9fans - fans of the OS Plan 9 from Bell Labs
From: Vadim Antonov avg@postman.ncube.com
Subject: secure login without digital pathways box
Date: Thu, 17 Aug 1995 23:42:11 -0400
Message-ID: <19950818034211.qt3c8Qmw3gkMblBs6jN9YYPJ7BEz4QfNRLCA2vTrGXY@z>

Look for "fcrypt" at European FTP servers (ftp.funet.fi?)
The source for DES was available everywhere outside US
for at least a decade.

As for reducing security -- when a corporation has all
really valuable data stored on Unix machines it makes
very little sense to protect toys zealously.  Also,
challenge-response schemes do not protect against active
snoopers (you can always "steal" an already authenticated
TCP or UDP session) and so are of very little value as
protection against Ethernet snoopers (to steal packets
you already have to have access to a machine on the Ethernet,
ok?)

This means that you still need a solid firewall, no matter
if you use one-time passwords or not.  Over long-distance
links the one-time-password schemes are vulnerable to
host-route attacks (a man-in-the-middle scheme) or compromised
source hosts (i.e. the securenet thingie can't protect you
if you're logging from a host with doctored telnet).

The real answer to the network security is the encryption of
all data and using key exchange schemes resistant to the
man-in-the-middle attacks.  And, also, *never* log in from
a machine you don't trust.  Better carry your own laptop,
as security of the machine is as good as its physical
security.  There's no magic bullet.

So, the options i added are designed for use inside protected
LANs, where an excessive level of paranoia only makes people
irritated (and by doing so _compromises_ security, as then
the users will tend to circumvent authentication, rendering
it useless).


--vadim
