Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!rpi!sci.ccny.cuny.edu!phri!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID: <21948:Oct606:29:2890@kramden.acf.nyu.edu>
Date: 6 Oct 90 06:29:28 GMT
References: <8685@mirsa.inria.fr> <12438:Oct223:00:3290@kramden.acf.nyu.edu> <651@puck.mrcu>
Organization: IR
Lines: 36

In article <651@puck.mrcu> paj@uk.co.gec-mrc (Paul Johnson) writes:
> >In article <8685@mirsa.inria.fr> jlf@mirsa.inria.fr (Jean-Louis Faraut) writes:
> >> What about a two-way authentication, modifying the getty program to
> >> oblige the computer to authenticate itself?
> >Fails. As I've said before, you can't reliably *avoid* a Trojan Horse
> >unless you can reliably *detect* a Trojan Horse. If you don't have a
> >trusted path, the intruder can masquerade as you, forwarding enough of
> >the responses you supply to authenticate itself and then taking control
> >of your account.
> No it does not.

Let's settle on some terminology here. A login spoof pretends to be
login, but isn't connected to the real login program. Barry's solution
works here; Jean-Louis's solution works here; even the dumb strategy of
putting a hostname before the login: lets the user detect a login spoof.

But I'm not talking about a spoof. I'm talking about a Trojan Horse. A
Trojan Horse pretends to be a *connection directly to your computer*,
but is actually a *connection through a hostile program to your
computer*. Read the paragraph of mine quoted above.

Challenge sequences don't work against a ``proper'' Trojan Horse.
Encryption doesn't work---though it can limit the damage that certain
types of Trojan Horses can do. *Nothing works*. Unless every
communications link provides explicit verification that you're talking
to who you think you're talking to, you *cannot* avoid a Trojan Horse.

> A plain trojan could not make the correct response:
> all it could collect would be the user's challenge.

That's a spoof. Read the paragraph quoted above that you're responding
to: I'm not talking about a spoof.

---Dan
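The distinction Dan draws, as an added example that is not part of the original thread: a Python simulation of mutual challenge-response in which a Trojan Horse merely forwards every message between the user's link and the host, so the plain scheme passes on both sides, while folding a per-link identity into each response (the explicit per-link verification he describes) makes the forwarded answers fail. The shared key, the link names, the HMAC construction and the assumption that a link's identity cannot be forged by the program in the path are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample secret shared by the user and the host (assumption:
# a challenge-response login keyed by such a secret, as proposed in the thread).
SHARED_KEY = b"constructed-demo-shared-secret"


def respond(challenge: bytes, link_id: bytes) -> bytes:
    """Answer a challenge. link_id is b"" for plain mutual challenge-response,
    or the identity of the link the answering party believes it is on
    (assumed here to be something the relaying program cannot forge)."""
    return hmac.new(SHARED_KEY, link_id + challenge, hashlib.sha256).digest()


def mutual_login(user_link: bytes, host_link: bytes, bind_links: bool) -> bool:
    """Mutual challenge-response between a user on user_link and a host that
    actually sees host_link. A Trojan Horse in the path forwards each message
    unchanged, so the two link names differ only when it is present."""
    user_tag = user_link if bind_links else b""
    host_tag = host_link if bind_links else b""

    # User challenges the host; the reply travels back through the same path.
    user_challenge = os.urandom(16)                       # user -> (relay) -> host
    host_reply = respond(user_challenge, host_tag)        # host -> (relay) -> user
    host_authentic = hmac.compare_digest(
        host_reply, respond(user_challenge, user_tag))

    # Host challenges the user; the relay again only forwards bytes.
    host_challenge = os.urandom(16)                       # host -> (relay) -> user
    user_reply = respond(host_challenge, user_tag)        # user -> (relay) -> host
    user_authentic = hmac.compare_digest(
        user_reply, respond(host_challenge, host_tag))
    return host_authentic and user_authentic


if __name__ == "__main__":
    # Direct connection: both parties are on the same link.
    print(mutual_login(b"console", b"console", bind_links=False))    # True
    # Trojan Horse relaying between the console and a second link into the
    # host: it never needs the secret, so plain mutual auth still passes.
    print(mutual_login(b"console", b"relay-net", bind_links=False))  # True
    # With each link's identity folded into the responses, the forwarded
    # answers no longer verify and both sides detect the hostile path.
    print(mutual_login(b"console", b"relay-net", bind_links=True))   # False
```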