Xref: utzoo comp.unix.questions:5797 comp.unix.wizards:6683
Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!ames!elroy!cit-vax!oberon!skat.usc.edu!blarson
From: blarson@skat.usc.edu (Bob Larson)
Newsgroups: comp.unix.questions,comp.unix.wizards
Subject: Re: Usenet Security
Message-ID: <7196@oberon.USC.EDU>
Date: 24 Feb 88 20:19:51 GMT
References: <108@tron.UUCP> <2739@codas.att.com> <23504@hi.unm.edu> <7311@brl-smoke.ARPA> <1988Feb22.175256.12780@jarvis.csri.toronto.edu>
Sender: news@oberon.USC.EDU
Reply-To: blarson@skat.usc.edu (Bob Larson)
Organization: USC AIS, Los Angeles
Lines: 31

In article <1988Feb22.175256.12780@jarvis.csri.toronto.edu> flaps@csri.toronto.edu (Alan J Rosenthal) writes:
>In article <7311@brl-smoke.ARPA> gwyn@brl.arpa (Doug Gwyn) writes:
>>One way to not lose an appreciable degree of security due to modem
>>access (assuming telephone line tapping is ruled out) is to have
>>the system check an incoming user ID against an internal list and
>>call back the phone number contained in the internal list to
>>establish the real working connection.

>Doesn't this just put the shoe on the other foot?  If you call the
>other system back, you have to prove that it's you calling back.

This is easy to solve, include a temporary password with the first
call.  The called back system will then know that the system calling it
knows a random password it just generated and sent to one other system.
(There should be an exparation time on the password, related to the
maximum time the call back will take.)

System A calls System B to and says "Hi, I'm system A, use Password
xxxyyyz and call me back."

System B then calls system A and says "I'm system B, someone told me
to call and use password xxxyyyz."

A possible improvement would be to not have system A hang up and not
tell it's password until the other system has called back.

This is NOT secure from phone taps.
--
Bob Larson	Arpa: Blarson@Ecla.Usc.Edu	blarson@skat.usc.edu
Uucp: {sdcrdcf,cit-vax}!oberon!skat!blarson
Prime mailing list:	info-prime-request%fns1@ecla.usc.edu
			oberon!fns1!info-prime-request