Path: utzoo!mnetor!uunet!husc6!bloom-beacon!gatech!hubcap!ncrcae!ncr-sd!hp-sdd!ucsdhub!jack!nusdhub!rwhite
From: rwhite@nusdhub.UUCP (Robert C. White Jr.)
Newsgroups: news.admin
Subject: Re: Forgeries: a suggestion for bringing them under control
Message-ID: <586@nusdhub.UUCP>
Date: 10 Feb 88 00:57:18 GMT
References: <1861@epimass.EPI.COM> <14276@oddjob.UChicago.EDU>
Organization: National University, San Diego
Lines: 105
Summary: Authentication header... a simple method, if you want to waste the effort.

Hi,

If everybody really cares about authentication of messages, and message delivery, this is a _simple_ method of true user and path authentication. The major drawback of this scheme is an unknown level of system overhead.

[Watch out, this is another idea off the top of my head.... you saw it here live folks!!!]

The header is of the form:

	Authent: ### ### ###

The information used is:

1) the four [or less] characters directly preceding the "@" in the message id.
2) the first four [or less] characters of the poster's login id.
3) the first four [or less] characters of the originating system's name.
4) the first four [or less] characters of the second-to-left-most entry on the "Path:" line.
5) the first four [or less] characters of the left-most entry on the "Path:" line.
6) the first four [or less] characters of the current system's name.
7) several constants coded into the software.

[These items have been selected because they would all be easily available to the software while it is running.]

Item 1 is used to generate a two-column key, the even numbered columns forming one key and the odd forming the other. Because the key is based on the accession number portion of the message id, no two messages from the same source user & machine will have the same key.

The key thus generated is used as a base for a simple checksum process on the appropriate entries [4 of the 2-6 group depending on operation] producing a number not larger than 127, and a very basic checksum of the two results forms the third number in the "Authent:" header line. The constants mentioned in item 7 are the base multipliers and divisors and such.

PROCESSING -- Message receipt & validation.

Item 1 is used to generate the key. Items 2, 3, 4, and 5 from the inbound message are recovered from the article, and processed through the checksum routine. The results are compared against the contents of "Authent:". If the contents are invalid the "Authent:" is destroyed [probably omitted from the output of the article]. If the contents are validated, a new checksum based on items 2, 3, 5, and 6 is figured, and this number is written on the "Authent:" header when the article is stored.

There is no change in current batching/sending procedures as 2, 3, 5, and 6 on the current system will be items 2, 3, 4, and 5 on the destination system.

PROCESSING -- Message creation.

During message creation, all the above processing holds true, but it is important that the receiving system will see an overlap of item pairs 2,4 and 3,5, so the processing performed during posting should reflect this.

PROCESSING -- Note:

It is important that the system take care to understand that the items mentioned may overlap. [i.e. no assumptions about the "Path:" header be made except the fact that it will contain at least two entries.]

This will validate messages, and will make it a general pain for someone to forge entries. Forgery will still be possible, but only by editing the messages after generation and manually re-figuring the "Authent:" for its alleged path.

Exactly what should happen when a forgery [or bad "Authent:"] is received must be left to people with more practical experience on the net. Perhaps, at first, vnews can be set up to print: "Notice: NO AUTHENTICATION on Message" when it displays headers.

Needless to say, there will have to be a hack-around until this [or any] authentication system is dern-near universal. An example of such a hack would be the addition of an extra number on the end which states how many systems were on the Path: when the Authent: was last figured, and then using this as an offset for finding items 4 and 5 during rnews processing. [and then re-figuring 5 and 6 to reflect current standings]

Disclaimer: Then again, maybe not........

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
<< All the STREAM is but a page,<<|>> Robert C. White Jr.                 <<
<< and we are merely layers,    <<|>> nusdhub!rwhite nusdhub!usenet       <<
<< port owners and port payers, <<|>>>>>>>>"The Avitar of Chaos"<<<<<<<<<<<<
<< each an others audit fence,  <<|>> Network tech, Gamer, Anti-christ,   <<
<< approaching the sum reel.    <<|>> Voter, and General bad influence.   <<
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
## Disclaimer: You thought I was serious???...... Really????              ##
## Interrogative: So... what _is_ your point?                             ##
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
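The "Authent:" scheme described in the post above, as an added worked example (this is not code from the post, nor from any news software of the period). The post fixes which header items feed the checksum but not the arithmetic or the item-7 constants, so the checksum formula, the constant values, the choice of taking item 3 from the Message-ID host part, and the sample article are all assumptions made here. The example walks one article from posting through two relay hops (items 2, 3, 5, 6 at one site becoming items 2, 3, 4, 5 at the next), shows an article with an altered From: line being rejected and its Authent: dropped, and then shows the case the post itself concedes: an editor who has the same constants re-figures Authent: for the altered article and it validates at the next site.

```python
"""Toy model of the 'Authent:' header sketched in the post. Added example;
formulas, constants and sample articles are ASSUMED, not taken from the post."""
import re

# Item 7, the "constants coded into the software". ASSUMED values.
MULT_EVEN = 7            # multiplier used with the even-column key
MULT_ODD = 11            # multiplier used with the odd-column key
MODULUS = 128            # keeps every result "not larger than 127"

HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def parse_article(text):
    """Split an article into (headers dict, body); single-line headers only."""
    head, _, body = text.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = m.group(2)
    return headers, body


def render_article(headers, body):
    return "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n\n" + body


def key_from_message_id(msgid):
    """Item 1: up to four chars directly before '@', split into the
    even-column key and the odd-column key the post describes."""
    local = msgid.strip("<>").split("@", 1)[0][-4:]
    return (sum(ord(c) for c in local[0::2]),
            sum(ord(c) for c in local[1::2]))


def checksum(key, mult, fields):
    """ASSUMED 'simple checksum': fold the first four chars of each field."""
    total = 0
    for field in fields:
        for ch in field[:4]:
            total = (total * mult + ord(ch) + key) % MODULUS
    return total


def compute_authent(msgid, user, origin, hop_a, hop_b):
    """Two results (one per key) and a 'very basic checksum' of the pair."""
    even, odd = key_from_message_id(msgid)
    a = checksum(even, MULT_EVEN, (user, origin, hop_a, hop_b))
    b = checksum(odd, MULT_ODD, (user, origin, hop_a, hop_b))
    return f"{a:03d} {b:03d} {(a + b) % MODULUS:03d}"      # "### ### ###"


def items(headers):
    """Items 2-5 as the post lists them (item 3 ASSUMED to be the Message-ID host)."""
    msgid = headers["Message-ID"]
    user = headers["From"].split("@", 1)[0]
    origin = msgid.strip("<>").split("@", 1)[1].split(".", 1)[0]
    return msgid, user, origin, headers["Path"].split("!")


def validate(headers):
    """Receipt: recompute over items 2, 3, 4, 5 and compare with Authent:."""
    msgid, user, origin, path = items(headers)
    if "Authent" not in headers or len(path) < 2:
        return False
    return compute_authent(msgid, user, origin, path[1], path[0]) == headers["Authent"]


def store(headers, current_system):
    """Stamp Authent: over items 2, 3, 5, 6, then prepend this system to Path:
    so the next site's items 4 and 5 are our items 5 and 6."""
    msgid, user, origin, path = items(headers)
    headers["Authent"] = compute_authent(msgid, user, origin, path[0], current_system)
    headers["Path"] = current_system + "!" + headers["Path"]
    return headers


def receive(text, current_system):
    """rnews side: validate; drop a bad Authent:, re-stamp a good one."""
    headers, body = parse_article(text)
    ok = validate(headers)
    if ok:
        store(headers, current_system)
    else:
        headers.pop("Authent", None)
    return ok, render_article(headers, body)


def post(user, origin, msgid, body):
    """Creation: Path: starts as just the login, so at the first relay
    items 2/4 and 3/5 overlap exactly as the post requires."""
    headers = {"Path": user, "From": f"{user}@{origin}.UUCP", "Message-ID": msgid}
    return render_article(store(headers, origin), body)


def forge(text, new_user):
    """The case the post concedes: edit the article after generation and
    re-figure Authent: for its alleged path using the same constants."""
    headers, body = parse_article(text)
    headers["From"] = new_user + "@" + headers["From"].split("@", 1)[1]
    hops = headers["Path"].split("!")
    hops[-1] = new_user                       # login sits at the tail of Path:
    headers["Path"] = "!".join(hops)
    msgid, user, origin, path = items(headers)
    headers["Authent"] = compute_authent(msgid, user, origin, path[1], path[0])
    return render_article(headers, body)


if __name__ == "__main__":
    # Constructed sample article, not a real posting.
    art = post("rwhite", "nusdhub", "<586@nusdhub.UUCP>", "Hi,\n")
    ok, art = receive(art, "mnetor")
    print("relay at mnetor accepted:", ok)
    print("tampered From: accepted:", receive(art.replace("rwhite@", "mallory@"), "uunet")[0])
    print("re-figured forgery accepted:", receive(forge(art, "mallory"), "uunet")[0])
```

The first two runs show the scheme doing what the post asks of it: a clean relay validates and is re-stamped, and an edited From: line with a stale Authent: is rejected and loses the header. The third run is the practical check to apply to any header of this kind: whatever the relaying software can compute from the article and its built-in constants, an editor with the same software can compute too.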