rat@aalps3.erg.sri.com (Ray Trent) (05/16/91)
Subject: Re: BSD tty security, part 3: How to Fix It
Reply-To: rat@erg.sri.com (Ray Trent)
Organization: SRI International, Menlo Park CA
References: <etc.> <14021:May1521:56:2291@kramden.acf.nyu.edu>
Date: Wed, 15 May 91 23:39:10 GMT

In the referenced article, brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:

>Be serious. The whole point of a SECURE attention key is that it cannot
>be violated by unprivileged applications (i.e., things outside the TCB).
>And, as Bellovin told you, there's no need for an application to turn
>off the SAK---you just make the SAK a variable-length signal if normal
>data is fixed-length, and vice versa. This is a non-issue.

This concept of a "secure" attention key is silly. If the terminal is
sufficiently physically secure and you trust the users with access to it,
then no secure attention key is needed. If this isn't the case, no secure
attention key is possible.

It is almost as easy for me to plug an 8-bit ASCII fixed-length character
filter into the line as it is for me to set up a trojan horse password
stealer in the first place. Even if I couldn't simply purchase such a toy,
it would be trivial to make in my garage. All you've done is make the
stealer's job slightly more difficult. No, amend that: you've also
instilled an unwarranted confidence in the minds of your users.

If you want to do this right, use a zero-knowledge exchange to mutually
verify the identity of both the login program and the user logging in.
The easy, non-hardware ways to do this probably still won't protect
against people looking over your shoulder, but they prevent the problems
under discussion very nicely and much more securely.

-- 
"When you're down, it's a long way up
When you're up, it's a long way down
It's all the same thing
And it's no new tale to tell"
../ray\..
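The mutual zero-knowledge exchange the post recommends, as an added illustration that is not part of the original thread and not a protocol Ray Trent or anyone else in the thread specified: both the login program and the user hold a Schnorr-style identity (a secret exponent and a public value), and each proves knowledge of its secret to the other without revealing it. A trojan login program that does not hold the genuine program's secret fails the user's check, and a recorded exchange gives a password stealer nothing, because an accepting transcript can be produced without the secret. The group parameters are toy values constructed for the example; the function names are assumptions.

```python
import secrets

# Toy group parameters, constructed for illustration only: p = 2q + 1 with q
# prime, and G = 4 generates the order-q subgroup. A real deployment would use
# a 2048-bit or larger prime-order group.
P = 2039
Q = 1019
G = 4


def keygen():
    """Return (secret, public) for one identity: public = G^secret mod P."""
    secret = secrets.randbelow(Q - 1) + 1        # secret exponent in [1, q-1]
    return secret, pow(G, secret, P)


def commit():
    """Prover step 1: choose a fresh nonce r and send t = G^r mod P; keep r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def challenge():
    """Verifier step 2: choose a random challenge c in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1


def respond(secret, r, c):
    """Prover step 3: s = r + c*secret mod q. Reveals nothing about secret
    because r is a fresh uniform nonce."""
    return (r + c * secret) % Q


def verify(public, t, c, s):
    """Verifier step 4: accept iff G^s == t * public^c mod P."""
    return pow(G, s, P) == (t * pow(public, c, P)) % P


def prove_identity(prover_secret, public_expected_by_verifier):
    """One complete identification run between a prover (holding prover_secret)
    and a verifier that only knows the public value it expects. Returns True
    iff the verifier accepts, which happens only when prover_secret matches."""
    r, t = commit()                                   # prover -> verifier: t
    c = challenge()                                   # verifier -> prover: c
    s = respond(prover_secret, r, c)                  # prover -> verifier: s
    return verify(public_expected_by_verifier, t, c, s)


def mutual_login(user_secret, user_public, program_secret, program_public):
    """Mutual verification in the order a login would use it: the program
    proves itself to the user first (so a trojan is caught before the user
    proves anything), then the user proves to the program.
    Returns (program verified by user, user verified by program)."""
    program_ok = prove_identity(program_secret, program_public)
    user_ok = prove_identity(user_secret, user_public)
    return program_ok, user_ok


def simulate_transcript(public):
    """Produce an accepting (t, c, s) for `public` WITHOUT knowing its secret,
    by choosing s and c first and solving for t = G^s * public^(-c). This is
    the zero-knowledge property: an eavesdropper's recording of a real run is
    indistinguishable from something anyone could have made up."""
    c = challenge()
    s = secrets.randbelow(Q)
    public_inv_c = pow(public, Q - c, P)      # public^(-c), since public has order q
    t = (pow(G, s, P) * public_inv_c) % P
    return t, c, s


if __name__ == "__main__":
    login_secret, login_public = keygen()     # genuine login program's identity
    user_secret, user_public = keygen()       # one user's identity
    trojan_secret = (2 * login_secret) % Q    # impostor guessing a different secret

    print("genuine program + user:", mutual_login(user_secret, user_public,
                                                   login_secret, login_public))
    print("trojan program + user: ", mutual_login(user_secret, user_public,
                                                   trojan_secret, login_public))
    t, c, s = simulate_transcript(login_public)
    print("simulated transcript accepted without secret:", verify(login_public, t, c, s))
```

The secrets here are group exponents rather than memorised passwords, so in practice the user's side lives in a client program or token that the trojan cannot read; as the post notes, nothing in this exchange helps against someone reading the screen over the user's shoulder.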