Can mutual authentication beat phishing or man-in-the-middle attacks?

BROWSE BY TAG Identity Management and Access Control,   Web Authentication and Access Control,   Enterprise Identity and Access Management,   Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Web Authentication and Access Control Group to shed light on secure identity management threats How to confirm the receipt of an email with security protocols Schneier-Ranum Face-Off: Is Perfect Access Control Possible? Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat Changing times for identity management How to use single sign-on for Web access control to prevent malware IBM USB banking device stops keyloggers, malware Could someone place a rootkit on an internal network through a router? Sun launches open source OpenSSO for identity management Should a new user have to confirm an email address to gain access? Email and Messaging Threats (spam, phishing, instant messaging) Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Phishing attacks to remain a major problem, say security experts Barracuda acquires Purewire expanding Web security reach FBI raids phishing crime ring, nearly 100 arrested Massive phishing scheme affects Microsoft Hotmail accounts Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary access log  (SearchSecurity.com) anonymous Web surfing  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) identity chaos  (SearchSecurity.com) knowledge-based authentication  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) walled garden  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Let me address the second part of your question first, and then discuss the benefits of mutual authentication.

Man-in-the-middle attacks are able to defeat one-way SSL authentication because only one party in this transaction is absolutely assured of the other party's identity. Take the following scenario: You (the client) log in to your bank's online website (the server) to pay some bills. If your bank uses one-way SSL, the only party issuing a certificate is the bank's server, which it issues to you. The bank's server is not asking you to issue a certificate authenticating your identity as a legitimate customer. This is the gap. If there is someone listening between you and the bank's server for traffic, they can intercept your request to the server and, unbeknownst to you or the bank, carry on both sides of the conversation.

Let's look at how a man-in-the-middle attack is conducted. The first step is for the bad guy to capture your request to the bank's server, and forward it on your behalf. Next, the bad guy requests a certificate from the bank's server. Once the certificate is received, the attacker will parse out most of the information from the bank's certificate and use it to generate a convincing replica. The last step is to send you, the unsuspecting customer, a certificate that appears authentic. Your browser may issue some vague warnings, but to someone who isn't mindful of the dangerous possibilities of Internet transactions, these warnings are often dismissed by a simple click of the 'OK' button.

Now the bad guy is set up as the man in the middle between you and your bank. He simply sits back and waits for you to input some key pieces of information, such as your user name and password, and he has the keys to the kingdom.

How can this be stopped? One way is by using mutual authentication. The reason the alarming scenario detailed above could work is because the bad guy makes the request on your behalf, and there is no way for the bank to know that it isn't really you. Mutual authentication means that you and the bank are mutually assured of the authenticity of the other's identity. In this transaction, your browser and the bank's server would prove to each other your identity by swapping certificates. Now when you ask for the server's certificate, it would be sure that you were really you, and not the bad guy trying to imitate you.

More information:

• How effective are phishing links that refer to FTP sites? Read more.
• Learn about the risks associated with connecting a Web service to to an external system via SSL.