Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!uwmcsd1!marque!uunet!mcvax!ukc!dcl-cs!aber-cs!pcg From: pcg@aber-cs.UUCP (Piercarlo Grandi) Newsgroups: comp.protocols.tcp-ip Subject: Re: passwords Summary: Key based systems instead of knowledge based systems Message-ID: <254@aber-cs.UUCP> Date: 18 Nov 88 19:02:56 GMT References: <8811090956.AA07706@LANAI.MCL.UNISYS.COM> <26010@bu-cs.BU.EDU> <7178@charlie.OZ> Reply-To: pcg@cs.aber.ac.uk (Piercarlo Grandi) Distribution: eunet,world Organization: CS Dept., University College of Wales, Aberystwyth, UK Lines: 61 X-Disclaimer: Any statement is purely personal. In article <7178@charlie.OZ> jgm@charlie.oz.au (John Moorfoot) writes: In article <26010@bu-cs.BU.EDU> kwe@bu-it.bu.edu (Kent England) writes: >In article <8811090956.AA07706@LANAI.MCL.UNISYS.COM> > perry@MCL.UNISYS.COM (Dennis Perry) writes: >> > When I was at InterOp I stopped by the Sytek booth to look at >their telnet server. I was not impressed, except by a neat little >gizmo they had for their terminal server administrators. It looked >like a calculator. To use it you enter a PIN, like at your favorite >ATM machine. Then when you log onto a secure port to administer your >Sytek terminal server, the login program gives you a sequence of >numbers. You enter the numbers into the little gizmo and it gives you >a bunch of numbers back. You enter these into the login program and >you are in. Anyone catching this sequence over the net cannot >duplicate it, they don't have the little calculator gizmo and your >PIN. [ ........ ] A host program asks the PC for a challenge for a user, and the PC returns the challenge and two possible responses. The calculator can be programmed to accept two separate PINs, and will give a response to the challenge dependant on the PIN entered. This provides an adiitional degree of security, as the second PIN can be used (for instance) if the user is under duress. [ ......... ] Actually all these systems just transform a "what you know" security to a "what you have" security. There is no inherent improvement in the overall security level, and actually it may be lower (more components to compromise, etc...). As to systems that auotmatically generate passwords, usually the cardinality of the set of distinct passwords they can possibly generate is vastly smaller than the cardinality of possible passwords, and therefore they make it terribly easy to generate a list of all possible passwords. What's the point of having a key space of 127^8 (8 ASCII chars) if the password generators can only generate a few thousand or dozen thousand different passwords (e.g. most generators based on trigraphs). All these issues have been hashed to death in the past. This is a TCP/IP group. Let's make some specific TCP/IP comments on security -- a system that supports TCP/IP protocols must provide all security itself. Security MUST be end-to-end, and MUST be based on powerful encryption, such as RSA, and authentication MUST be based on something like zero-knowledge proofs, and the human link still remains the weakest. Protecting things like portions of the socket/host address spaces will only stop children. My general feeling is that security is NOT terribly important for a lot of people, and that as somebody pointed out, it involves a total approach, and is thus TERRIBLY expensive if done seriously. For example, one of the attacks to a system is to send a fake os upgrade tape labeled as though it were from the manufacturer... To foil these attacks you must involve the manufacturer in your security approach. -- Piercarlo "Peter" Grandi INET: pcg@cs.aber.ac.uk Sw.Eng. Group, Dept. of Computer Science UUCP: ...!mcvax!ukc!aber-cs!pcg UCW, Penglais, Aberystwyth, WALES SY23 3BX (UK)