[5171] in www-talk@info.cern.ch


Re: Minimal Authorization

daemon@ATHENA.MIT.EDU (Michael A. Dolan)
Sat Aug 13 13:38:08 1994

Date: Sat, 13 Aug 1994 19:36:04 +0200
Errors-To: listmaster@www0.cern.ch
Reply-To: miked@CERF.NET
From: miked@CERF.NET (Michael A. Dolan)
To: Multiple recipients of list <www-talk@www0.cern.ch>

At 08:09 PM 8/12/94 -0400, Stephen D Crocker wrote:
>At the risk of sounding too much like an alarmist and a security
>zealot, passwords in the clear are no longer an acceptable risk.  At
>the very least, a challenge-response system is necessary.

I fully expected this response and appreciate your input.  "In the clear"
is somewhat vague, though.  For example, what if they were simply Base64
(or uuencode, or rot13, or...) encoded ?  Then they're not in the clear,
but the "encryption" is keyless and therefore somewhat trivial.

>One useful scheme is S/Key: it's free, easily available and fits into
>the existing paradigms.

Could you provide a pointer ?

>Much stronger schemes are also available, e.g. Kerberos, public key
>systems, etc.

These are overkill for many applications, hence my request.  I'm looking
more for the "window latch protection" - it won't keep a determined
burglar out of your house, but it will keep the honest person honest.

>This point has been identified as a critical issue in the security of
>the Internet and highlighted in a recent Internet Architecture Board
>workshop.

I appreciate your input and will hopefully not perpetuate passwords in the
clear (such as TELNET, FTP, etc).  How does IETF propose to enhance these
existing protocols ?  Surely they won't jump from "clear" to DES and
digital signatures ?  Perhaps there is some common ground here ?

        Mike
-----------------------------------------------
Michael A. Dolan - <mailto:miked@cerfnet.com> 
TerraByte Technology (619) 445-9070,  FAX -8864
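
The contrast raised in this thread, as an added example that is not part of the original message: a Base64-encoded password is reversed without any key, while an S/Key-style one-time password (a hash chain) is rejected once it has been used. SHA-256 stands in for the hash S/Key itself uses, and every name and sample value below is constructed for illustration.

```python
import base64
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash S/Key itself uses.
    return hashlib.sha256(data).digest()


def chain(secret: bytes, n: int) -> bytes:
    """Hash the secret n times: the n-th link of the chain."""
    for _ in range(n):
        secret = h(secret)
    return secret


class OtpServer:
    """Holds only the last accepted link, never the user's secret."""

    def __init__(self, secret: bytes, count: int):
        self.stored = chain(secret, count)
        self.remaining = count

    def login(self, otp: bytes) -> bool:
        # Valid only if hashing it once yields the stored link.
        if self.remaining == 0 or not hmac.compare_digest(h(otp), self.stored):
            return False
        self.stored = otp          # next login must present the link before this one
        self.remaining -= 1
        return True


def demo() -> dict:
    password = "window-latch"                       # constructed sample value
    wire = base64.b64encode(password.encode()).decode()
    seen_on_wire = base64.b64decode(wire).decode()  # no key needed to reverse it

    secret = b"constructed-seed-and-passphrase"     # constructed sample value
    server = OtpServer(secret, 100)
    otp = chain(secret, 99)                         # computed on the client side
    return {
        "base64_reveals_password": seen_on_wire == password,
        "first_login": server.login(otp),
        "replayed_login": server.login(otp),        # same value sent again
        "next_login": server.login(chain(secret, 98)),
    }


if __name__ == "__main__":
    print(demo())
```

The server never stores the secret, only the most recently accepted link, so the value that crosses the network is good for exactly one login.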


