ch@dce.ie (Charles Bryant) (04/04/91)
In article <3888.27f10f22@hayes.uucp> tnixon@hayes.uucp asks for:
>... your opinions on the usefulness,
>effectiveness, and value of commonly-used techniques such as
>call-back security (within a modem; I, for example, think it is more
>effective when controlled by an external device so that incoming and
>outgoing calls are on different lines),

In many places callback is useless (in the modem) since the called party cannot clear the call. This doesn't stop customers from asking for it though! Even after this is explained to them.

>encryption (built into the
>modem, like data compression),

The sci.crypt folks will probably be more likely to be qualified to comment on this, but I think end-to-end encryption is better. Particularly if each end is at least as powerful as a PC. However, just as with error correction, I think many people would be more likely to use it if it is in the modem merely because it's there. Obviously if encryption is external to the modem, compression in the modem is not much use. I happen to think it's crazy to use compression in the modem when neither end is a terminal since it just shifts the bottleneck from the phone line to the PC->modem link but that doesn't stop people from running ZMODEM over a compressed link instead of compressing the file first. The same is likely to happen if encryption is added to modems - but, most of the people who use modem-based compression wouldn't use any other compression otherwise so it would probably be the same for encryption and some is better than none.

>modem-based passwords (with the
>exchange of information handled by the error control protocol,
>possibly using an encrypted challenge/response system), etc.

Again, it is probably better to do this end-to-end (and easier unless one end is just a terminal) but it's cheaper to implement since a noticeable delay in verifying a password is not a disadvantage.

>I'm
>also interested in your opinion on whether new techniques such
>as modem-based decoding of caller-ID information would be useful.

That would be useful for other reasons (e.g. callback, routing of calls) so it's probably worth having. (But I can see problems too: e.g. usual modem line fails, so user connects modem to his fax line and wonders why his outgoing calls get put through to fax machine instead of the remote modem).

--
Charles Bryant (ch@dce.ie)
--
If you like the opinions expressed in this message, they may be available for rent - contact your local sales office. Low interest deals available.
smith@sctc.com (Rick Smith) (04/06/91)
I heard a rumor recently that some dialback modems are manufactured with a "backdoor" password that can't be disabled, which gives an outsider rather complete access to the modem. So check out your manufacturer closely. Evidently modem design/manufacturing skills are independent of good sense where security is concerned.

I'm sorry I don't have more detailed information. If the rumor is true, the perpetrator certainly deserves to lose.

Rick.
smith@sctc.com
Arden Hills, Minnesota
janm@dramba.neis.oz (Jan Mikkelsen) (04/06/91)
In article <3888.27f10f22@hayes.uucp> tnixon@hayes.uucp asks for:
>... your opinions on the usefulness,
>effectiveness, and value of commonly-used techniques such as
>call-back security (within a modem; I, for example, think it is more
>effective when controlled by an external device so that incoming and
>outgoing calls are on different lines), encryption (built into the
>modem, like data compression), modem-based passwords (with the
>exchange of information handled by the error control protocol,
>possibly using an encrypted challenge/response system), etc.

What you need in a modem will depend on what you are trying to prevent. If you are trying to keep the entire dialogue on the line secret from someone tapping the line, then data encryption in the modem is useful. This is however not always the case. Commercial users are often more worried about authentication and confidentiality in other places. Cryptography in a modem does not help the data before it enters the sending modem, and after it leaves the receiving modem.

It all comes down to a matter of trust. If the only place you mistrust with your data is the telephone line, then modem encryption is useful. Unfortunately, many people mistrust more than that, and require encryption at a higher level - "end to end".

There is also the problem of key management with a modem. They are harder to do, and it is unlikely that the modem will be able to do asymmetric key cryptography (like RSA) at any reasonable speed.

Modem based passwords and challenge/response could be useful but personally I would put all security functionality into the host where better control can be kept over the secure key storage, logging can be done, and there is greater control over the software.

Now, a smart card reader, PIN pad and a modem in a tamperproofed case would be an interesting idea. I don't think anyone has attempted this yet, and it could certainly help with the key management problem. The cost of these things has come down significantly over the past few years also ...

--
Jan Mikkelsen
janm@dramba.neis.oz.AU or janm%dramba.neis.oz@metro.ucc.su.oz.au
"She really is."
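
The host-side challenge/response that the post above prefers over a modem-based one, as an added example that is not part of the original thread. HMAC-SHA256 stands in for the "encrypted challenge/response" the question mentions, and the class, function and user names and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def respond(key: bytes, user: str, nonce: bytes) -> bytes:
    """Caller's side: prove knowledge of the key without sending it."""
    return hmac.new(key, user.encode() + b"\x00" + nonce, hashlib.sha256).digest()

class HostAuthenticator:
    """Host side: keys, outstanding challenges and the audit log all stay on the host."""

    def __init__(self, keys):
        self.keys = dict(keys)   # user -> shared key (assumed provisioned out of band)
        self.pending = {}        # user -> challenge not yet answered
        self.log = []            # (user, outcome) audit trail

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh per call, so a recorded answer is useless later
        self.pending[user] = nonce        # issued for unknown users too, to avoid revealing who exists
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # each challenge can be answered once
        key = self.keys.get(user)
        ok = (nonce is not None and key is not None
              and hmac.compare_digest(respond(key, user, nonce), response))
        self.log.append((user, "accept" if ok else "reject"))
        return ok

def tapped_line_replay():
    """Constructed scenario: an exchange recorded off the line is presented again later."""
    key = b"constructed-demo-key"                 # sample value, not from the thread
    host = HostAuthenticator({"dialin1": key})
    recorded = respond(key, "dialin1", host.challenge("dialin1"))
    first = host.verify("dialin1", recorded)      # legitimate login
    host.challenge("dialin1")                     # a later call gets a new nonce
    replay = host.verify("dialin1", recorded)     # the recorded answer does not match it
    return first, replay, host.log
```

Only the nonce and the MAC cross the telephone line, so the exchange protects authentication against a tap but, as the post notes, does nothing for the confidentiality of the session that follows.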
ronald@robobar.co.uk (Ronald S H Khoo) (04/07/91)
ch@dce.ie (Charles Bryant) writes:
> I happen to think it's crazy to use
> compression in the modem when neither end is a terminal since it just
> shifts the bottleneck from the phone line to the PC->modem link

Well, if your iron can drive the modem at 38,400, and the modem's only [heh] a V.32, it's not _too_ bad :-)

> but that
> doesn't stop people from running ZMODEM over a compressed link instead
> of compressing the file first.

Convenience, of course. Actually, if they're using anything other than an *ancient* ZMODEM, ZMODEM itself can be asked to do the compression, which gets around the convenience problem, though I don't know how generally good its algorithm is. I've only ever used it for PostScript[TM] files, and it works OK for that.

> If you like the opinions expressed in this message, they may be available
> for rent - contact your local sales office. Low interest deals available.

Ah yes, but does DCE get a cut ? :-)

--
Ronald Khoo <ronald@robobar.co.uk> +44 81 991 1142 (O) +44 71 229 7741 (H)
zuck@mgsscsg.UUCP (Zuck Zuckerbrot) (04/10/91)
just to throw my $.02 in, we here at motorola use a security system between our modems and the systems. every user has a credit card sized device with an lcd display with a six digit number that changes randomly (?) once a minute. to use it one dials in, connects with a modem, enters a four digit PIN followed by the number currently in the window. once validated, it allows you to pass through to the hosts. it's made by security dynamics in boston and is called the "ace system"

"Project teams detest weekly progress reporting because it so vividly manifests their lack of progress." - unknown
--
-Zuck Zuckerbrot            | UUCP ...mcdchg!amtfocus!mgsscsg!zuck -
-Motorola Inc.              | FONE (708)632-6228                   -
-1475 W. Shure Drive S356   | FAX (708)632-4421                    -
-Arlington Hts., IL 60004   | DISCLAIMER=standard;export DISCLAIMER -
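
A sketch of how a gateway could check the PIN-plus-displayed-number passcode described in the post above, added here as an example and not the vendor's algorithm. An HMAC-SHA1 time code (RFC 6238 style) stands in for the card's number generator, and the names, seed, PIN and one-step drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP, DIGITS, SKEW = 60, 6, 1   # one-minute, six-digit codes (from the post); +/-1 step drift is assumed

def token_code(seed: bytes, unix_time: int) -> str:
    """Number the card shows at unix_time (HMAC-SHA1 truncation as a stand-in generator)."""
    mac = hmac.new(seed, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** DIGITS:0{DIGITS}d}"

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Gateway:
    """Sits between the modems and the hosts; a caller passes through only after verify()."""

    def __init__(self):
        self.cards = {}   # user -> seed, salt, hashed PIN, last accepted time step

    def enroll(self, user, pin, seed, salt):
        self.cards[user] = {"seed": seed, "salt": salt,
                            "pin": pin_hash(pin, salt), "last_step": -1}

    def verify(self, user: str, passcode: str, now: int) -> bool:
        card = self.cards.get(user)
        well_formed = len(passcode) == 4 + DIGITS and passcode.isascii() and passcode.isdigit()
        if card is None or not well_formed:
            return False
        pin, code = passcode[:4], passcode[4:]   # four-digit PIN, then the number in the window
        pin_ok = hmac.compare_digest(pin_hash(pin, card["salt"]), card["pin"])
        matched = None
        for step in range(now // STEP - SKEW, now // STEP + SKEW + 1):
            fresh = step > card["last_step"]     # skip steps already used for a login
            if fresh and hmac.compare_digest(token_code(card["seed"], step * STEP), code):
                matched = step
        if not pin_ok or matched is None:
            return False
        card["last_step"] = matched              # this code and any older one are now spent
        return True

def demo():
    gw, seed = Gateway(), b"constructed-seed-0001"    # constructed sample values
    gw.enroll("user1", "4821", seed, b"salt0001")
    t = 670_000_000                                   # arbitrary login time, Unix seconds
    good = "4821" + token_code(seed, t)
    return [gw.verify("user1", good, t),              # fresh code with right PIN
            gw.verify("user1", good, t + 5),          # same passcode seen on the line, replayed
            gw.verify("user1", "0000" + token_code(seed, t + 60), t + 60)]   # stolen card, wrong PIN
```

The `last_step` check is what stops a passcode read off a tapped line from being reused within its one-minute lifetime.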