Path: utzoo!mnetor!uunet!husc6!tut.cis.ohio-state.edu!mailrus!nrl-cmf!ames!eos!aurora!labrea!decwrl!pyramid!prls!philabs!micomvax!zap!iros1!mcgill-vision!mouse
From: mouse@mcgill-vision.UUCP (der Mouse)
Newsgroups: news.admin
Subject: Re: Forgeries: a suggestion for bringing them under control
Message-ID: <989@mcgill-vision.UUCP>
Date: 11 Mar 88 08:39:15 GMT
References: <1861@epimass.EPI.COM> <14276@oddjob.UChicago.EDU> <586@nusdhub.UUCP>
Organization: McGill University, Montreal
Lines: 61

In article <586@nusdhub.UUCP>, rwhite@nusdhub.UUCP (Robert C. White Jr.) writes:
> If everybody really cares about authentication of messages, and
> message delivery, this is a _simple_ method of true user and path
> authentication.  The major drawback of this scheme is an unknown
> level of system overhead.

How about "it doesn't work" for a drawback?

> [proposal for a scheme with an Authent: header based on several
> things, including]

> The information used is:
> 	1) the four [or less] characters directly proceding the
> 		"@" in the message id.

You appear to assume this is unique for a given machine.  Sorry, but it
isn't so.  As far as I know, the Message-ID can be anything at all, as
long as it is guaranteed not to duplicate any other Message-ID
generated anywhere on the entire net (and contains only certain
characters, such as the alphanumerics, dots, @ signs...).  The
convention is to use a trailing @hostname to ensure that the result
doesn't conflict with an ID generated by any other machine (this
convention clearly works only as long as everyone uses it).  But the
part before the @ is less standard.  Here are some of the things I find
in a quick glance through the Message-IDs in the first couple of pages
of our history file:

8710070328.AA21589
	The first part appears to be a date, the second looks like a
	sendmail queue-ID.  (From Berkeley, ajpo.sei.cmu.edu, etc.)
1289
	This looks like a sequence number.  (From a great many places.)
1988Jan23.202318.22868
	The first part is pretty obviously a date; the second part
	looks like a time, and the third part is mysterious.  The
	process ID of the posting process maybe?  (From U of T - is
	this C news default format maybe?)
167100020
	I dunno.  (Message-IDs appearing to conform to this pattern - a
	large integer - appear with uiucdcsb, clio, hpcupt1.HP.COM,
	silver, occrsh.ATT.COM, uokmet.UUCP, etc on the right of the @.)
cVyQZ5y00XoFyDU0DT
	This looks like some binary value expressed in base 62 or
	something equally helpful.  (From andrew.cmu.edu.)

And when the last four characters are digits, which seems to be common,
there are only 10000 possible values!

> 	2) through 6) are the first four [or less [sic]] characters of
> 		various things.
> 	7) several constants coded into the software.

I still don't see anything here that a forger couldn't simply compute
based on the forgery as if it were a normal message.  How does this
help, except in that it makes it marginally more difficult to create a
forged message?

					der Mouse

			uucp: mouse@mcgill-vision.uucp
			arpa: mouse@larry.mcrcim.mcgill.edu