invalidated and a new one
> generated as easy as kiss my hand.

hmmm.

How do you know when to replace/regenerate the card, if the attacker
only duplicated the card, and returned the original to your wallet???

Static human-legible information can be duplicated using various
photographic techniques.


> I like the Entrust thingamabob. Think Pareto's Law: It gives 80
> percent of the functionality of a secure token for 20 percent of the
> cost. (Actually, I think it gives 96 percent of the functionality of a
> secure token for 20 percent of the cost -- Pareto squared.)

This may be true, but I would still like to see some data to support this claim.

Wall, Kevin

Aug 24, 2005, 9:59:33 AM
to Saqib Ali, Ned Fleming, weba...@securityfocus.org
Saqib Ali wrote...

> > Ned Fleming wrote...
> > Not really. The card is something a person carries around. Besides the
> > cards can be made to be difficult to photocopy. And if stolen, they
> > can be treated the same as a stolen token: invalidated and a new one
> > generated as easy as kiss my hand.
>
> hmmm.
>
> How do you know when to replace/regenerate the card, if the attacker
> only duplicated the card, and returned the original to your wallet???
>
> Static human-legible information can be duplicated using various
> photographic techniques.
>
> > [Ned Fleming]
> > I like the Entrust thingamabob. Think Pareto's Law: It gives 80
> > percent of the functionality of a secure token for 20 percent of the
> > cost. (Actually, I think it gives 96 percent of the functionality of a
> > secure token for 20 percent of the cost -- Pareto squared.)
>
> This may be true, but I would still like to see some data to support this claim.

I think the thing is we are all letting the formal definition of
two-factor authentication make us miss the main point, which is that
certainly this is a LOT more secure than just a plain password, even
if the users already use strong passwords.

Sure, this Entrust Identity Guard is nothing more than a glorified Bingo
card with coordinates printed along the Y-axis, but that doesn't mean
it can't serve a similar purpose as a "what you have" factor of
authentication.

The point is that most people KNOW how to secure physical things. They
do this all the time with their wallets, their credit cards, small
pieces of jewelry, etc. If they are taught that this Identity Guard
needs to be protected just like a credit card, most of them will
afford it SUFFICIENT (not perfect) protection. So can it be duplicated?
Yes. Does it matter? Not as much as you might think, since the risk
of duplication is relatively low.

From a risk management perspective, in reality there is little difference
between this Identity Guard vs. someone securing an SSL client certificate
on removable media such as a floppy or a thumb drive. The removable media
can be stolen, copied, and put back as well. So if you don't secure your
private keys with a passphrase (and by observation, most people don't),
and this happens, you're screwed. And I doubt if most people protect that
floppy as well as they protect one of their credit cards. I've seen many
cases where all people do is eject the floppy with their certificate,
but leave it in the floppy drive bay. (These are probably the same people
who don't secure it with a passphrase either.)

Rather than arguing semantics of definitions, we ought to acknowledge
that this is substantially less risk than a password alone and is likely
to be deployed at a fraction of the cost of a smart card, key fob, etc.
While it definitely isn't the most secure solution, IMO, it still is a
good idea.

Just my $.02,
-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
Kevin...@qwest.com
Phone: 614.215.4788
"The reason you have people breaking into your software all
over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke,
at eWeek Security Summit
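As an added illustration (not code from this thread or from Entrust's product), here is a server-side verifier for the kind of coordinate-grid card Kevin describes: it issues a few random cell coordinates as a single-use challenge bound to the session, compares the reply in constant time, and locks the account after repeated failures. The 5x10 digit layout, the three-cell challenge and the lockout threshold are assumptions.

```python
import hmac
import secrets
import string

ROWS = "ABCDE"                 # constructed card layout: 5 rows ...
COLS = tuple(range(1, 11))     # ... by 10 columns, one digit per cell
ALPHABET = string.digits

def make_card(pick=secrets.choice):
    """Generate a card as {(row, col): digit}; pick defaults to a CSPRNG."""
    return {(r, c): pick(ALPHABET) for r in ROWS for c in COLS}

def card_response(card, challenge):
    """What a holder of the card (or of a copy of it) reads off and types."""
    return "".join(card[cell] for cell in challenge)

class GridCardVerifier:
    """Server side: issues single-use coordinate challenges and checks replies."""

    def __init__(self, card, cells_per_challenge=3, max_failures=5):
        self.card = card
        self.k = cells_per_challenge
        self.max_failures = max_failures
        self.rng = secrets.SystemRandom()
        self.pending = {}       # session_id -> challenge cells
        self.failures = 0
        self.locked = False

    def issue_challenge(self, session_id):
        # Distinct random cells, bound to this session so a reply
        # captured for one login cannot be replayed into another.
        cells = tuple(self.rng.sample(list(self.card), self.k))
        self.pending[session_id] = cells
        return cells

    def verify(self, session_id, response):
        if self.locked:
            return False
        challenge = self.pending.pop(session_id, None)   # single use
        if challenge is None:
            return False                                  # no or reused challenge
        expected = card_response(self.card, challenge)
        if hmac.compare_digest(expected.encode(), response.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True                            # stop guessing
        return False
```

What this cannot do, as the thread observes, is tell a photocopy from the original: card_response returns the same reply for either, so the lockout only defends against guessing, and duplication is left to issuance and revocation policy.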