
N-1-2-040.33 Protecting Passwords from Network Snooping
by Jeffrey I. Schiller*, <jis@mit.edu>

The global Internet is a large and heterogeneous network. It is quite
common that the path over which your data travel may include many
separate autonomous network entities. This is particularly true when
we travel to different parts of the world and wish to access our
computer resources back home.

For most people, the information we work with is not so confidential
that we are concerned that it may be observed by third parties as it
traverses the network (there are exceptions of course). However, many
of us do care about our password being compromised when we log in to
systems over the network.

Although reports of passwords illicitly obtained by network "snooping"
are rare, it is also the case that when an account is compromised, it
may be impossible to know how and when the account's password was
obtained. For many of us, it is better to be safe than sorry.

Schemes to protect passwords on the network may be roughly divided
into four categories.

1) One-time passwords. Passwords that are only valid once.

2) Cryptographically protecting passwords from disclosure.

3) Hand-held authentication "token" devices.

4) Cryptographic network authentication systems (Kerberos,
X.509, SPX).

One-time passwords are systems whereby you carry a list of passwords
that you use sequentially. Each individual password is valid for one
use only. Therefore, if an unauthorized individual observes one of your
passwords when you use it, it does them no good, as that particular
password will never be accepted again. The primary advantage of one-time
passwords is that implementation is generally easy. Very few
programs usually need to be modified on most host systems. Of course,
the disadvantage is that you need to carry a password list, and you
hope that it will be long enough for your trip!
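The following is an added example, not code from the article. It implements the password list just described as a hash chain (the Lamport / S/Key construction): the list is derived from a secret seed by repeated one-way hashing, the host keeps only the last value it accepted, and a snooped password is worthless because it is never accepted again and the next password cannot be computed from it. The seed, list length and user values below are constructed for illustration.

```python
"""One-time password list implemented as a hash chain (added example)."""
import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    """One step of the chain: a one-way hash."""
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, n: int) -> list:
    """Return [x_0, x_1, ..., x_n] with x_0 = seed and x_i = h(x_{i-1})."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


def make_password_list(seed: bytes, n: int) -> tuple:
    """Build the user's list and the host's verifier.

    The host stores x_n. The user carries x_{n-1}, x_{n-2}, ..., x_0 and uses
    them in that order: each one hashes to the value the host currently holds.
    """
    chain = hash_chain(seed, n)
    verifier = chain[n]
    passwords = [chain[i].hex() for i in range(n - 1, -1, -1)]
    return verifier, passwords


class OtpHost:
    """Host-side state: only the last accepted value and how many uses remain."""

    def __init__(self, verifier: bytes, n: int):
        self.current = verifier
        self.remaining = n

    def login(self, password_hex: str) -> bool:
        """Accept a password only if it hashes to the stored value, then burn it."""
        if self.remaining == 0:
            return False  # list exhausted; a new list must be issued out of band
        try:
            candidate = bytes.fromhex(password_hex)
        except ValueError:
            return False
        if hmac.compare_digest(h(candidate), self.current):
            self.current = candidate  # advance: this password is now spent
            self.remaining -= 1
            return True
        return False  # wrong, replayed, or out-of-order password


if __name__ == "__main__":
    seed = secrets.token_bytes(16)  # constructed: a fresh seed per issued list
    verifier, pw_list = make_password_list(seed, 5)
    host = OtpHost(verifier, 5)
    print("first use:", host.login(pw_list[0]))  # True
    print("replay:   ", host.login(pw_list[0]))  # False, already spent
    print("next one: ", host.login(pw_list[1]))  # True
```

Because the host stores only a hash of the next acceptable password, even a copy of the host's state does not reveal the list; the "too short for the trip" problem remains, which is why `remaining` is tracked and a used-up list refuses every further login.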

Cryptographically protecting passwords as they traverse the network
involves software on both the client system (or terminal server) and
your host. These two systems need to agree upon a cryptographic key
and algorithm which is used to encipher your password for
communication over the network. This technique is not yet widely used
on the Internet, mostly for lack of standards for doing so. Luckily,
the Telnet Working Group of the IETF (Internet Engineering Task Force)
has recently proposed a Telnet Authentication Option which will enable
the development of standards to achieve this result.
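An added example of the exchange just described, not code from the article or from the Telnet option it mentions. It assumes the client and host already share a secret key (how that key was agreed is outside the snippet). The host issues a fresh random challenge; the client returns the password enciphered under a keystream bound to the key and that challenge, plus an integrity tag; the host accepts each challenge once, so a captured login cannot be replayed. The keystream (HMAC-SHA256 in counter mode) is built from the standard library only so the example runs anywhere; a standard cipher would be used in practice. Key, user name and passwords are constructed values.

```python
"""Enciphering a password in transit under an agreed key (added example)."""
import hashlib
import hmac
import secrets


def derive(key: bytes, label: bytes) -> bytes:
    """Separate sub-keys for enciphering and for the integrity tag."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(enc_key: bytes, challenge: bytes, length: int) -> bytes:
    """Pseudorandom bytes bound to this challenge, so ciphertext differs per login."""
    out = b""
    counter = 0
    while len(out) < length:
        block = challenge + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encipher(key: bytes, challenge: bytes, password: bytes) -> tuple:
    """Client side: returns (ciphertext, tag), the only bytes a snooper sees."""
    ks = keystream(derive(key, b"enc"), challenge, len(password))
    ciphertext = bytes(a ^ b for a, b in zip(password, ks))
    tag = hmac.new(derive(key, b"mac"), challenge + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def decipher(key: bytes, challenge: bytes, ciphertext: bytes, tag: bytes):
    """Host side: check the tag first; return the password, or None if tampered."""
    expected = hmac.new(derive(key, b"mac"), challenge + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = keystream(derive(key, b"enc"), challenge, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def password_record(password: bytes) -> bytes:
    """What the host's password file holds (simplified: an unsalted hash)."""
    return hashlib.sha256(password).digest()


class Host:
    """Holds the agreed key, the password file, and the challenges still open."""

    def __init__(self, key: bytes, password_records: dict):
        self.key = key
        self.password_records = password_records  # user -> password_record(...)
        self.open_challenges = set()

    def challenge(self) -> bytes:
        """Step 1: host sends a fresh, never-reused challenge to the client."""
        c = secrets.token_bytes(16)
        self.open_challenges.add(c)
        return c

    def login(self, user: str, challenge: bytes, ciphertext: bytes, tag: bytes) -> bool:
        """Step 2: host verifies the client's enciphered reply."""
        if challenge not in self.open_challenges:
            return False  # unknown or already used: a replayed capture lands here
        self.open_challenges.discard(challenge)  # one attempt per challenge
        password = decipher(self.key, challenge, ciphertext, tag)
        if password is None:
            return False
        stored = self.password_records.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored, password_record(password))


if __name__ == "__main__":
    key = b"constructed-shared-key"
    host = Host(key, {"alice": password_record(b"correct horse")})
    c = host.challenge()                         # host -> client
    ct, tag = encipher(key, c, b"correct horse")  # client -> host
    print("on the wire:", ct.hex(), tag.hex()[:16] + "...")
    print("login:", host.login("alice", c, ct, tag))   # True
    print("replay:", host.login("alice", c, ct, tag))  # False
```

The point the example makes is that the password itself never appears on the wire, and that a key alone is not enough: without the one-use challenge, the same ciphertext could be replayed by anyone who captured it.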

Hand-held authentication tokens are portable credit-card-size devices
that you use to augment your login process. In essence these devices
are a specialized form of a one-time password system. However, instead
of needing to carry around a list of passwords, you carry the card.
These devices also effectively replace a password-based login
mechanism with something better, something that is also immune to the
problems of poor password choice.

The biggest disadvantage to hand-held authenticators is their cost,
and of course the need to carry them with you (and not lose them!).

In the next issue of the Internet Society Newsletter we will go over
network authentication systems, the fourth category. These systems
help address the problem of protecting passwords as they traverse the
network as well as offer authentication solutions for protocols other
than the traditional login and file transfer. As network applications
become more distributed and sophisticated, these systems will play a
larger role in network security.


* MIT Network Manager, Massachusetts Institute of Technology