foster@seismo.CSS.GOV (Glen Foster) (03/24/88)
It is important for those who may be contemplating the acquisition of a "PC LAN" to know that there is essentially no security on a 3Com 3+ LAN. Passwords are stored in the name service database as _two byte_ values giving only 2^16 possible values. Brute force attacks on a password (e. g. starting with AAAA and going to AAAB, AAAC etc.) quickly succeed allowing undectable access to any LAN resource or user account. It is extremely unwise to allow dial-up access (3+Remote or 3+Route) to a 3+ network server and one may want to think twice before installing a 3+ network at all. It is possible to change the size of the password field in the name service database but this does not change the size of the actual entry. The password authentication mechanism hashes the password to two bytes before passing it to the server. It would seem a fairly simple matter to modify the algorithm to generate a longer string (the server need not store all of it if a shorter field were specified) and attain additional security by requiring more trials. I have spoken to 3Com (through a 3Com dealer) about this and they recognize that it is a "problem" but do not intend to do anything about it. This article is, partly, an effort to get them to respond in a more reasonable fashion. Their position, as I understand it, is that it will be "fixed in 3+Open" some time in the unspecified future in an unspecified way. Since 3+Open will not run on 3Com's 80186-based server product, those who chose not to upgrade their servers will forever be at risk unless 3Com rethinks their short-sighted policy. This notice is not an endorsement of any competing PC LAN, simply an announcement of a serious shortcoming in 3Com's 3+ product. Sincerely, Glen Foster