Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!rphroy!caen!uwm.edu!bionet!agate!dog.ee.lbl.gov!nosc!crash!lairdb From: lairdb@crash.cts.com (Laird Broadfield) Newsgroups: comp.dcom.modems Subject: Re: What do you think about security functions in modems? Message-ID: <8242@crash.cts.com> Date: 28 Mar 91 20:51:08 GMT References: <3888.27f10f22@hayes.uucp> Organization: "Well, a head on top, an arm on each side, two legs...." Lines: 57 In <3888.27f10f22@hayes.uucp> tnixon@hayes.uucp writes: >I am studying the issue of increasing security and privacy of modem >communications at the physical layer, and would appreciate hearing >any comments or ideas you might have. I'm not looking for new >_inventions_ (please DON'T send me anything you consider to be >confidential or trade secret), but your opinions on the usefulness, >effectiveness, and value of commonly-used techniques such as >call-back security (within a modem; I, for example, think it is more >effective when controlled by an external device so that incoming and >outgoing calls are on different lines), encryption (built into the >modem, like data compression), modem-based passwords (with the >exchange of information handled by the error control protocol, >possibly using an encrypted challenge/response system), etc. I'm >also interested in your opinion on whether new techniques such >as modem-based decoding of caller-ID information would be useful. IMO: Callback security is a Good Thing, but given the current (low) level of communication between CPE and the CO, far too easy to defeat if it goes out on the same line. Therefore (as you point out) this one should be handled outside the modem. The rest of the techniques you mention, however, gain substantially by being built into the modem. The tamper-ability factor is reduced hugely by embedding all that stuff. Modem-based passwords and encryption would seem to go hand-in-hand, though, with both devices implementing an encryption scheme and refusing to talk unless they both have the same key(s). The value of a user giving a modem a password seems dubious. The one scenario I can see this being useful, is in a challenge-response scenario, with one of those little keypad/display gadgets (type in the challenge, give back the displayed response.) This might be useful if the callers are expected to be using a variety of equipment to call in. An intermediate step might be a dongle-type device that could be put inline with a non-secure modem that would allow modem commands through, but when awoken by the secure modem, it would get into the act. Physical "keys" are another approach, so are centrally distributed keys, so is the combination of both (e.g. the way an STU3 works.) The physical key business presents vendor-compatibility problems, but the central issuer business could be cross-standardized. (Didn't I see something here or in c.d.telecom a few months ago about the Bells providing a "registered call" service (never mind the MFJ, eh?)) Caller-ID reading would be useful for other reasons, as well as security, and should be implemented *ASAP* without waiting for a "security" confab. It's not that useful for serious security since it could be spoofed without much difficulty. $0.02! -- -- Laird P. Broadfield | Year after year, site after UUCP: {akgua, sdcsvax, nosc}!crash!lairdb | site, and I still can't think INET: lairdb@crash.cts.com | of a funny enough .sig.