Can mutual authentication beat phishing or man-in-the-middle attacks?

BROWSE BY TAG Identity Management and Access Control,   Web Authentication and Access Control,   Enterprise Identity and Access Management,   Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS

RELATED CONTENT Identity Management and Access Control How to find and remove keyloggers and prevent spyware installation How to encrypt passwords using network security certificates Prevent meet-in-the-middle attacks with TDES encryption How to use single sign-on (SSO) for a server configuration Choosing management for Active Directory user provisioning LDAP signing requirements for various directory configurations User account best practices for an investment management website How to determine password strength for a website The pros and cons of implementing smart cards Keep files from being deleted by assigning read and execute permission Web Authentication and Access Control Yahoo login credentials at risk to hijacking attack Group to shed light on secure identity management threats IT business justification to limit network access How to confirm the receipt of an email with security protocols Schneier-Ranum Face-Off: Is Perfect Access Control Possible? Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat Changing times for identity management How to use single sign-on for Web access control to prevent malware IBM USB banking device stops keyloggers, malware Could someone place a rootkit on an internal network through a router? Email and Messaging Threats (spam, phishing, instant messaging) Sophos researchers warn of new Amazon phishing scam Social networks, financial firms getting used in phishing, brand abuse Medical identity fraudsters target health care info, experts say Microsoft takes legal action to shut down Waledac botnet How secure is an email with a .pdf attachment? MAAWG documents spam statistics stalemate How to turn off Google Buzz and avoid privacy issues Chinese hacker attacks target Google Gmail accounts, top tech firms PDF attack code complicates security analysis, skirts detection Panda warns of American Express phishing scam Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary access log  (SearchSecurity.com) anonymous Web surfing  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) identity chaos  (SearchSecurity.com) knowledge-based authentication  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) walled garden  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: David Griffeth, past SearchSecurity.com expert Pose a Question Other Security Categories Meet all Security Experts Become an Expert for this site

ANSWERED October 2008:

Let me address the second part of your question first, and then discuss the benefits of mutual authentication.

Man-in-the-middle attacks are able to defeat one-way SSL authentication because only one party in this transaction is absolutely assured of the other party's identity. Take the following scenario: You (the client) log in to your bank's online website (the server) to pay some bills. If your bank uses one-way SSL, the only party issuing a certificate is the bank's server, which it issues to you. The bank's server is not asking you to issue a certificate authenticating your identity as a legitimate customer. This is the gap. If there is someone listening between you and the bank's server for traffic, they can intercept your request to the server and, unbeknownst to you or the bank, carry on both sides of the conversation.

Let's look at how a man-in-the-middle attack is conducted. The first step is for the bad guy to capture your request to the bank's server, and forward it on your behalf. Next, the bad guy requests a certificate from the bank's server. Once the certificate is received, the attacker will parse out most of the information from the bank's certificate and use it to generate a convincing replica. The last step is to send you, the unsuspecting customer, a certificate that appears authentic. Your browser may issue some vague warnings, but to someone who isn't mindful of the dangerous possibilities of Internet transactions, these warnings are often dismissed by a simple click of the 'OK' button.

Now the bad guy is set up as the man in the middle between you and your bank. He simply sits back and waits for you to input some key pieces of information, such as your user name and password, and he has the keys to the kingdom.

How can this be stopped? One way is by using mutual authentication. The reason the alarming scenario detailed above could work is because the bad guy makes the request on your behalf, and there is no way for the bank to know that it isn't really you. Mutual authentication means that you and the bank are mutually assured of the authenticity of the other's identity. In this transaction, your browser and the bank's server would prove to each other your identity by swapping certificates. Now when you ask for the server's certificate, it would be sure that you were really you, and not the bad guy trying to imitate you.

More information:

• How effective are phishing links that refer to FTP sites? Read more.
• Learn about the risks associated with connecting a Web service to to an external system via SSL.