Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!amdahl!rtech!gonzo!daveb
From: daveb@gonzo.UUCP (Dave Brower)
Newsgroups: comp.unix.wizards
Subject: Re: /etc/shadow
Message-ID: <465@gonzo.UUCP>
Date: 19 Nov 88 07:13:32 GMT
References: <17568@adm.BRL.MIL>
Reply-To: daveb@gonzo.UUCP (Dave Brower)
Organization: Gonzo Media Group
Lines: 32

In article <17568@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes:
>? From: Doug Gwyn
>
>? In the above, probably it would be safest to use the encrypted form
>? of a trial password instead of plaintext. It bothers me that some
>? network protocols send unencrypted passwords over the network.
>
>Perhaps I don't understand the problem fully, but it seems to me that
>I could just write a client that sends, say, the login name and the
>encrypted password (which I got from reading the password file) over
>the net and masquerade as a legitimate host. Unless you send the plaintext
>password over the net, you preclude the server from checking the validity
>itself. And you force all encryption algorithms to be the same.

The answer to a large number of these authentication problems is alleged
to be the one-way public key encryption available from RSA. Does anyone
know some of the salient facts about this approach?

* How "secure" is the encryption to common attacks, including brute force?

* What does it really cost to license from RSA, and what do you get for
  your license?

* Is anyone actually using it in anything?

-dB
--
"If it was easy, we'd hire people cheaper than you to do it"
{sun,mtxinu,hoptoad}!rtech!gonzo!daveb                daveb@gonzo.uucp
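The replay problem Root Boy Jim describes (a client that just resends the stored encrypted password) and the usual fix, a server-issued challenge that the client answers with a keyed hash, shown side by side. This is an added illustration, not code from the thread or from any of the posters; it uses SHA-256 and HMAC rather than the 1988 crypt() routine, and the user name, salt and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: the server keeps only a salted hash
# of the password, never the plaintext (the /etc/shadow idea).
PASSWORD = "correct horse"           # known only to the legitimate client
SALT = b"constructed-salt"
STORED_HASH = hashlib.sha256(SALT + PASSWORD.encode()).hexdigest()
USERS = {"daveb": STORED_HASH}       # "daveb" is a constructed entry


def server_check_static(user, presented_hash):
    """Scheme 1: the client sends the stored hash itself over the wire.
    The server can compare it, but whatever was captured on the net is a
    reusable credential: the hash is as good as the password."""
    return hmac.compare_digest(USERS.get(user, ""), presented_hash)


def replay_static(captured):
    """An observer who saw one static exchange re-sends it verbatim."""
    user, presented = captured
    return server_check_static(user, presented)


def server_issue_challenge():
    """Scheme 2, step 1: the server sends a fresh random nonce."""
    return secrets.token_hex(16)


def client_respond(nonce, password):
    """Scheme 2, step 2: the client keys an HMAC over the nonce with a key
    derived from the password. The key itself never goes over the wire."""
    key = hashlib.sha256(SALT + password.encode()).digest()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def server_check_response(user, nonce, response):
    """Scheme 2, step 3: the server recomputes the HMAC from its stored
    verifier and the nonce it issued, so it checks validity itself."""
    stored = USERS.get(user)
    if stored is None:
        return False
    key = bytes.fromhex(stored)      # same bytes the client derived
    expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def replay_challenge_response(captured):
    """The same observer re-sends a captured (user, nonce, response) triple.
    By now the server has issued a new nonce, so the old response fails."""
    user, _old_nonce, response = captured
    fresh_nonce = server_issue_challenge()
    return server_check_response(user, fresh_nonce, response)


if __name__ == "__main__":
    # Static scheme: the captured hash replays successfully.
    print("static replay accepted:", replay_static(("daveb", STORED_HASH)))
    # Challenge-response: a captured answer is useless against a new nonce.
    nonce = server_issue_challenge()
    answer = client_respond(nonce, PASSWORD)
    print("live response accepted:", server_check_response("daveb", nonce, answer))
    print("replayed response accepted:", replay_challenge_response(("daveb", nonce, answer)))
```

Note the remaining weakness, which is exactly why the thread's subject is /etc/shadow: in this scheme the server's stored verifier is itself a password equivalent, so anyone who can read the file can answer challenges. Challenge-response removes the on-the-wire replay, not the need to protect the verifier file, and both sides still have to agree on one algorithm, as Root Boy Jim points out.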