Finding Passwords
Louis Faraut
jlf at mirsa.inria.fr
Tue Oct 2 23:01:44 AEST 1990
Hello interns!
Here is my little contribution to the login Trojan issue. It seems
to me that the problem happens because authentication is one-way only,
user -> computer. In the present login protocol, the user could possibly
be a bad guy, the computer is always "a good guy". This is clearly a
false assumption :-(
What about two-way authentication, modifying the getty program to
oblige the computer to authenticate itself?
This could be achieved in the following way, by use of a secret keyword,
a sort of secondary passwd:
- CPU prompts "login:"
- type your login name
- CPU decrypts your secret keyword and displays it on screen.
  (Each user keeps his own secret keyword encrypted in a personal file;
  only the owner and root can read/modify this file.)
- CPU prompts "passwd:"
- Now you can either type your usual passwd if the secret
  keyword was right, or do anything else, possibly aborting the session.
So, is there an easy way to attack this protocol?
@
, ,, ,,_._.
/ // // Jean-Louis Faraut
/ // //--
// / // // Administrateur Systeme
((_._' ((_._. // de l'ESSI
E-mail : +-----------------------------------------------------+
jlf at cerisi.cerisi.fr | ESSI (Ecole Superieure des Sciences Informatiques) |
jlf at mirsa.inria.fr | Sophia-Antipolis (France) |
Tel. : 93 95 44 37 +-----------------------------------------------------+
Sorry for bad English, I'm French, nobody is perfect :-)
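
The exchange proposed in the message above, as an added example that is not part of the original post: a Python model of the host side (decrypt and display the keyword from an owner-only file) and the user side (type the password only if the keyword is right), run once against the genuine prompt and once against a look-alike prompt that cannot read the file. The file name, the host key, the sample keywords and the SHA-256 keystream XOR standing in for the unspecified encryption are all assumptions.

```python
import hashlib, os, stat, tempfile

HOST_KEY = b"constructed-host-key"  # assumption: a key only the host (root) holds

def _xor(data: bytes, user: str) -> bytes:
    # Stand-in cipher (SHA-256 keystream XOR) so the example is stdlib-only;
    # the post does not say which encryption is used.
    stream = hashlib.sha256(HOST_KEY + user.encode()).digest()
    return bytes(b ^ s for b, s in zip(data, stream))

def enroll(home: str, user: str, keyword: str) -> str:
    """Store the keyword encrypted, in a file only its owner can read/modify."""
    path = os.path.join(home, f".{user}_keyword")  # hypothetical file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(_xor(keyword.encode()[:32], user))  # keystream covers 32 bytes
    return path

def host_challenge(path: str, user: str) -> str:
    """Host side: after 'login:', decrypt the keyword that will be displayed."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # group/other bits set: the post's file rule is violated
        raise PermissionError(f"{path} is accessible beyond its owner")
    with open(path, "rb") as f:
        return _xor(f.read(), user).decode()

def user_decides(displayed: str, expected: str) -> str:
    """User side: type the password only if the right keyword was shown."""
    return "type-password" if displayed == expected else "abort"

def session(prompt_program, user: str, expected: str) -> list:
    """Transcript of one login attempt against the given prompt program."""
    shown = prompt_program(user)
    return ["login: " + user, "keyword: " + shown, "passwd:",
            user_decides(shown, expected)]

def demo():
    home = tempfile.mkdtemp()
    path = enroll(home, "jlf", "blue heron")       # constructed sample values
    genuine = lambda u: host_challenge(path, u)    # modified getty: reads the file
    lookalike = lambda u: ""                       # look-alike prompt: cannot read it
    return (session(genuine, "jlf", "blue heron"),
            session(lookalike, "jlf", "blue heron"))

if __name__ == "__main__":
    for transcript in demo():
        print(transcript)
```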