Fingers vs Fingerprints



It turned out that my "Authentication vs Identification" article was not sufficiently conclusive in the sense that some hardcore biometrics fans still nurture a non-trivial and well justified objection. So I need to address and destroy it, in order to close the topic. My opponents' argument is:

Your analysis narrows the both sides of the problem to a knowledge/ownership claim. Even if you are right, the conclusion is only applicable to the authentication by means of a knowledge token, whereas all the rest relations between the user and the token (suitable for authentication purposes) are set aside. There is one particularly important relation (the one fundamental for the entire biometrics field): «the user is» or other way around «the token is a part of the user» — this relation implies inalienability which makes the token safe for authentication purposes.

It is true. Completely true. It is undeniably true! In the physical realm.
Read more →

Authentication vs Identification



Once again I have to return to the topic of strict antagonism between the authentication and the identification, meaning these very processes and the tokens involved as well. Before I indulge into boring you with tedious decomposition of entities you used to perceive as atomic, I present you a synthetic illustration of the difference in question. A bad guy tries to get a false-negative outcome of identification, and a false-positive outcome of authentication. This is not explanatory, yet very indicative, I hope it gives you an idea of the magnitude of the difference, and we are going to dig into this now.
Read more →

What Makes Your Password YOURS?



Simple questions are usually the most difficult ones to answer. And the most important among them are traditionally labeled stupid and dismissed. The modern days InfoSec is based upon unanswered questions. The lack of theoretical basis allows InfoSec gurus to produce teachings and «best practices» without a limit.

Today I want to address two very basic questions about passwords:

What are characteristic properties of a password? and what makes your password yours?

By answering these questions you achieve understanding of the utter malevolence of the password abandonment movements, that are so frighteningly popular today. There is a particularly dangerous movement to replace passwords with bio-metric attributes that can reliably identify your body (e.g. voice, fingerprints, and such). Although these attributes are successfully used in forensic practice for centuries, it does not make them good authentication tokens. Why? Because your password's job is NOT to identify your body.

I hear you screaming: «WHAT?!?!?!» That means you are ready to investigate what IS a password, what is its job, and what properties do you want your password to possess.
Read more →

An Observation About Passphrases: Syntax vs Entropy



I suggested in the article to use passphrases instead of «traditional» passwords, for multiple reasons, including: sheer strength, memorability, and conforming to idiotic password creation policies without actually following detrimental recommendations of the policy authors.

This recommendation gives rise to a reasonable doubt: «what if syntactically correct phrases are as weak as dictionary words in comparison to a random string of symbols?''. Indeed, syntax itself should weaken a passphrase, as it provides some „predictability'' to the phrase. I want to address this problem, by comparing syntactically correct passphrases to random collections of words (which we all consider sufficiently strong… hopefully).
Read more →

Password Strength Explained

This is a scheme of how we define password strength in a strict scientific manner without bullshit and lyrics:

1. we clarify what is a guessing attack and set aside all other types of attacks;

2. we prove the theorem: any two guessing attacks differ ONLY by the ORDER in which they try candidate-passwords;

3. we demonstrate that password strength (in any practical sense) is a function of an attack;

4. the strength of a given password is the position of this password in the attacker's dictionary;

5. the defender's strategy is an approximation of the attack dictionary order;

6. an approximate order is equivalent to a specific set of orders (i.e. different attacks);

7. thus, the defender's password strength is an expected value for the password strength over the given set of attacks.

You can read the implementation of this scheme in my paper: "A Canonical Password Strength Measure". It gives us a feasible meaningful unambiguous measure that everyone can implement.

It is also worth noticing that Shannon's entropy is entirely irrelevant to the password strength problem. Entropy is based on the ASSUMPTION of possible outcomes. This set is well defined in the context of measuring a memory size, and not defined at all in the context of password creation/guessing.

In contrast to my work, the «password strength» discourse is extraordinarily rich on bullshit. Take a look at this masterpiece. This is a great example of how to write some 35K of text without answering the question, and even without understanding the subject. Let me quote the key paragraph:

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

This is one of the best non-answers I have ever seen, and a very succinct one too. No wonder it originates from the government officials! It obscures the matter it addresses in almost every word — «effectiveness», «resisting», «complexity», «unpredictability» — what are they? So, essentially the quoted paragraph reads:

Password strength is a function of something unknown to us.

It is time for us to do some trivial maths and terminate the «password strength» nonsense.

Android's Security Policy Is: "All Or Nothing"

This is the essay about the biggest and the most successful infosec profanation campaign in the world. It undermines the very idea of security awareness in each and every aspect, and it does so very subtly too. Initially I wanted to tell you how this profanation works and why it would be successful at cleansing users' minds from any security related thoughts; today I have upgraded my test-bunny Android device and realized that my «prediction» is getting late — Android has entered the final stage of the campaign: after the applications succeeded at damaging users' security awareness, the core system itself openly stepped into the battle, to commit the final blow.
Read more →

Each Security Hole Is Created By Someone Deliberately.

Naked Security reports another (not very special) piece of malware for Android. It is quite sophisticated and effective, it has fooled almost 200K users.

I want to talk about one particular detail, quote:

The apps were installed directly onto unwitting Android devices as the extension bypassed the operating system’s permissions process.

Once again my question is how is it even possible in a mentally sane world??? Who created this bypass and why? No questions asked to Android, everybody is throwing feces at «evil-evil-evil» developers of malware. I believe that the idea of infosec related media is to channel the users' wrath into a safe direction, away from those who made malware possible in the first place, and suppress real inconvenient questions to the «trusted» developers and «respected» vendors.

Within the next few days I will explain you all evils of the android quasi-security — today I am too angry.