
Regarding the issue of telnet'ing through an insecure system: A general solution to this problem is to have the system you are attaching to engage in some dialog with you to establish your identity. However, the dialog must be such that even if it is monitored by the system you are going through, that will not allow them to later claim to be you. This is the same basic problem as entering a PIN for a credit or debit card in an environment where the PIN can be seen or recorded. If someone sees your PIN they can steal your ATM card (or dcash card, in the future) and access your money. Cryptographic solutions involve zero-knowledge proof systems but they are too complicated to work in your head.

For the hohocon case you could have a calculator programmed with some one-way function (DES is available for the HP48); the remote system could generate a challenge number and you would use your calculator to DES-encrypt it with a fixed secret key, then type the result in, and the remote system would check it. This would not help the hohocon people because next time they tried to log in as you the challenge number would be different.

There was a paper in the Eurocrypt 91 proceedings called "Human Identification Through Insecure Channel" which attempted to address this problem. The authors proposed a system which was supposed to be simple enough that you could work the response in your head, but which would be complex enough that eavesdroppers would not be able to figure it out, even after seeing many examples. The idea was that the remote system would issue a challenge as a string of letters or digits: 1982043765. You will give a response of the same length, but only certain positions matter. Those positions are identified by one of two secret words that you memorize. Suppose the first secret is 1246. You will produce a response which embeds the 2nd secret word in the positions where 1, 2, 4, and 6 appear. Suppose the 2nd secret word is 3124. Your response, written below the challenge, would be:

1982043765
3421223142
-  - -  -

Only the marked positions matter; the others are random. This sounds simple enough, but the problem is that for true security the authors require a much longer string with a much larger set of characters, 40 or 50 characters long. I tried implementing their algorithm, without even memorizing the secrets, just writing them down (they had to be about 10 letters long), and entering in a response given a challenge, and I couldn't do it. It was extremely difficult to locate the checked positions and put in the next letter. It took forever to do it, and I kept making mistakes. Maybe with practice it would get easier. Or, perhaps the technique would still be useful with a smaller question size to provide less security but still more than you would get without it. It would be interesting to see if other people come up with approaches to solve this problem. I really don't think that protecting my smart card with a 6-digit PIN is going to be adequate.

Hal Finney
hfinney@shell.portal.com

It seems to me that a simpler solution than challenge-response would be to emulate the tear-sheet crypto systems and just have a series of one-shot passwords generated. Each time you log in, it requires the next password from the sheet, so capturing the old one does no good (just as breaking the one-time codes from tear sheets doesn't help). Now if I could just figure out a simple way to do this on UNIX... --Alan

Now if I could just figure out a simple way to do this on UNIX...
This exists. It is called S/KEY, and you can retrieve this via anonymous ftp from thumper.bellcore.com, somewhere... It uses MD4 as a one-way hash to generate a series of pseudorandom words. It's a neat system. -derek

Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
Secretary, MIT Student Information Processing Board (SIPB)
PGP key available from pgp-public-keys@pgp.mit.edu
warlord@MIT.EDU PP-ASEL N1NWH

"Alan (Gesture Man) Wexelblat" <wex@media.mit.edu> wrote:
It seems to me that a simpler solution than challenge-response would be to emulate the tear-sheet crypto systems and just have a series of one-shot passwords generated. Each time you log in, it requires the next password from the sheet, so capturing the old one does no good (just as breaking the one-time codes from tear sheets doesn't help).
Now if I could just figure out a simple way to do this on UNIX...
You can use a sequential PRNG to do this, and then add a scrambling system to the output (to confuse anyone trying to break the pattern). I once wrote a program to do this (just for experimentation, and not in UNIX...).

Matthew J Ghio says:
"Alan (Gesture Man) Wexelblat" <wex@media.mit.edu> wrote:
It seems to me that a simpler solution than challenge-response would be to emulate the tear-sheet crypto systems and just have a series of one-shot passwords generated. Each time you log in, it requires the next password from the sheet, so capturing the old one does no good (just as breaking the one-time codes from tear sheets doesn't help).
Now if I could just figure out a simple way to do this on UNIX...
You can use a sequential PRNG to do this, and then add a scrambling system to the output (to confuse anyone trying to break the pattern). I once wrote a program to do this (just for experimentation, and not in UNIX...).
You want to use a cryptographically strong one, however, because most PRNGs are easily guessed. This in practice means using MD5 or DES or IDEA or something as an RNG. Perry
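The one-time password list Alan wants, built the way Derek's S/KEY description and Perry's "cryptographically strong" requirement suggest, as an added example in Python (not the S/KEY code itself): the sheet is a hash chain, the server keeps only the current top of the chain, and each login must present the preimage of what the server holds. S/KEY used MD4; SHA-256 is substituted here as an assumption, the passwords are shown as hex instead of S/KEY's word encoding, and the class and function names are made up for this example.

```python
# Added example, not the S/KEY source: a hash-chain one-time password sheet.
# chain[k] = h^k(seed). The server is initialised with chain[n]; the user's sheet
# holds chain[n-1] down to chain[1], used from the top. Because h is one-way
# (Perry's point), seeing chain[k] on the wire does not reveal chain[k-1].
import hashlib

def h(data: bytes) -> bytes:
    # SHA-256 stands in for S/KEY's MD4 (assumption made for this example).
    return hashlib.sha256(data).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [seed, h(seed), h(h(seed)), ..., h^n(seed)]."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

def print_sheet(chain: list) -> list:
    """The tear sheet: passwords in the order they will be used (top of chain first)."""
    return [(k, chain[k].hex()[:16]) for k in range(len(chain) - 2, 0, -1)]

class Server:
    """Stores only the current chain top and a counter; never the seed or the sheet."""
    def __init__(self, top: bytes, count: int):
        self.top = top      # h^count(seed)
        self.count = count  # logins remaining before the sheet must be regenerated

    def login(self, otp: bytes) -> bool:
        if self.count == 0 or h(otp) != self.top:
            return False
        # Accept, then move the stored value down the chain so this otp is dead.
        self.top, self.count = otp, self.count - 1
        return True

def next_password(chain: list, server_count: int) -> bytes:
    """Client helper: the entry the server will accept next is chain[server_count-1]."""
    return chain[server_count - 1]

if __name__ == "__main__":
    seed = h(b"constructed passphrase" + b"constructed salt")  # constructed sample seed
    chain = make_chain(seed, 5)
    srv = Server(chain[5], 5)
    for k, word in print_sheet(chain):
        print(k, word)
    print(srv.login(next_password(chain, srv.count)))   # True
    print(srv.login(chain[4]))                          # False: replay of a used password
```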

For the hohocon case you could have a calculator programmed with some one-way function (DES is available for the HP48); the remote system could generate a challenge number and you would use your calculator to DES-encrypt it with a fixed secret key, then type the result in, and the remote system would check it.

In fact, that's exactly why I wrote it :-). Maybe I should go dig up the source to the challenge-response program I wrote to go along with it...

- Bill
participants (6)
- Alan (Gesture Man) Wexelblat
- Derek Atkins
- hfinney@shell.portal.com
- Matthew J Ghio
- Perry E. Metzger
- sommerfeld@orchard.medford.ma.us