Xref: utzoo comp.dcom.modems:9118 sci.crypt:4445
Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!sei.cmu.edu!fs7.ece.cmu.edu!o.gp.cs.cmu.edu!pt.cs.cmu.edu!rochester!kodak!ispd-newsserver!rpi!usc!samsung!munnari.oz.au!metro!dramba!janm
From: janm@dramba.neis.oz (Jan Mikkelsen)
Newsgroups: comp.dcom.modems,sci.crypt
Subject: Re: What do you think about security functions in modems?
Message-ID: <1991Apr6.152822.4628@dramba.neis.oz>
Date: 6 Apr 91 15:28:22 GMT
References: <3888.27f10f22@hayes.uucp> <1991Apr4.144615.22814@dce.ie>
Organization: Dramba Holdings, Lindfield, Australia
Lines: 44

In article <3888.27f10f22@hayes.uucp> tnixon@hayes.uucp asks for:
>... your opinions on the usefulness,
>effectiveness, and value of commonly-used techniques such as
>call-back security (within a modem; I, for example, think it is more
>effective when controlled by an external device so that incoming and
>outgoing calls are on different lines), encryption (built into the
>modem, like data compression), modem-based passwords (with the
>exchange of information handled by the error control protocol,
>possibly using an encrypted challenge/response system), etc.

What you need in a modem will depend on what you are trying to prevent.
If you are trying to keep the entire dialogue on the line secret from
someone tapping the line, then data encryption in the modem is useful.
This is however not always the case. Commercial users are often more
worried about authentication and confidentiality in other places.
Cryptography in a modem does not help the data before it enters the
sending modem, and after it leaves the receiving modem.

It all comes down to a matter of trust. If the only place you mistrust
with your data is the telephone line, then modem encryption is useful.
Unfortunately, many people mistrust more than that, and require
encryption at a higher level - "end to end".

There is also the problem of key management with a modem. They are
harder to do, and it is unlikely that the modem will be able to do
asymmetric key cryptography (like RSA) at any reasonable speed.

Modem based passwords and challenge/response could be useful but
personally I would put all security functionality into the host where
better control can be kept over the secure key storage, logging can be
done, and there is greater control over the software.

Now, a smart card reader, PIN pad and a modem in a tamperproofed case
would be an interesting idea. I don't think anyone has attempted this
yet, and it could certainly help with the key management problem. The
cost of these things has come down significantly over the past few
years also ...

--
Jan Mikkelsen
janm@dramba.neis.oz.AU or janm%dramba.neis.oz@metro.ucc.su.oz.au
"She really is."