[lug] security of mindterm applet?

Sean Reifschneider jafo at tummy.com
Mon Oct 30 13:39:13 MST 2000


On Mon, Oct 30, 2000 at 04:28:59PM +0100, rm at mamma.varadinet.de wrote:
>use a retina scanner or fingerprint reader (or smartcard etc.) the device is

SmartCards are smart because they don't just give up their secret during
an authentication.  The authentication is more like CHAP, where any party
listening in the middle doesn't gain anything.

CHAP works like this:  One side presents a string as a challenge.
Both sides take this challenge and append the "secret" (your password)
to it.  They then both generate an md5sum of the resulting string.
If the remote side sends back this string, you know they have the secret.
The idea is that a challenge should only be used once, or at the very least
be very sparse.

Sniffing this session results in a response that can only be used for
exactly the same challenge.  A challenge consisting of the time in
microseconds, pid, and remote IP/port (if available) seems reasonably
good.

This is similar to the way the ssh-agent program works.

>both times the intruder seemed to have the 'right' password. And both times the
>intrusion happened shortly after the owner of the box logged in from an internet
>cafe (and he claims that he used ssh). 

Running SSH on an untrusted system is generally a bad idea.  It's easy
enough to modify SSH so that it logs where the connection was made to
and what password was presented.  OpenSSH supports S/Key, which would
make me feel slightly better about logging in from a public terminal...
Usually I won't do anything over the network unless I can just get a
direct net connection and use my laptop though.

If you have mail you want to check when you're out, try forwarding mail
to one of the various web-based mail services, or set up your own...

Sean
-- 
 [...] Premature optimization is the root of all evil.
                 -- Donald Knuth
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
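The challenge/response exchange described in the post above, as an added example that is not part of the original message. Both sides, the eavesdropper's replay, a fresh session without the secret, and an offline dictionary attack on the sniffed pair are all constructed here; the shared secret, the wordlist and the IP/port values are made-up sample data. The response is built as MD5(challenge || secret), as the post describes; RFC 1994 CHAP hashes identifier || secret || challenge instead, but the principle is identical.

```python
import hashlib
import hmac
import os
import time

SECRET = b"correct horse"  # constructed sample password shared by both sides


def chap_response(challenge: bytes, secret: bytes) -> str:
    """Response = MD5(challenge || secret), as the post describes.
    RFC 1994 CHAP hashes id || secret || challenge; same principle."""
    return hashlib.md5(challenge + secret).hexdigest()


class Server:
    """Verifier side: hands out single-use challenges and checks responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = set()  # challenges issued but not yet answered

    def issue_challenge(self, remote_ip: str, remote_port: int, now_us=None) -> bytes:
        """Challenge from time in microseconds, pid and remote IP/port, as the
        post suggests (fresh, but guessable; see the note below the code).
        now_us is a parameter only so a caller can pin the value."""
        if now_us is None:
            now_us = time.time_ns() // 1000
        ch = f"{now_us}:{os.getpid()}:{remote_ip}:{remote_port}".encode()
        self.pending.add(ch)
        return ch

    def verify(self, challenge: bytes, response: str) -> bool:
        """A challenge may be answered once: it is removed from the pending set
        before the digest is compared, so a replayed pair is rejected."""
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        expected = chap_response(challenge, self.secret)
        return hmac.compare_digest(expected, response)


def run_session(server: Server, secret: bytes, ip="203.0.113.7", port=40522):
    """One legitimate client login; returns (challenge, response, accepted)."""
    ch = server.issue_challenge(ip, port)
    resp = chap_response(ch, secret)
    return ch, resp, server.verify(ch, resp)


def replay_attack(server: Server, sniffed):
    """Eavesdropper re-sends the captured challenge/response pair."""
    ch, resp, _ = sniffed
    return server.verify(ch, resp)


def guess_without_secret(server: Server, guess=b"password"):
    """Eavesdropper opens a fresh session; without the secret the response
    to the new challenge does not match."""
    ch = server.issue_challenge("198.51.100.9", 51000)
    return server.verify(ch, chap_response(ch, guess))


def offline_dictionary(sniffed, wordlist):
    """What sniffing does buy the attacker: with one pair in hand the
    password can be brute-forced offline against a wordlist."""
    ch, resp, _ = sniffed
    for word in wordlist:
        if chap_response(ch, word) == resp:
            return word
    return None


if __name__ == "__main__":
    srv = Server(SECRET)
    s = run_session(srv, SECRET)
    print("legitimate auth :", s[2])                                 # True
    print("replayed pair   :", replay_attack(srv, s))                # False
    print("fresh, no secret:", guess_without_secret(srv))            # False
    print("offline crack   :", offline_dictionary(s, [b"letmein", b"correct horse"]))
```

The example keeps the post's challenge recipe (time, pid, remote IP/port) to show that single use is what defeats replay; in practice draw the challenge from `os.urandom` so it is unpredictable as well as fresh, and use an HMAC (e.g. HMAC-SHA256) rather than a bare MD5 over concatenated data. The `offline_dictionary` function is the caveat: a sniffed pair cannot be replayed, but it is an offline oracle for guessing a weak password, which is why a smartcard holding a high-entropy key is stronger than the same protocol run over a memorable password.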
