Ray Trent rat at aalps3.erg.sri.com
Thu May 16 13:15:10 AEST 1991


Subject: Re: BSD tty security, part 3: How to Fix It
Reply-To: rat at erg.sri.com (Ray Trent)
Organization: SRI International, Menlo Park CA
References: <etc.> <14021:May1521:56:2291 at kramden.acf.nyu.edu>
Date: Wed, 15 May 91 23:39:10 GMT

In the referenced article, brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>Be serious. The whole point of a SECURE attention key is that it cannot
>be violated by unprivileged applications (i.e., things outside the TCB).
>And, as Bellovin told you, there's no need for an application to turn
>off the SAK---you just make the SAK a variable-length signal if normal
>data is fixed-length, and vice versa. This is a non-issue.

This concept of a "secure" attention key is silly. If the terminal is
sufficiently physically secure and you trust the users with access to
it then no secure attention key is needed. If this isn't the case, no
secure attention key is possible. It is almost as easy for me to plug
in an 8-bit ASCII fixed-length character filter into the line as it is
for me to set up a trojan horse password stealer in the first place.
Even if I couldn't simply purchase such a toy, it would be trivial to
make in my garage. All you've done is make the stealer's job slightly
more difficult. No, amend that, you've also instilled an unwarranted
confidence in the minds of your users. 

If you want to do this right, use a zero knowledge exchange to
mutually verify the identity of both the login program and the user
logging in. The easy, non-hardware ways to do this probably still
won't protect against people looking over your shoulder, but they
prevent the problems under discussion very nicely and much more
securely.

--
"When you're down, it's a long way up
 When you're up, it's a long way down
 It's all the same thing
 And it's no new tale to tell"                      ../ray\..
