Great Circle Associates Firewalls
(May 1994)

Subject: Re: Allowing Magic Kingdom Access
From: MICHAEL NITTMANN <NITTMANN@UWLAX.EDU>
Date: Wed, 25 May 94 08:36 CDT
To: firewalls@greatcircle.com

Some thoughts of mine:

Mark E. Gibbons proposed a scheme where a script on a 'normally not 
accessible' machine changes his password.

This is, I would say, a violation of the first principle of any 
security: do not write your pw anywhere, especially not on storage 
media. 

We have the problem of 'magic kingdom access' too, and it will 
become really wild when we open up to functions via the Internet.

I rule out 'protection' through obscurity. As most agree, mere IP 
address discrimination is not a protection, the address can be 
spoofed, e.g. from router tables, and is public. 
Dial in via a provider is an option we pursue: the dial nodes are 
PPP nodes within an IP network. Again: can be spoofed by inspecting 
routing tables.

The only valid protection is here in my opinion a dual mode 
protection: knowledge and possession:  the user must know a password, 
and possess a one time token that allows authentication on the target 
hosts within the private network, that are accessible from the 
outside.
How do I possess a one time token: the most simple thing is a 
password list of one time passwords. Disadvantage: most people 
strike out the ones used and do not use the proper matrix algorithm 
each time to retrieve the next password. Periodic schemes (one for 
each day) are out, I would say.
Disadvantage: written down passwords.
Possession of a one time password generator (Enigma, SecurID): that's 
probably the best solution for access authentication. This is the 
smartcard thing where time synchronized number generators generate 
an access key on the remote user's smart card, and in sync (with 
some tolerance for variation) the same calculation takes place on 
the authentication host.
Authentication is done by a physically secured machine within the 
network, the traffic between the authentication client (host to be 
accessed) and the authentication server is encrypted (don't choose 
DES if you expect overseas clients to be authenticated centrally 
too).

Just: ... don't write it down, no matter in what form, no matter on 
what storage. Hand scribble is btw. way more secure than binary 
information on a hard disk. I don't think that Mark's 'normally 
inaccessible' host has security on disk block level. Probably anyone 
could get a handle request to his block where the passwords are, if 
the person may use NFS, as an example.

The best scheme for 'magic kingdom access' is for me: authentication 
by means of a partially known and partially one time generated key 
towards Kerberos, key distribution within Kerberos tickets, and PGP 
for all traffic between public and private network (PGP is RSA in US 
and Canada, public domain elsewhere since it is the result of a 
publicly published research effort, not 'exported').
Key length can vary dependent on the key validity interval.

A pointer to good security info ( the 'don't write it down'): get on 
the mailing list of the NSA. The last document issued details 
security testing and evaluation. Although most of it is for 
government stuff and beyond scope for 'normal' people, the NSA 
documents contain very useful info from people who know it.

I got on the list by writing to:

	INFOSEC Awareness Division
	ATTN: X711/IAOC
	Ft. George G. Meade, MD 20755-6000
	(410) 766 8729		Barbara Keller

this was in '92, maybe the address changed. 


Mike