Re: Sys Admins Wanted

Matthew Gream (mgream@nospam.acacia.itd.uts.edu.au)
Fri, 6 May 94 18:27:03 EST

Earlier, Scott Hopwood wrote:

> No, but it is akin to telling someone "every time you sign your signature
> for an account, you have to do it differently, and evey time you use an
> ATM, a new number will be give to you"

Unlike signatures, passwords are not infeasible (to the same
degree of probability) to reproduce. This negates the validity
of your first assertion, because if a password was infeasible
to reproduce, then why would it need to be one time ? One time
passwords exist because static passwords are easy to forge and
reproduce (aka. replay).

With respect to ATM machines, you are again missing the whole
point of one time passwords. They exist such that the
information contained by the password has no value outside a
particular time window. If someone looks over your shoulder and
copies down the PIN you enter, they can use it to gain further
access to your account (albeit still requiring more
information). Exactly the same occurs with static passwords
travelling over insecure networks.

> I wouldn't call it a technology, but a technique. Calling it a technology
> implies that it is an advance on the existing state. I think you may be
> putting the needs of the SysAdmin in front of the needs of the users.

S/Key itself is a technique, an instance of one time passwords.
One time passwords themselves are a technology and encompase
certificate based authentication, challenge-response and so on.
They are a technology because they are an entirely different
way of providing authentication from existing systems. They
have proved themselves and _much_ research is occuring in this
area.

> Improving the integrity or maintainability of a system does not always
> improve its usefulness as a tool. To use yet another analogy, its like
> getting your car fixed and the mechanic telling you:

But if you can't ensure the integrity or maintainability of a
system, then how can it be a stable useful tool. If your
password is grabbed and used in an attack, then there are
several scenarios including having the system offline while it
is recovering, or having yourself put under suspicion of
causing the activity, or having your particular method of login
denied because it's deemed too insecure .. and so on. Each of
these is a definite reduction in the systems usefulness, and
while they can still occur with one time passwords, the
incidence rate is reduced by orders of magnitude. Problems
for the administrator affect the user to a certain extent.

> "We moved the engine onto the front seat. It makes it a lot easier to work
> on it if its in the open. This way, if anything goes wrong we can get to
> it straight away"

Ohh this is silly, its not only impractical but absurd. It
would be like taking authentication to the level where you say
"please go and present yourself to the computer centre for
physical verification to get a magnetic card to login; and do
this for each login". No one would propose it, and no one would
use it.

One time passwords do not have to be overly complex, in the case
of hand held authenticators, you have:

1. read challenge from screen
2. enter challenge into device
3. enter secret password into device
4. read digits or words from display
5. enter response into computer

This is not a burden for the user.

> I don't see a "well considered solution" as being one which requires you
> to remember (or write down) a new password every time you log in for every
> system you have an account on. God help anyone who looses a wallet, because
> every wallet will contain the keys to all the information that you own.

You display ignorance about S/Key. S/Key is challenge response
system. When you login, it "challenges" you with a "serial
number". This serial number represents the state of your
password under a iterative hash.

You take that number, and a secret password and enter it into a
client program. This client program exists in software form
_but_ can just as easily be implemented in silicon. You take
the output of this client program and feed it back as a
"response", voila you're authenticated. It is _convenient_ to
pregenerate passwords by using your secret password and any
range of serial numbers. Naturally, if you lose your list --
that is a problem. If the client program was actually a hand
held authenticator, then it would be of little problem, except
cost, but these devices are cheap.

A direct benefit to the user is that as this serial number
decreases upon subsequent logins, the user knows whether a
surreptitious entry has been made between this and the last
entry.

> A "well considered" system is one which has been discussed and argued about.

This topic has been discussed and argued about greatly,
especially in light of network sniffer attacks of late (which
even prompted a US Senate hearing on "internet security" ...).

> If this is the way systems are going, then I think arguing it *is* in
> order. The users are part of the system, not external to it. They should
> have some say in anything that has a direct impact on them, and not
> ignored and treated like ignorant children.

Well, users also benefit by knowing their personal information
is less vulnerable to interception and less maintenance is
spent recovering from attacks that may have occured with static
passwords. Your premise is also that computing systems are
democracies, they tend not to be. In most corporate
environments, a users concerns don't have the same weight as
the organisations when it comes to risk preventation. This is
a seperate, but loosely related, issue.

Matthew.

-- 
Matthew Gream
Consent Technologies
Sydney, (02) 821-2043
M.Gream@nospam.uts.edu.au