From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 17 Aug 1995 23:42:11 -0400
From: Vadim Antonov avg@postman.ncube.com
Subject: secure login without digital pathways box
Topicbox-Message-UUID: 181c4bf0-eac8-11e9-9e20-41e7f4b1d025
Message-ID: <19950818034211.qt3c8Qmw3gkMblBs6jN9YYPJ7BEz4QfNRLCA2vTrGXY@z>

Look for "fcrypt" at European FTP servers (ftp.funet.fi?). The source for DES was available everywhere outside the US for at least a decade.

As for reducing security -- when a corporation has all really valuable data stored on Unix machines it makes very little sense to protect toys zealously.

Also, challenge-response schemes do not protect against active snoopers (you can always "steal" an already authenticated TCP or UDP session) and so are of very little value as protection against Ethernet snoopers (to steal packets you already have to have access to a machine on the Ethernet, ok?). This means that you still need a solid firewall, no matter if you use one-time passwords or not.

Over long-distance links the one-time-password schemes are vulnerable to host-route attacks (a man-in-the-middle scheme) or compromised source hosts (i.e. the securenet thingie can't protect you if you're logging in from a host with doctored telnet).

The real answer to network security is the encryption of all data and using key exchange schemes resistant to man-in-the-middle attacks.

And, also, *never* log in from a machine you don't trust. Better carry your own laptoy, as security of the machine is as good as its physical security.

There's no magic bullet.

So, the options I added are designed for use inside protected LANs, where an excessive level of paranoia only makes people irritated (and by doing so _compromises_ security, as then the users will tend to circumvent authentication, so rendering it useless).

--vadim
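
The point above about challenge-response covering only the login step, as an added example that is not part of the original message: a toy model in which one server checks the response once and then trusts the connection, while the other also requires a keyed MAC and sequence number on every message. All names, the key-derivation labels and the sample connection values are constructed for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"  # constructed sample value

def h(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()
def response(secret, challenge):
    return h(secret, b"login" + challenge)       # proves the secret once, at login
def session_key(secret, challenge):
    return h(secret, b"session" + challenge)     # never sent on the wire
def mac(key, seq, data):
    return h(key, seq.to_bytes(8, "big") + data)  # binds data to its position

class LoginOnlyServer:
    """Verifies the response once, then trusts the connection tuple."""
    def __init__(self, secret):
        self.secret, self.state = secret, {}
    def login(self, conn, challenge, resp):
        if hmac.compare_digest(resp, response(self.secret, challenge)):
            self.state[conn] = [session_key(self.secret, challenge), 0]
        return conn in self.state
    def receive(self, conn, seq, data, tag=None):
        return conn in self.state                 # no per-message check

class PerMessageServer(LoginOnlyServer):
    """Same login, but every message must carry a MAC under the session key."""
    def receive(self, conn, seq, data, tag=None):
        st = self.state.get(conn)
        if st is None or tag is None or seq != st[1]:
            return False
        if not hmac.compare_digest(tag, mac(st[0], seq, data)):
            return False
        st[1] += 1                                # reject replays and reordering
        return True

def demo():
    conn, challenge = ("10.0.0.5", 1023), os.urandom(16)  # constructed values
    key, out = session_key(SECRET, challenge), {}
    for cls in (LoginOnlyServer, PerMessageServer):
        srv = cls(SECRET)
        srv.login(conn, challenge, response(SECRET, challenge))
        legit = srv.receive(conn, 0, b"ls", mac(key, 0, b"ls"))
        unkeyed = srv.receive(conn, 1, b"injected")        # sender lacks the key
        replay = srv.receive(conn, 0, b"ls", mac(key, 0, b"ls"))
        out[cls.__name__] = (legit, unkeyed, replay)
    return out
```

This sketch adds message integrity only; it does not encrypt the data, and it assumes both the client host and the pre-shared secret are trustworthy.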