On Dec 27, 2015, at 14:33 , Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
On 27 December 2015 at 22:08, Owen DeLong <owen@delong.com <mailto:owen@delong.com>> wrote: This is a bit of a tangent, really. The discussion was about authentication factor counts and Baldur tried to use PCI-DSS acceptance of password-encrypted private key authentication as two-factor to bolster his claim that it was, in fact two-factor, when it clearly isn’t actually two-factor as has been stated previously.
I wanted to stay out of this, but Owen you are full of shit here. I am pointing out that your homemade definition does not match up with what others think two factor means. PCI DSS might be utter crap, but they are still more than "Owen DeLong and his personal opinion”.
Dude… It’s not just my opinion. Virtually every one else who chimed in on the thread other than you backed my position on this.
You are utterly confused about the meaning about two factor. You apparently believe the magic words "two factor" is a statement about the security of a system, while it is in fact just a simple property. A property that even an inherently insecure and weak system can have.
No, as I pointed out, you can have very weak security with two weak factors. However, the property two-factor means something and it’s not what you apparently think.
It is not, as you have said, about strengthen the search space of a crypto key (just double the key length if you need that). In fact, many two factor systems do not use crypto keys at all. An example of such a non crypto based system is a credit card with magnetic strip plus pin. The magnetic strip contains just the card number, which can also be read directly from the card and even memorized by the owner.
Actually, the magnetic stripe contains quite a bit more than the card number, but that’s another tangent. I never said you had to have crypto for two-factor, nor did I say that two factor magically made things stronger.
We need two factor because if you have just one factor, say the password, the hacker will simply call the user and ask him to tell the password. And the users will happily obligate. Experience shows this. On the other hand, if you give the users a single factor system with a physical token (a key), that gets stolen, misplaced or "borrowed" far too easily. Therefore industry standard is card + pin to enter a building (=two factor). Secure places require three factor (card + pin + biometric).
Card+pin is an example of two factors… You _HAVE_ the card and you _KNOW_ the PIN. Password-encrypted Key, OTOH, is something you _KNOW_ and something else you _KNOW_. It’s not something you _HAVE_ or something you _ARE_. There are three generally accepted categories of Factors for authentication… 1. Something you HAVE 2. Something you KNOW 3. Something you ARE In order to qualify as 2-factor, a system must require something from two of the categories. Two things from the same category do not qualify.
SSH keys are two factor because people do not in general memorize the key file. Because they do not, you can not gain access to the system with only what you know (=in your mind). Unless the user violated protocols and changed the passphrase to null, you can not gain access just by possession of the key file. That is all that is required to name it two factor. That Owen DeLong believes the system stinks does not change that at all.
Something on disk counts as something you know. A private/public key pair is not something you HAVE because it’s not a physical object and it’s certainly not something you ARE. It’s clearly in the something you KNOW category for all practical purposes, even if you don’t memorize it into your mind. Now, a private key in black box where you feed it encrypted stuff to be decrypted or decrypted stuff to be encrypted and you cannot extract the private key, that could be something you HAVE. But at that point, it’s the black box that is the thing you have, not the key itself. The key in the box and the boxes ability to decrypt/encrypt using that key is merely a mechanism for proving that you have the correct black box.
Historically the banks used to depend on a system that is the same as ssh keys: certificate files you have on your computer to access the bank website. That also is a two factor system. The users did not usually memorize the content of the certificates. The system is weak because bad guys used malware to steal the certificate files and install key loggers to also get the other factor, the password.
Again, real two-factor authentication depends on factors from different categories above. The certificate, like it or not, whether you memorize it or not, is something you KNOW, not something you HAVE. To qualify as something you HAVE, it has to be a unique physical token with some degree of difficulty in duplication. Some physical tokens are easier to duplicate than others. Examples include keys for pin-tumbler locks. Even those come in varying degrees of difficulty (3, 5, or 7 pins, straight or spool pins, angled pin alignments, etc.)
In my country (Denmark) they decided hardware keys are still too expensive, so they developed a two factor system based on paper keys. You will get a piece of paper with a few hundred random numbers. When you log in, you are asked to type one of the numbers in to prove that you are in possession of the key paper. The codes are just 6 digits and infinite weak if you believe them to be part of any crypto scheme. This system has also been broken because now bad guys ask the users to take pictures of the key paper to prove something, and the users happily do just that. Banks are still happy though, because the loss is less than the cost to ship hardware keys to everyone.
Why not just use Google Authenticator (free App) with a unique series on people’s smartphones? I’m pretty sure smartphones are quite common in DK by now.
Only strong two factor systems are really resistant to the users defeating the system by doing stupid things. That does not mean that only strong two factor systems are two factor. That would be silly - Owen what would you then name weak and broken two factor systems? It is a property - nothing more.
Correct. However, calling a system which depends on two “factors” from the same factor category doesn’t meet the requirements of a two factor system. Password protected SSH key is all in the something you KNOW category. Especially when you consider that you aren’t presenting the password and the key to the authenticator, you are using the password to unlock the key that is presented to the authenticator. (yes, I realize the key isn’t actually presented, it’s done differently involving using the key to encrypt a hash which can then be verified as correctly encrypted by decrypting with the public key, but that’s a technicality that isn’t really relevant here). Owen