Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!rice!sun-spots-request
From: gnu@toad.com
Newsgroups: comp.sys.sun
Subject: Security of Secure NFS
Keywords: Miscellaneous
Message-ID: <3589@brazos.Rice.edu>
Date: 4 Dec 89 07:28:21 GMT
Sender: root@rice.edu
Organization: Sun-Spots
Lines: 19
Approved: Sun-Spots@rice.edu
X-Refs:  Original: v8n129
X-Sun-Spots-Digest: Volume 8, Issue 214, message 5 of 11

Preston Mullen asked back in Sept. whether Secure NFS's security was
"illusion or reality".  The short answer is it's illusion.

One of the ten-minute talks at Crypto '89 in August was on "Cryptanalysis
of Secure NFS" by Andrew Odlyzko (research!amo) and Brian LaMacchie.  They
found that Sun had made errors in the implementation that resulted in the
system being relatively insecure as cryptographic systems go.  Also,
finding discrete logarithms doesn't appear to be as hard as Sun expected
it to be, so the numbers Sun is using aren't big enough to avoid people
simply burning some CPU time to break the system.  Andrew says he "gave
the job of breaking it to a bright summer student" (LaMacchie).  You
should contact them for the full details.

There are also major holes in the way the system starts up; the password
for "root" is stored in a file in the file system, so the system can boot
up without having someone type a password.

John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu      gnu@toad.com
    Just say *yes* to drugs.  Use your *no*s for government bullshit.