Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!maxzilla!paradis
From: paradis@maxzilla.Encore.COM (Jim Paradis)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <4537@xenna.Encore.COM>
Date: 30 Dec 88 23:16:28 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM>
Sender: news@Encore.COM
Reply-To: paradis@maxzilla.UUCP (Jim Paradis)
Organization: Encore Computer Corp, Marlboro, MA
Lines: 60

In article <4497@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>Hiding something indicates that it is dangerous if revealed. It says,
>basically, that encryption technology is inadequate and cannot be made
>to work, the only reasonable protection is secrecy. Do we honestly
>believe this? Or, worse, do we believe that security is attained by
>layering anything we can think of onto the system?

Hi, Barry!

I think there's a subtle point that you're missing here: there's a
difference between keeping a piece of information SECRET, and
restricting ACCESS to it. It just so happens that on computers, we tend
to use the same mechanisms to accomplish both.

So keeping a password database inaccessible (by protections or shadowing
or making it into a kernel object or what-have-you) does NOT imply that
the information contained therein is necessarily a SECRET that must be
hidden, but rather it implies that we need to restrict access to the
information to prevent someone from taking it away and fiddling with it
long enough to eventually break it (by whatever means -- brute-force
cracking, blind luck, sophisticated cryptanalysis, whatever).

Here's an analogy: Suppose there's a room containing classified files.
To prevent unauthorized access to the files, a lock is installed on the
door. Now, if I (unauthorized) wanted to access the information, I could
try to pick the lock. If I were allowed to sit in front of the door for
as long as I wished, fiddling with the lock and trying various attacks
on it, there's a chance that eventually I'd be able to pick the lock and
access the information. It may be a very GOOD lock and require a long
time to pick, but eventually I might get lucky.

This is analogous to the current situation with UNIX password files:
since the file is world-readable, I can conceivably make a copy of the
file, take it home with me, load it onto my PeeCee, and hack on it at
leisure. I might, by blind luck, stumble onto some useful passwords that
way.

In the case of the locked door, if we want to keep people from hacking
on the lock and restrict the use of the lock to being opened with a
proper key, we can post a guard at the door. Assuming that the guard
cannot be bribed or otherwise made an accessory to an attack, s/he will
prevent random hackery on the lock. Similarly, by burying the password
information and restricting access to it, one can prevent random hackery
on the password file.

Oh, all right, I'll admit that it's probably possible to subvert the
guard mechanism as well; HOWEVER, consider the following: each "hurdle"
that we place in the way of a cracker has a probability P of being
compromised. I submit, though, that in a useful system there's no such
mechanism where P=0 (proof left as exercise to the reader 8-) ).
Therefore, the best we can do is come up with a mechanism where P is
(hopefully) quite small. If there are TWO hurdles to be overcome, then
the probability of the composite mechanism being compromised is P1 * P2.
Thus, by choosing an appropriate set of mechanisms, we can (hopefully)
make the probability of compromise arbitrarily small.

Recognize, though, that the smaller you make the probability, the more
difficult the system becomes to use. Therefore, striking a balance
between ease of use and security is a decision that each individual
system administrator must make.

Jim Paradis (paradis@encore.UUCP)  508-460-0500
Devout Secular Humanist and Worshipper of Bacchus in Vintage Years
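An added illustration, not part of Jim's post: a small Python audit that plays the "guard at the door". It parses passwd-format entries and flags any account whose hash sits in the world-readable file instead of behind a shadow placeholder (or has no password at all), and checks whether a file's mode leaves it readable by everyone. The sample entries, the hash string and the helper names are constructed for this example.

```python
import os
import stat

# Constructed sample of a passwd-format file. The "jim" entry keeps a real
# hash in the world-readable file (the made-up string below is a placeholder,
# not a real hash); the others defer to a shadow file ("x") or are locked.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
jim:ab01cd23ef45gh67:1001:1001:Jim Paradis:/home/jim:/bin/csh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""

# Password-field values that carry nothing an offline cracker can work on:
# "x" means "look in the shadow file", "*" / "!" / "!!" mean locked or unset.
PLACEHOLDERS = {"x", "*", "!", "!!"}


def exposed_hashes(passwd_text):
    """Return (user, reason) pairs for entries that give away a crackable hash
    or have an empty password field in world-readable passwd-format text."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, not our concern here
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in PLACEHOLDERS:
            findings.append((user, "hash stored in world-readable file"))
    return findings


def mode_world_readable(mode):
    """True if the 'others' read bit is set in a st_mode value: the shadow
    file is only a guard if people outside the door cannot read it."""
    return bool(mode & stat.S_IROTH)


def world_readable(path):
    """Stat a real file (e.g. the shadow file) and report its 'others' read bit."""
    return mode_world_readable(os.stat(path).st_mode)
```

Running `exposed_hashes(SAMPLE_PASSWD)` names "jim" and "guest"; pointing `world_readable` at the shadow file on a live host tells you whether the guard is actually posted.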