
Thread: How to prevent mutual authentication from phishing?

  1. #1
    Join Date
    Feb 2009
    Posts
    55

    How to prevent mutual authentication from phishing?

    hello,

    I believe an open network is highly insecure against outside threats. I want to ask how I can perform mutual authentication securely. Is there any trick or method to prevent mutual authentication from phishing? Can anybody give any ideas regarding this?

  2. #2
    Join Date
    Feb 2008
    Posts
    2,635

    Re: How to prevent mutual authentication from phishing?

    Phishing is nothing but a man-in-the-middle attack. In this, the user is misdirected by social engineering or DNS-cache poisoning to a fraud site. Since the user doesn't have any knowledge of how to validate SSL certificates, this phishing trick works quite well.

    Different efforts are implemented to prevent this... but the efforts such as Extended Validation certificates are bound to fail in many cases because they rely on inconsistent visual aids and not strong cryptography. One-time passwords alone have also proven to be vulnerable to real-time MITM attacks.

    To consistently prevent phishing, it requires strong mutual authentication - validating the host to the user and the user to the host.

  3. #3
    Join Date
    May 2008
    Posts
    2,945

    Re: How to prevent mutual authentication from phishing?

    In order to prevent mutual authentication from phishing - we can configure a JSP application to work with WiKID's open-source one-time password and mutual authentication system.

    Here's how this method works -
    • When a user wants to login to the target site, they start the WiKID token client and enter their PIN.
    • The PIN is encrypted by the server's public key and sent to the server.
    • If the PIN is correct, the encryption valid and the account active, a package of the OTP, the target site URL and a hash of the target site's SSL certificate are sent to the token client.
    • The token client goes out over the user's internet connection to the target site URL and gets the SSL certificate, hashes it and compares it to the validated certificate hash.
    • If the two hashes match, the token client presents the OTP and (on supported platforms) launches the default browser to the site for the user.


    1. Add a domain on the WiKID server for the application.
    2. Create a network client for JSP page.
    3. Add the login code for WiKID to the JSP page.
    4. Test it from a token client.
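
The certificate-hash check described in post #3, as an added example that is not part of the original post and is not WiKID's own code. It assumes SHA-256 as the hash and a hypothetical `package` dict with keys `otp`, `url` and `cert_sha256`; the certificate bytes and `bank.example` are constructed sample data.

```python
import hashlib
import hmac
import socket
import ssl
from urllib.parse import urlsplit

def fetch_cert_der(url, timeout=5.0):
    """Fetch the DER-encoded leaf certificate presented by the host in `url`."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("target site URL must be https")
    ctx = ssl.create_default_context()
    addr = (parts.hostname, parts.port or 443)
    with socket.create_connection(addr, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
            return tls.getpeercert(binary_form=True)

def release_otp(package, fetch=fetch_cert_der):
    """Return the OTP only if the live certificate hash matches the server-supplied one.

    `package` is a hypothetical dict {"otp", "url", "cert_sha256"} standing in
    for what the authentication server returns after a correct PIN.
    """
    try:
        der = fetch(package["url"])
    except (OSError, ValueError):
        return None  # unreachable host, bad URL or failed TLS handshake: fail closed
    seen = hashlib.sha256(der).hexdigest()
    expected = package["cert_sha256"].lower()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(seen, expected):
        return None  # certificate differs from the validated one: withhold the OTP
    return package["otp"]

# Constructed sample data: byte strings standing in for DER certificates.
GENUINE_CERT = b"constructed-der-bytes-of-the-real-site"
SPOOFED_CERT = b"constructed-der-bytes-of-a-lookalike-site"
PACKAGE = {
    "otp": "493817",
    "url": "https://bank.example/login",
    "cert_sha256": hashlib.sha256(GENUINE_CERT).hexdigest(),
}

if __name__ == "__main__":
    print(release_otp(PACKAGE, fetch=lambda url: GENUINE_CERT))
    print(release_otp(PACKAGE, fetch=lambda url: SPOOFED_CERT))
```

The `fetch` parameter exists so the check can be exercised offline; a real client would use the default, which opens a TLS connection to the target site.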

  4. #4
    Join Date
    Apr 2008
    Posts
    3,339

    Re: How to prevent mutual authentication from phishing?

    One of the easiest ways to defeat one-way SSL authentication is by man-in-the-middle attacks. This is because in the one-way SSL authentication scenario, only one party is absolutely sure about the identity of the other party. The other party thinks that there is an authorised party at the other end, which might not always be true...

    Consider a scenario where a person X is accessing his bank website to pay some bills online. Here he might be required to deliver his crucial details like bank account number, credit card / debit card details etc... and he might be delivering these very crucial details deliberately under the impression that these details are being passed to bank personnel only... but if a man-in-the-middle attack is taking place, person X might be completely unaware of it...

    The only way to prevent this is to establish very strong and secure mutual authentication or two-way SSL authentication.....
