Re: Minimal Authorization

Brian Behlendorf (brian@wired.com)
Sat, 13 Aug 1994 12:10:25 -0700 (PDT)


On Sat, 13 Aug 1994, Stephen D Crocker wrote:
> > At 08:09 PM 8/12/94 -0400, Stephen D Crocker wrote:
> > >At the risk of sounding too much like an alarmist and a security
> > >zealot, passwords in the clear are no longer an acceptable risk. At
> > >the very least, a challenge-response system is necessary.
> >
> > I fully expected this response and appreciate your input. "In the clear"
> > is somewhat vague, though. For example, what if they were simply Base64
> > (or uuencode, or rot13, or...) encoded? Then they're not in the clear,
> > but the "encryption" is keyless and therefore somewhat trivial.
>
> No, these types of transformations provide no protection. The current
> state of hacker technology includes widespread use of sniffers.
> Passwords appearing in transit are now regularly recorded and
> exploited. Extraction of these passwords from the stream of other
> material requires enough sophistication to find the right fields,
> determine if the packet contains the password, extract it if it
> exists, and forward, perhaps via a circuitous and/or encrypted path,
> back to the bad guy. Given this level of sophistication on the part
> of the hacker, the longest part of adding uudecode or rot13 to the
> sequence is the time it would take him to sneer.

But given that a small percentage of Internet users are at this level of
sophistication, I think that there are still applications for which
minimal authorization is totally fine. These are applications in which
no real assets are protected, where the passwords are used more for
identification than for true authentication. Where the payoff for
cracking isn't all that great.

An example of this is posting an article to USENET. It is certainly
possible to forge posts, yet this doesn't hinder its effectiveness all
that much. It takes about 10 minutes to teach someone how to forge a
post; 1 minute if they have practice forging email. People who are
concerned with making sure their identities can't be forged give their
posts digital signatures, of course.

Now, if Microsoft were to come out with "Forging for Windows" or
"MacForge", then I'd be more concerned about this. I don't think I'm
coming out on a limb when I say sniffing won't be something that'll ever
be trivially easy.

But I should also qualify this with the comment that most password
applications today should have stronger encryption.

Brian
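To make the thread's two points concrete, here is an added example (not code from the original messages or their authors) contrasting the keyless Base64 "encryption" Brian asks about with the challenge-response scheme Steve calls for. It assumes a constructed username and password and uses HMAC-SHA256 as the response function; the point is what a passive observer of the wire gets in each case, not any particular protocol's framing.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials for the demonstration (not from the thread).
USERNAME = "brian"
PASSWORD = "correct-horse"


def basic_style_token(user: str, password: str) -> str:
    """Keyless 'encoding' of the password: the Base64 case from the thread."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def observer_recovers_password(token: str) -> str:
    """What a passive observer learns from a Base64 token: the password itself,
    because the transformation has no key to withhold."""
    _user, _, password = base64.b64decode(token).decode().partition(":")
    return password


def challenge_response(password: str, challenge: bytes) -> str:
    """Client side of a challenge-response exchange: prove knowledge of the
    password by keying an HMAC over a server-chosen nonce. The password itself
    never appears on the wire."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


def server_verifies(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = challenge_response(stored_password, challenge)
    return hmac.compare_digest(expected, response)


def wire_view_of_exchange(password: str) -> dict:
    """Run one challenge-response exchange and return exactly what an observer
    on the wire sees: a random challenge and a keyed digest, no password."""
    challenge = secrets.token_bytes(16)
    response = challenge_response(password, challenge)
    return {"challenge": challenge.hex(), "response": response}


if __name__ == "__main__":
    token = basic_style_token(USERNAME, PASSWORD)
    print("Base64 token on the wire:", token)
    print("observer recovers:", observer_recovers_password(token))
    print("challenge-response on the wire:", wire_view_of_exchange(PASSWORD))
```

A captured response is also useless against a later exchange, since the server issues a fresh challenge each time; what challenge-response does not do is hide a weak password from offline guessing once the challenge and response are recorded.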