[mod.computers.vax] sundry thoughts . . .

X230GV@TAMVM1.BITNET.UUCP (02/19/87)

``Concealment is not security.''
                        ---F. T. Grampp and R. H. Morris
                           ``UNIX Operating System Security''
                           AT&T Technical Journal, October 1984
 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
I can't help being amused.  I subscribed to info-vax just after the start
of the discussion about restricting the readership, but I gather that it all
started when somebody distributed the VMS password encryption algorithm.
 
I saw the DCL example where DECnet was used to verify the password, and
I immediately started seeing problems with it, not least of which is one that
I haven't seen mentioned: if you're using an Ethernet, sending your unencrypted
password out onto it is very dangerous.  Every transceiver on the net gets a
copy of it, right there together with the node and userid, and it's the
responsibility of the receiving software to say ``no, that packet's not for
me.''  It would not be difficult to write the software necessary to just pull
everybody's packets in and peruse them. In fact, Ethernet monitors that can
look at the contents of any packet are common.
 
On the other hand, the VMS password encryption is very secure.  If the user
chooses good passwords and changes them at reasonable intervals (this is *not*
the manager's responsibility), the password hacker has to use a random search,
even with the algorithm.  The only difference is that now the hacker has a way
of verifying his guesses; this does not affect the fact that it'll take a heck
of a lot of CPU time to find even a single password (several years, usually),
due to the complexity of the algorithm and the number of possible permutations.
 
The encryption algorithm is easily obtained.  Keeping such things off of
info-vax will not slow hackers; they don't gain much from it anyway.  You
will succeed, however, at lulling managers and users into a false sense
of security, causing them to prefer swiss cheese methods such as the
aforementioned DECnet kludge.  Do you imagine that a program using password
encryption would be easier to hack than that one has proven to be?  Hardly!
And after all the holes that have already been found in it, is anyone really so
naive as to believe there are no more?
 
Best regards,
Glenn Vanderburg
 
P.S.  The article referred to at the top of this note is an excellent one.
      Although it deals specifically with UNIX, that system is similar enough
      to VMS (as far as security goes) to make the article highly relevant.