Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!decwrl!decvax!mcnc!gatech!bloom-beacon!mit-eddie!uw-beaver!uw-june!ka
From: ka@june.cs.washington.edu (Kenneth Almquist)
Newsgroups: sci.crypt
Subject: Re: Unix Password Hacker
Message-ID: <4315@june.cs.washington.edu>
Date: 28 Feb 88 08:27:23 GMT
References: <731@ddsw1.UUCP> <657@morningdew.BBN.COM> <24582@cca.CCA.COM> <281@csed-47.csed-1.UUCP>
Distribution: na
Organization: U of Washington, Computer Science, Seattle
Lines: 37
Summary: summary

>>>> Much better is simply keeping the encrypted passwords in a file that is
>>>> not publicly readable. ...
>
> It is also required by even the lowest level of the DOD Trusted Computer
> Systems Evaluation Criteria (C1). From section 2.1.2.1., "Identification
> and Authentication": "The TCB [Trusted Computing Base] shall protect
> authentication data so that it cannot be accessed by any unauthorized user."

In a traditional UN*X system with a publicly readable password file, the
passwords *are* protected (at least allegedly) using encryption.

Suggestions like the one of read protecting the password file *and*
encrypting it raise a red flag for me. If the encryption scheme is good,
then read protecting the passwords is unnecessary. Similarly, if the read
protection on the password file really works, then encrypting the
passwords is a waste of time. More generally, if there are two independent
security checks on a system, and an intruder can subvert the first
security check with effort E1 and the second security check with effort
E2, then the total effort to crack the system is E1+E2. This is less than
2*max(E1, E2), so very little is lost by abandoning one of the two
security checks.

In fact, eliminating one of the security checks may make your system
*more* secure. One reason is that simpler systems are more likely to be
correct. More important is the discipline enforced by choosing one feature
or the other. If you retain both features, then when you look at feature A
and discover it is not really very good, you can figure that it doesn't
matter because feature B will keep out any intruders who get past feature
A. And then when you look at feature B you can ignore the holes in it on
the assumption that feature A will keep intruders from getting that far
anyway. A system in which an intruder must bypass 2 or 3 ineffective
security mechanisms is not much harder to penetrate than a system with
only one ineffective security mechanism. The discipline of limiting
yourself to one security mechanism is that it encourages you to design
one that works.

				Kenneth Almquist
				ka@june.cs.washington.edu