Path: utzoo!attcan!uunet!husc6!bloom-beacon!bu-cs!purdue!decwrl!labrea!agate!saturn!fouts@lemming.
From: fouts@lemming. (Marty Fouts)
Newsgroups: comp.os.research
Subject: Re: Non-secure workstations (long) (Was: The NeXT Problem)
Message-ID: <5173@saturn.ucsc.edu>
Date: 18 Oct 88 16:46:51 GMT
Sender: usenet@saturn.ucsc.edu
Organization: NASA Ames Research Center, Moffet Field, CA
Lines: 44
Approved: comp-os-research@jupiter.ucsc.edu

In article <5158@saturn.ucsc.edu> pardo@june.cs.washington.edu writes:
crum@lipari.usc.edu (Gary L. Crum) writes:
>bzs@xenna (Barry Shein) writes:
>>[ Optical disk == portable file system ]
>Barry's environment where students boot cubes off their own platters
>poses many interesting security problems! In such an environment, cubes
>cannot "trust" each other because users have their own system disks
>and hence all users are superusers for their respective machines.

I believe (somebody tell me?) that Andrew and possibly some other systems have solved this. When you do remote file accesses (e.g., mount some file system) you are required to identify yourself. The problem with this is that there is no way to prove that the 'you' identifying 'yourself' is really you in the presence of promiscuous or tappable transmission media.

Since the mid-70s, open literature has existed which suggests ways around authentication schemes. Sending clear text passwords is obviously wrong, and no one would force users to do it. (;-0 Sending constant encrypted passwords is also wrong, although in a slightly more subtle way. (To beat you, I simply record a session in which you get a good log in, and then when I want to fake you, I replay your half of the session.) Attempts to get around this involve either schemes to make it hard to forge the physical address and then checking that (i.e., which 48-bit transceiver number), or to use schemes which require the encrypted password to be changed.

The first method is fairly easy to defeat in Shein's proposed environment, and isn't very useful when the 'you' is moving around anyway. The second method shows more promise, but. . .

Anyway, authentication in a hostile network is at best a currently unsolved problem, and at worst an unsolvable problem.

Marty
--
+-+-+-+ I don't know who I am, why should you? +-+-+-+
| fouts@lemming.nas.nasa.gov                          |
| ...!ames!orville!fouts                              |
| Never attribute to malice what can be               |
+-+-+-+ explained by incompetence. +-+-+-+
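An added illustration of the two schemes Fouts contrasts, written for this page and not part of the original post: a "constant encrypted password" that a recorded login replays successfully, beside a nonce-based challenge/response (the "changed encrypted password" approach) in which the recorded half of the session is rejected. The shared secret is a constructed placeholder, and HMAC-SHA256 stands in for whatever keyed transform a real system would use.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for whatever both the workstation and
# the file server derive from the user's password (placeholder value).
SHARED_SECRET = b"constructed-demo-secret"

def static_token(secret):
    """'Constant encrypted password': identical bytes on every login."""
    return hashlib.sha256(secret).digest()

def static_verify(secret, token):
    # Server check for the static scheme: a recording of one good login passes.
    return hmac.compare_digest(static_token(secret), token)

class ChallengeServer:
    """Server half of a nonce-based challenge/response; each nonce is single use."""
    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()  # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per attempt
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        # Reject nonces that were never issued or were already consumed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(secret, nonce):
    """Client half: prove knowledge of the secret, bound to this nonce only."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def replay_results():
    """Return (static accepts replay, genuine login ok, challenge accepts replay)."""
    recorded = static_token(SHARED_SECRET)      # what an eavesdropper captures
    static_replay = static_verify(SHARED_SECRET, recorded)
    server = ChallengeServer(SHARED_SECRET)
    n1 = server.challenge()
    r1 = respond(SHARED_SECRET, n1)             # the genuine login's response
    genuine_ok = server.verify(n1, r1)          # accepted exactly once
    replay_fresh = server.verify(server.challenge(), r1)  # answer to wrong nonce
    replay_old = server.verify(n1, r1)          # nonce already consumed
    return static_replay, genuine_ok, replay_fresh or replay_old
```

The server keeps only nonces it issued and forgets each one on first use, so a response is worthless both against a new challenge and against the challenge it originally answered.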