Re: better login security
From: Max K. (maxk@cs.technion.ac.il)
Date: 12/09/02
- Next message: Tom Van Vleck: "Re: Generating passwords"
- Previous message: Matty: "Re: crypto++ binaries for SunOS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Max K." <maxk@cs.technion.ac.il> Date: Mon, 09 Dec 2002 11:02:10 +0200
Andrei Gurtov wrote:
> Hi,
>
> A well-known attack aimed at revealing users' passwords is simply to run a
> faked login prompt that would record the password the user types while
> thinking he is logging in. To avoid this attack, the machine first has to
> authenticate itself to the user before the user agrees to give his password.
> I wonder if something like this could be included into the login shell:
>
> Login:
> Challenge:
> Response:
> Password:
>
> First the user types his login id and then a challenge word (e.g. "spring").
> The machine decrypts stored response using the challenge as a key and
> replies with the answer (e.g. "break"). Now the user is convinced that the
> login shell is not faked and can type the password to authenticate himself to
> the machine. The challenge and response have to be given by the user
> beforehand and stored in a shadow password file only accessible to root
> processes.
>
> Has something like that been already implemented somewhere (except for
> ctrl-alt-del login in W*s)?
>
> Thanks,
> Andrei Gurtov
> www.cs.helsinki.fi/~gurtov
>
>
all this idea is nice ... but:
the console control, login program, etc. are all owned by root.
if anybody creates link/patches the binary - he/she has already had
your system, so why would your solution help anyway ?
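The enrol-then-prove scheme Andrei sketches, as an added illustration for this thread (not code from either poster). The post only says the machine "decrypts the stored response using the challenge as a key"; the PBKDF2 stretching of the challenge word, the XOR keystream and the HMAC tag that lets login refuse on a wrong challenge are assumptions made here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters, not from the thread: stretch the (low-entropy) challenge
# word so the stored record resists casual brute force a little better.
ITERATIONS = 50_000
TAG_LEN = 32


def _keystream(challenge: str, salt: bytes, length: int) -> bytes:
    # Derive `length` bytes of keystream from the challenge word and a per-record salt.
    return hashlib.pbkdf2_hmac("sha256", challenge.encode(), salt, ITERATIONS, dklen=length)


def enroll(challenge: str, response: str) -> dict:
    """Run once, passwd-style: store the response encrypted under the challenge.

    The returned record is what would live in the root-only shadow file."""
    salt = os.urandom(16)
    plain = response.encode()
    ks = _keystream(challenge, salt, len(plain) + TAG_LEN)
    cipher = bytes(p ^ k for p, k in zip(plain, ks[: len(plain)]))
    # Tag under the trailing keystream bytes so a wrong challenge is detectable.
    tag = hmac.new(ks[len(plain):], cipher, "sha256").digest()
    return {"salt": salt, "cipher": cipher, "tag": tag}


def prove_to_user(record: dict, challenge: str) -> Optional[str]:
    """Login side: after the user types the challenge, recover the response to show him.

    Returns None when the challenge does not match the record, so a genuine login
    prints nothing rather than random bytes (which a user might mistake for a typo)."""
    cipher = record["cipher"]
    ks = _keystream(challenge, record["salt"], len(cipher) + TAG_LEN)
    tag = hmac.new(ks[len(cipher):], cipher, "sha256").digest()
    if not hmac.compare_digest(tag, record["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(cipher, ks[: len(cipher)])).decode()


if __name__ == "__main__":
    rec = enroll("spring", "break")          # constructed example from the post
    print(prove_to_user(rec, "spring"))      # the machine proves itself: "break"
    print(prove_to_user(rec, "summer"))      # wrong challenge: None, nothing leaks
```

Because the key is a dictionary word chosen by the user, anyone who can read the record can recover the response by trying a wordlist, which is why the post insists the file be readable only by root.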