Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!uunet!mcsun!inria!mirsa!jlf
From: jlf@mirsa.inria.fr (Louis Faraut)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID: <8685@mirsa.inria.fr>
Date: 2 Oct 90 13:01:44 GMT
Reply-To: jlf@mirsa.inria.fr (Jean-Louis Faraut)
Organization: ESSI, Sophia-Antipolis (Fr)
Lines: 37

Hello interns!

Here is my little contribution to the login Trojan issue.

It seems to me that the problem happens because authentication is one-way only, user -> computer. In the present login protocol, the user could possibly be a bad guy, but the computer is always "a good guy". This is clearly a false assumption :-(

What about two-way authentication, modifying the getty program to oblige the computer to authenticate itself?

This could be achieved the following way, by use of a secret keyword, a sort of secondary passwd:

- CPU prompts "login:"
- type your login name
- CPU decrypts your secret keyword and displays it on screen. (Each user keeps his own secret keyword encrypted in a personal file; only the owner and root can read/modify this file.)
- CPU prompts "passwd:"
- Now you can either type your usual passwd if the secret keyword was right, or do anything else, possibly aborting the session.

So, is there an easy way to attack this protocol?

Jean-Louis Faraut
System Administrator, ESSI
ESSI (Ecole Superieure des Sciences Informatiques), Sophia-Antipolis (France)
E-mail: jlf@cerisi.cerisi.fr, jlf@mirsa.inria.fr
Tel.: 93 95 44 37

Sorry for bad English, I'm French, nobody is perfect :-)
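
Added example, not part of the original post or of any real getty: a Python sketch of the exchange proposed above, with the host refusing to display a keyword unless the file's ownership and mode match the post's "only the owner and root" rule. The file name `.login_keyword`, the function names and the sample keyword are assumptions, and the keyword is stored unencrypted here to keep the sketch short.

```python
import os, stat, tempfile

KEYWORD_FILE = ".login_keyword"  # hypothetical file name (assumption)

def read_keyword(home, owner_uid):
    """Host side: return the user's keyword, or None unless the file is a
    regular file owned by the user with no group/other permission bits."""
    path = os.path.join(home, KEYWORD_FILE)
    try:
        # O_NOFOLLOW: refuse a symlink; fstat below checks the opened file
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return None
    with os.fdopen(fd) as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
            return None
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            return None  # readable or writable by someone other than owner
        return f.read().strip()

def user_session(login_program, login_name, expected_keyword):
    """User side: type the login name, look at what the host displays, and
    type the password only if it is the expected keyword."""
    shown = login_program(login_name)
    if shown is None or shown != expected_keyword:
        return "abort"  # no password is ever typed
    return "send-password"

def demo():
    """Constructed scenario: one user, the real login program, an impostor."""
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, KEYWORD_FILE)
        with open(path, "w") as f:
            f.write("heron-42\n")  # constructed sample keyword
        os.chmod(path, 0o600)
        uid = os.getuid()
        real = lambda name: read_keyword(home, uid)
        impostor = lambda name: "welcome"  # modelled as not knowing the keyword
        results = [user_session(real, "jlf", "heron-42"),
                   user_session(impostor, "jlf", "heron-42")]
        os.chmod(path, 0o644)  # keyword file is now world-readable
        results.append(user_session(real, "jlf", "heron-42"))
        return results

if __name__ == "__main__":
    print(demo())
```

The user-side check is only as strong as the assumption that no program other than the real login program can obtain the keyword.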