Hitoshi Kokumai

3 years ago · 2 min read · ~100


Advanced Persistent Threats in Digital Identity

You may have heard this disturbing news report: “Chinese hacker group caught bypassing 2FA - Chinese state-sponsored group APT20 has been busy hacking government entities and managed service providers.”

We were amazed by the capability of those cyber attack forces, which may well be backed by huge budgets and irresistible means to bribe and threaten insiders of the target organizations.

Well, we could make meaningful contributions in such areas as (1) preventing the compromise of an OTP token from affecting the overall security of 2F authentication, (2) preventing the OTP token from getting compromised in the first place, and (3) preventing inside jobs.

Below are the conclusions that we reached.

1. Our proposition of the simplest 2F authentication could help. 

We could consider an extremely simple two-factor authentication made of a remembered password (what we remember) and a memo or storage medium on which a long password is written or stored (what we possess), which we can use right away at no cost.

If properly hashed, the resulting high-entropy hash value can withstand fierce brute-force attacks. Theft or copying of the memo/storage alone would not matter as long as the remembered password is unknown to the criminals.

Furthermore, ‘Image-to-Password Converter cum Entropy Amplifier’ software could be considered for a better balance of security and convenience at a higher level once Expanded Password System becomes readily available. This software can be offered as a plug-in module for either the server or the user’s device.

These schemes are explained in detail in the “Proposition on How to Build Sustainable Digital Identity Platform”, selected as a finalist for the ‘FDATA Global Open Finance Summit & Awards 2019’.

2. Our proposition of 2-channel authentication could help. 

With our 2-channel scheme, the one-time code can be recovered and sent to the server only by the legitimate user who retains the secret credential in their brain.

Further details are provided in the slide “2-Channel Authentication with No Physical Tokens and No SMS”.

It is also referred to as a powerful phishing deterrent in “Targeted/Spear Phishing and Expanded Password System”.

By the way, this 2-channel scheme is not just a concept; it was actually implemented in the real world for corporate use.

3. Our proposition of Authority-Distributed Authentication could help.

With this scheme, an encryption key is reproduced by any combination of 3 registered operators and eliminated after the operation, as outlined in the slide “On-the-fly Key Generation from Our Memory”. It would be extremely hard to quietly bribe or threaten 3 people at a time.

Again, this scheme is not just a concept; the prototype software proved to work.
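The "any combination of 3 registered operators" property above, as an added example that is not the post's or the author's software: Shamir secret sharing over a prime field is the standard construction that gives exactly this threshold behaviour, and it is used here only to illustrate the property. The post derives operator credentials from memory; how each operator holds their share is outside this example, and PRIME, THRESHOLD and the function names are assumptions.

```python
import secrets

# Field modulus: a Mersenne prime larger than any 128-bit key
# (constructed parameter for this example, not taken from the post).
PRIME = 2**127 - 1
THRESHOLD = 3  # the post's "any combination of 3 registered operators"

def split_key(key, n_operators, k=THRESHOLD, rng=secrets.randbelow):
    """Shamir split: shares are points (x, f(x)) on a random degree-(k-1)
    polynomial with f(0) = key; any k points fix the key, k-1 reveal nothing."""
    if not 0 <= key < PRIME:
        raise ValueError("key must be an integer below PRIME")
    if k > n_operators:
        raise ValueError("threshold cannot exceed the number of operators")
    coeffs = [key] + [rng(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n_operators + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def reconstruct_key(shares):
    """Lagrange interpolation at x = 0. With fewer than k shares this yields
    a value unrelated to the key rather than an error."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate operator shares")
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        key = (key + yi * num * pow(den, -1, PRIME)) % PRIME
    return key

def use_key_once(shares, operation):
    """Reproduce the key from the presented shares, run one operation with it
    and drop the reference afterwards (Python cannot zeroize memory; a real
    build would keep the key in a locked buffer and wipe it)."""
    key = reconstruct_key(shares)
    try:
        return operation(key)
    finally:
        del key
```

Two shares interpolate a line that passes through the wrong point at x = 0, so a pair of colluding operators learns nothing about the key, while any three recover it exactly.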


We are confident that we could make significant contributions to mitigating these 3 problems:

(1) preventing the compromise of an OTP token from affecting the overall security of 2F authentication,

(2) preventing the OTP token from getting compromised in the first place, and

(3) preventing inside jobs.

< Related Articles >

History, Current Status and Future Scenarios of Expanded Password System

Removal of Passwords and Its Security Effect

#identity #authentication #password #security #fintech #finance #banking #biometrics #ethic #privacy #democracy

