home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Internet Info 1997 December
/
Internet_Info_CD-ROM_Walnut_Creek_December_1997.iso
/
isoc
/
pub
/
isoc_news
/
1-2
/
n-1-2-040.33a.Z
/
n-1-2-040.33a
Wrap
Text File
|
1994-03-26
|
4KB
|
78 lines
N-1-2-040.33 Protecting Passwords from Network Snooping by Jeffrey I.
Schiller*, <jis@mit.edu>
The global Internet is a large and heterogeneous network. It is quite
common that the path over which your data travel may include many
separate autonomous network entities. This is particularly true when
we travel to different parts of the world and wish to access our
computer resources back home.
For most people, the information we work with is not so confidential
that we are concerned that it may be observed by third parties as it
traverses the network (there are exceptions of course). However, many
of us do care about our password being compromised when we login to
systems over the network.
Although reports of passwords illicitly obtained by network "snooping"
are rare, it is also the case that when an account is compromised, it
may be impossible to know how and when the account's password was
obtained. For many of us, it is better to be safe then sorry.
Schemes to protect passwords on the network may be roughly divided
into four categories.
1) One time passwords. Passwords that are only valid once.
2) Cryptographicly protecting passwords from disclosure.
3) Hand held authentication "token" devices.
4) Cryptographic network authentication systems (Kerberos,
X.509, SPX).
One time passwords are systems whereby you carry a list of passwords
that you use sequentially. Each individual password is valid for one
use only. Therefore if an unauthorized individual observes one of your
passwords when you use it, it does them no good as that particular
password will never be accepted again. The primary advantage of one
time passwords is that implementation is generally easy. Very few
programs usually need to be modified on most host systems. Of course
the disadvantage is that you need to carry a password list and you
hope that it will be long enough for your trip!
Cryptographicly protecting passwords as they traverse the network
involves software on both the client system (or terminal server) and
your host. These two systems need to agree upon a cryptographic key
and algorithm which is used to encipher your password for
communication over the network. This technique is not yet widely used
on the Internet, mostly for lack of standards for doing so. Luckily,
the Telnet Working Group of the IETF (Internet Engineering Task Force)
has recently proposed a Telnet Authentication Option which will enable
the development of standards to achieve this result.
Hand held authentication tokens are portable credit card size devices
that you use to augment your login process. In essence these devices
are a specialized form of a one time password system. However, instead
of needing to carry around a list of passwords, you carry the card.
These devices also effectively replace a password based login
mechanism with something better, something that is also immune to the
problems of poor password choice.
The biggest disadvantage to hand held authenticators are their cost,
and of course the need to carry them with you (and not lose them!).
In the next issue of the Internet Society Newsletter we will go over
network authentication systems, the fourth category. These systems
help address the problem of protecting passwords as they traverse the
network as well as offer authentication solutions for protocols other
than the traditional login and file transfer. As network applications
become more distributed and sophisticated, these systems will play a
larger role in network security.
* MIT Network Manager, Massachusetts Institute of Technology
