TriCipher TACS prevents "man in the middle" phishing attacks

By Bernard Cole
iApplianceWeb
(03/23/05, 2:12:13 PM GMT)

San Mateo, Ca. -- TriCipher, Inc., has just released its TriCipher Armored Credential System (TACS) designed to prevent so-called “man in the middle” phishing attacks -- a security threat that has become top of mind as businesses and consumers become increasingly reliant on the Internet for conducting essential business transactions.

According to Ravi Sandhu, Chief Scientist at TriCipher and professor of Information Security and Assurance at George Mason University, enterprises seeking to protect themselves have increasingly turned to one-time passwords, a form of two-factor authentication believed to prevent successful attacks.

“However, industry experts have called into question the effectiveness of this type of authentication in protecting against phishing,” he said, pointing to research from Infidel, Inc., demonstrating that all one-time password systems, such as time-synchronous tokens, can be easily compromised by man in the middle phishing attacks that require very little technical sophistication on the part of the phisher.

He said TriCipher's approach to strong authentication leverages the Internet's existing SSL infrastructure, combining it with a unique multi-part credential to foil proxied man in the middle attacks.

"Recent articles have spawned a lot of talk amongst security experts about the role two factor authentication plays in protecting against man in the middle phishing," said Rebecca Bace, President of Infidel, Inc. "It's true that one time password systems are not an adequate defense, but that is only one flavor of two factor authentication, and an outdated one at that.

"The key to protecting against these attacks is to take advantage of the existing SSL infrastructure to authenticate the client. SSL was designed to prevent man in the middle attacks and doesn't require the user to reveal the credential -- only to prove that she has it. Ideally, you would also like to make it impossible to steal the entire credential from the user."

In such attacks, users are lured to a phishing site by an email or a DNS cache poisoning attack, where they enter their username, password, and the number from a one-time password token. The phisher's server automatically uses this information to log in to the legitimate site immediately, then either keeps the session open until the phisher is ready to hijack it or simply alters the user's transaction to benefit the phisher.

What TACS does, said Sandhu, is create a multi-part credential, splitting the user's credential between the user and a secure appliance kept in the enterprise's data center. “Since the user doesn't have the entire credential, he or she can't give it away to the phisher, nor can the phisher steal it from their desktop,” he said.

In addition, TACS’ credentials use SSL client authentication, which prevents a phisher from sitting in the middle of the user's session with the web server. Further, using SSL means no new software at the web server, making deployment fast and easy.
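As an added illustration (not TriCipher's code, and not a description of how TACS is built internally), the following Python model contrasts the two authentication styles the article describes: a one-time password relayed through a phishing proxy is accepted by the real site, while a proof of possession derived from a two-part credential and bound to the server identity and nonce of the session in which it was produced fails when replayed into a different session. The site names, share values and the HMAC-based construction are assumptions made for the simulation only.

```python
import hashlib
import hmac
import secrets

# Constructed identities for the simulation (not real hosts).
REAL_SITE = "bank.example"
PHISH_SITE = "bank-login.example"


def otp_login(submitted_otp, expected_otp):
    """OTP login: the server only checks the code, so the code carries no
    information about which site the user actually typed it into."""
    return hmac.compare_digest(submitted_otp, expected_otp)


def relay_otp_attack(expected_otp):
    """Model of the proxied attack in the article: the user types the OTP
    into the phishing page and the phisher forwards it unchanged."""
    captured_otp = expected_otp          # captured on the phishing page
    return otp_login(captured_otp, expected_otp)


def client_proof(user_share, appliance_share, site, server_nonce):
    """Proof of possession bound to the session. The key is derived from two
    shares (user's and appliance's), so neither party alone can produce it,
    and the proof covers the server identity and nonce of that session."""
    key = hashlib.sha256(user_share + appliance_share).digest()
    transcript = f"{site}|{server_nonce.hex()}".encode()
    return hmac.new(key, transcript, hashlib.sha256).digest()


def server_verify(proof, user_share, appliance_share, site, server_nonce):
    """Verifier side: recompute the proof over the server's own transcript."""
    expected = client_proof(user_share, appliance_share, site, server_nonce)
    return hmac.compare_digest(proof, expected)


def legit_login(user_share, appliance_share):
    nonce = secrets.token_bytes(16)
    proof = client_proof(user_share, appliance_share, REAL_SITE, nonce)
    return server_verify(proof, user_share, appliance_share, REAL_SITE, nonce)


def relay_client_auth_attack(user_share, appliance_share):
    """The phisher captures the proof from its own session with the user and
    replays it into a separate session with the real site. It never holds
    the shares; the real server verifies against its own site name and nonce,
    so the transcript differs and the replayed proof is rejected."""
    phish_nonce = secrets.token_bytes(16)   # issued by the phishing server
    real_nonce = secrets.token_bytes(16)    # issued by the real server
    captured = client_proof(user_share, appliance_share, PHISH_SITE, phish_nonce)
    return server_verify(captured, user_share, appliance_share, REAL_SITE, real_nonce)
```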

"The SSL infrastructure is out there and it's very robust," commented Eric Greenberg, one of the developers of the SSL protocol and current CTO of NetFrameworks, Inc. "As an industry we've only been using half of it because legacy PKI systems were too complex to implement."

To learn more, go to www.tricipher.com.

Copyright © 2004 Appliance-Lab