de-peering for security sake

Baldur Norddahl baldur.norddahl at gmail.com
Sun Dec 27 22:33:17 UTC 2015


On 27 December 2015 at 22:08, Owen DeLong <owen at delong.com> wrote:

> This is a bit of a tangent, really. The discussion was about
> authentication factor
> counts and Baldur tried to use PCI-DSS acceptance of password-encrypted
> private key authentication as two-factor to bolster his claim that it was,
> in fact
> two-factor, when it clearly isn’t actually two-factor as has been stated
> previously.
>

I wanted to stay out of this, but Owen you are full of shit here. I am
pointing out that your homemade definition does not match up with what
others think two factor means. PCI DSS might be utter crap, but they are
still more than "Owen DeLong and his personal opinion".

You are utterly confused about the meaning of two factor. You apparently
believe the magic words "two factor" are a statement about the security of a
system, while it is in fact just a simple property. A property that even an
inherently insecure and weak system can have.

It is not, as you have said, about strengthening the search space of a crypto
key (just double the key length if you need that). In fact, many two factor
systems do not use crypto keys at all. An example of such a non-crypto-based
system is a credit card with a magnetic stripe plus PIN. The magnetic
stripe contains just the card number, which can also be read directly from
the card and even memorized by the owner.

We need two factor because if you have just one factor, say the password,
the hacker will simply call the user and ask him to tell the password. And
the users will happily oblige. Experience shows this. On the other hand,
if you give the users a single factor system with a physical token (a key),
that gets stolen, misplaced or "borrowed" far too easily. Therefore the
industry standard is card + PIN to enter a building (= two factor). Secure
places require three factor (card + PIN + biometric).

SSH keys are two factor because people do not in general memorize the key
file. Because they do not, you can not gain access to the system with only
what you know (=in your mind). Unless the user violated protocols and
changed the passphrase to null, you can not gain access just by possession
of the key file. That is all that is required to name it two factor. That
Owen DeLong believes the system stinks does not change that at all.

Historically the banks used to depend on a system that is the same as SSH
keys: certificate files you have on your computer to access the bank
website. That also is a two factor system. The users did not usually
memorize the content of the certificates. The system is weak because bad
guys used malware to steal the certificate files and installed key loggers to
also get the other factor, the password.

In my country (Denmark) they decided hardware keys are still too expensive,
so they developed a two factor system based on paper keys. You get a
piece of paper with a few hundred random numbers. When you log in, you are
asked to type one of the numbers in to prove that you are in possession of
the key paper. The codes are just 6 digits and infinitely weak if you believe
them to be part of any crypto scheme. This system has also been broken
because now bad guys ask the users to take pictures of the key paper to
prove something, and the users happily do just that. Banks are still happy
though, because the loss is less than the cost to ship hardware keys to
everyone.

Only strong two factor systems are really resistant to the users defeating
the system by doing stupid things. That does not mean that only strong two
factor systems are two factor. That would be silly - Owen, what would you
then name weak and broken two factor systems? It is a property - nothing
more.

Regards,

Baldur
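The paper-key scheme Baldur describes (a password plus a card of a few hundred 6-digit codes, one of which is challenged at login) is easy to model, and the model makes his point concrete: the second factor adds no key-search strength at all, only a proof of possession that is consumed once. The code below is an added example for this page, not from the original post or from any bank's actual system; the card size, the PBKDF2/HMAC storage choices and the "burn the code on use" rule are assumptions made here.

```python
"""Toy model of a paper-key (one-time code card) second factor (added example)."""
import hashlib
import hmac
import secrets

CARD_SIZE = 10  # the real cards held a few hundred codes; kept small here
PBKDF2_ROUNDS = 100_000  # assumed work factor for the knowledge factor


def issue_card(size=CARD_SIZE):
    """Generate the card the user receives on paper: (index, 6-digit code) pairs.

    6-digit codes are far too short to be a crypto key; they only prove the
    user can read the card that was mailed to them.
    """
    return [(i + 1, f"{secrets.randbelow(1_000_000):06d}") for i in range(size)]


class Account:
    """Server-side state for one user: hashed password plus keyed hashes of the card."""

    def __init__(self, password, card):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        # The server keeps only an HMAC of each code, never the plaintext card.
        self.card_key = secrets.token_bytes(32)
        self.codes = {idx: self._mac(code) for idx, code in card}
        self.used = set()      # indices that have been consumed
        self.pending = None    # index challenged at the current login

    def _mac(self, code):
        return hmac.new(self.card_key, code.encode(), "sha256").digest()

    def check_password(self, password):
        """Factor one: something you know."""
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.password_hash)

    def challenge(self):
        """Pick an unused card position; None once the card is exhausted."""
        remaining = [i for i in self.codes if i not in self.used]
        if not remaining:
            return None
        self.pending = secrets.choice(remaining)
        return self.pending

    def verify_code(self, index, code):
        """Factor two: something you have. The challenged code is consumed on use."""
        if index != self.pending or index in self.used:
            return False
        self.pending = None
        self.used.add(index)  # single use: a replayed or phished code is worthless afterwards
        return hmac.compare_digest(self._mac(code), self.codes[index])


def login(account, password, code_lookup):
    """Full login flow. code_lookup(index) models the user reading the paper card."""
    if not account.check_password(password):
        return False
    idx = account.challenge()
    if idx is None:
        return False  # card exhausted; the bank would have to mail a new one
    return account.verify_code(idx, code_lookup(idx))


if __name__ == "__main__":
    card = issue_card()
    acct = Account("correct horse battery", card)
    paper = dict(card)  # what the user holds in hand
    print("login with both factors:", login(acct, "correct horse battery", paper.get))
    print("password alone, guessed code:", login(acct, "correct horse battery", lambda i: "000000"))
```

Note what the model does and does not give you: an attacker who has only the password fails (a single guess of a 6-digit code succeeds with probability one in a million), and a code captured once cannot be replayed. It does nothing against the attack Baldur mentions, a user photographing the whole card for a caller, which is exactly why the property "two factor" says nothing about whether the system is strong.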
