Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83 based; site hounx.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxn!ihnp4!houxm!hounx!kort
From: kort@hounx.UUCP (B.KORT)
Newsgroups: net.crypt
Subject: Re: Dialback (Re: Re: foiling password crackers)
Message-ID: <680@hounx.UUCP>
Date: Wed, 12-Mar-86 07:02:55 EST
Article-I.D.: hounx.680
Posted: Wed Mar 12 07:02:55 1986
Date-Received: Fri, 14-Mar-86 04:55:53 EST
References: <974@decwrl.DEC.COM> <262@birtch.UUCP> <210@duts.UUCP> <2904@sunybcs.UUCP>, <2724@reed.UUCP>
Organization: AT&T Bell Labs, Holmdel NJ
Lines: 22

Bart Massey suggests an improvement on the Dialback scheme, wherein PCs in
the user's premises provide the software for the password protocol. Bart
asks if such a system is vulnerable.

I think every system is ultimately vulnerable, but you have to get up
pretty early in the morning to beat the harder ones.

If you ever watched Mission Impossible, you may have seen an episode in
which the techno-wizard hooked up a box to the bad guy's phone line. When
the unsuspecting dude went off-hook, the box simulated the dial tone and
answer protocol and sucked the information out of the user's terminal.

A simple audio recording of the phone line signals can be played back to
the main computer. This means that the logon handshake has to have a
random word from the host, which is responded to in real time by the PC,
so that the handshake is different every time.

The only way to stay ahead of the nefarious password foilers is to use a
system more complex than will fit in the foiler's system, but this means
frequent evolutionary changes in the password system. A moving target,
especially a receding target, is the hardest to hit.

--Barry Kort
  ...ihnp4!hounx!kort
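The handshake Kort describes (host sends a fresh random word, the PC answers it in real time, so a recording of one logon is useless for the next) is the idea that later became standard challenge-response authentication. The following is an added example, not code from the original post or from any dialback product; it models the host, the user's PC, and the "box on the phone line" as Python objects. The shared key, the 16-byte challenge length, and HMAC-SHA256 as the response function are assumptions chosen for the illustration, as is the fixed-password contrast case. The line tap records everything that crosses the line and then plays it back: against a fixed password the playback logs in, against the random-word handshake it does not.

```python
"""Random-word logon handshake versus a replayed line recording.

Added example; not part of the original Usenet post. The key,
challenge size and HMAC-SHA256 are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

# Assumed shared secret provisioned on both the host and the user's PC.
SHARED_KEY = b"example-shared-key-not-from-the-post"

# Assumed fixed password for the contrast case (recording defeats it).
PASSWORD = b"hunter2"


class LineTap:
    """The 'box on the phone line': records everything it sees."""

    def __init__(self):
        self.recording = []

    def observe(self, msg):
        self.recording.append(msg)
        return msg


class Host:
    """Host side: issues a fresh random word, checks the PC's answer."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        # A fresh random word per logon; the PC must answer this one.
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response):
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # single use: each word is answered once
        return hmac.compare_digest(expected, response)


class PC:
    """User's PC: computes the answer in real time from the shared key."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def challenge_response_session(host, pc, tap):
    """Legitimate logon; both messages cross the tapped line."""
    chal = tap.observe(host.challenge())
    resp = tap.observe(pc.respond(chal))
    return host.verify(resp)


def replay_challenge_response(host, tap):
    """Attacker plays the recorded answer back at a new logon prompt."""
    host.challenge()                 # host issues a different random word
    recorded_resp = tap.recording[1]  # answer to the OLD word
    return host.verify(recorded_resp)


def password_session(tap):
    """Fixed-password logon: the same secret crosses the line every time."""
    sent = tap.observe(PASSWORD)
    return hmac.compare_digest(sent, PASSWORD)


def replay_password(tap):
    """Playing the recording back is as good as knowing the password."""
    return hmac.compare_digest(tap.recording[0], PASSWORD)


def demo():
    """Returns (password replay works?, legit handshake ok?, handshake replay works?)."""
    tap_pw = LineTap()
    password_session(tap_pw)
    pw_replay_ok = replay_password(tap_pw)

    tap_cr = LineTap()
    host, pc = Host(SHARED_KEY), PC(SHARED_KEY)
    legit_ok = challenge_response_session(host, pc, tap_cr)
    cr_replay_ok = replay_challenge_response(host, tap_cr)
    return pw_replay_ok, legit_ok, cr_replay_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The random word only defeats passive playback of an old session. A box that stays on the line during a live logon and forwards the host's fresh word to the real PC in real time is a different (active) attack, and this handshake on its own does not address it.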