I saw it in a slide for Mark Stamp. He says:

"Authentication on a stand-alone computer is relatively simple: 1) For example, hash a password with a salt. 2) “Secure path,” attacks on authentication software, keystroke logging, etc., can be issues"

What does a secure path mean? While I find it easy to understand this term in the context of computer networks, I have trouble understanding it in another context (as in protocols or software for example).

schroeder
osmak
  • Could you give a reference to where you see the term used so we have a better idea about the context? – Arminius Jul 21 '18 at 19:04
  • I saw it in a slide for Mark Stamp. He says: "Authentication on a stand-alone computer is relatively simple: 1. For example, hash a password with a salt. 2. “Secure path,” attacks on authentication software, keystroke logging, etc., can be issues" – osmak Jul 21 '18 at 19:11
  • Please provide sources and links to things that you cite - it's all about proper context – schroeder Jul 21 '18 at 19:44

1 Answer

Your question refers to the use of the phrase "secure path" in slide 13 of a talk about Simple Authentication Protocols (or the same/similar slides in several other talks or courses). This context states that "Authentication on a stand-alone computer is relatively simple" but that "attacks on authentication software, keystroke logging, etc., can be issues".

In this context "secure path" refers to the path which leads to the final authentication result, i.e. entering the authentication credentials and validating these credentials. While there can be attacks which affect the security of this path, like key loggers or bugs/backdoors in the authentication software, this path can still be considered sufficiently secure, especially compared to authentication over a network which is the next point on the slide. Thus, "secure path" is meant to be read as not fully secure (that's why it was put in quotes) but comparatively secure in contrast to authentication over a network.

Steffen Ullrich
  • That slide is found in quite a number of university slide decks. I cannot determine the original source, unfortunately. – schroeder Jul 21 '18 at 19:53
  • @Steffen Ullrich - When referring to "this path can still be considered sufficiently secure, especially compared to authentication over a network", do you mean to suggest that the path is sufficiently secure if it is not occurring over the network i.e. local authentication in that the application attempting to authenticate is on the same endpoint as the authentication realm? – Motivated Jul 22 '18 at 08:08
  • @Motivated: I mean that the path is secure compared to the network. It is probably sufficiently secure for the common use cases. But given that attacks are still possible one cannot claim that it is secure enough for all use cases. – Steffen Ullrich Jul 22 '18 at 08:59
  • Is there a formal definition for this term in computer security, or does it always depend on the context? – osmak Jul 22 '18 at 11:51
  • @osmak: this is just an ad-hoc phrase and it is even explicitly quoted to make clear that it is not really secure. – Steffen Ullrich Jul 22 '18 at 14:37
  • @Steffen Ullrich - If a secure path suggests the start and end of an authentication request and response, how would it be secure compared to the network since it occurs over the network? Do you mean to say if it utilizes secure protocols such as TLS? If so would this be considered sufficient however not in all use cases such as a compromise of an endpoint? – Motivated Aug 05 '18 at 06:20
  • @Motivated: if you look at the slide you'll see that the phrase "secure path" is used in connection with authentication on a stand-alone computer. No network is involved in this. Again, this phrase is explicitly used to mark the contrast in security to network based authentication. – Steffen Ullrich Aug 05 '18 at 09:27