Usenet Security
Bob Larson
blarson at skat.usc.edu
Thu Feb 25 06:19:51 AEST 1988
In article <1988Feb22.175256.12780 at jarvis.csri.toronto.edu> flaps at csri.toronto.edu (Alan J Rosenthal) writes:
>In article <7311 at brl-smoke.ARPA> gwyn at brl.arpa (Doug Gwyn) writes:
>>One way to not lose an appreciable degree of security due to modem
>>access (assuming telephone line tapping is ruled out) is to have
>>the system check an incoming user ID against an internal list and
>>call back the phone number contained in the internal list to
>>establish the real working connection.
>Doesn't this just put the shoe on the other foot? If you call the
>other system back, you have to prove that it's you calling back.
This is easy to solve, include a temporary password with the first
call. The called back system will then know that the system calling it
knows a random password it just generated and sent to one other system.
(There should be an exparation time on the password, related to the
maximum time the call back will take.)
System A calls System B to and says "Hi, I'm system A, use Password
xxxyyyz and call me back."
System B then calls system A and says "I'm system B, someone told me
to call and use password xxxyyyz."
A possible improvement would be to not have system A hang up and not
tell it's password until the other system has called back.
This is NOT secure from phone taps.
--
Bob Larson Arpa: Blarson at Ecla.Usc.Edu blarson at skat.usc.edu
Uucp: {sdcrdcf,cit-vax}!oberon!skat!blarson
Prime mailing list: info-prime-request%fns1 at ecla.usc.edu
oberon!fns1!info-prime-request
More information about the Comp.unix.wizards
mailing list