Re: Security - ciphers - autentification

From: Sheer El-Showk (sheerat_private)
Date: Tue Apr 16 2002 - 10:27:15 PDT


    I'm not sure of all your requirements as the document was a little unclear
    but this might address a lot of your needs:
    
    http://www.cs.utexas.edu/users/mcguire/software/horatio/
    
    Generally what you're talking about sounds like a great candidate for
    public/private key cryptography.  I don't even know why you need dedicated
    hardware ... at most you need to authenticate once per session (where a
    session is a borrowed IP address) so even if you used a 2048 bit key it
    should be manageable.
    
    The simplest solution (though a little insecure since a web server is a
    complicated piece of software and hence introduces possible compromises)
    is a web server on the firewall or on a trusted, secure host inside the
    firewall (with only encrypted HTTP access allowed).  The user logs onto
    the web server (you can even have a second layer of username/password
    authentication) and it challenges them with a randomly generated string.
    They encrypt it on their local box via some simple customer code you give
    them and then cut and paste the response into the web server.  If the
    string is encrypted using the private key associated with a trusted
    public key on the web server then the web server writes new entries in a
    local database corresponding to the user's IP (and timestamps it).  A pull
    based client on the firewall regenerates firewall rules every five minutes
    or so by reading them out of the database.
    
    A daemon process watches entries in the database and removes them after a
    time interval (this might be done a better way using a log on the firewall
    and then scanning it for idle times).
    
    The main concern with this kind of setup is users coming in from behind a
    proxy (particularly a company wide one) open up your network to everyone
    behind that proxy.  The only route around that I can imagine is to use
    something like a VPN which will actually build a secure tunnel.
    
    Regards,
    Sheer
    
    On Tue, 16 Apr 2002, Raymond Paskvyl of Unreal wrote:
    
    > Hi there :o)
    >
    >     I have to make a 'server authentication' thingy. For several reasons,
    > it has to be made by ourselves - _everything_. We can't use any form of
    > any library (because we will run at some weird CPUs etc.).
    >
    >     Our server has a strong IP-based firewall. One open port (available to
    > any IP address) should 'authorize' user -> enable user to connect to
    > services through firewall (and process 'real' authentication). Of course,
    > it is 'not' the only authentication, but 'low level' filter. Services
    > behind this firewall are available only to 'known' (authenticated) IP
    > addresses. Every user which should connect into services has a small 'key
    > generator' (one-chip CPU based thingy - card) or a program, which will do
    > authentication automatically. Authentication has to be unique every time.
    > We have to count with the fact that valid user is watched, keys are
    > logged, communication sniffed. Communication with services is done by
    > public key cryptography.
    >
    > My question: What should be the best way how to do this ? It is not
    > enough to start public key crypto at the start and authenticate by
    > user/pass or something similar. It is also not enough to use some private
    > key based auth - because we have to count, that 'host' computer can
    > 'store' everything.
    >
    > Right now, I am going this direction (what do you think):
    >
    > On server, on some port sits small program. This program is doing
    > 'authentication' itself. The protocol should be pretty simple. It responds
    > to any IP address. Works in 'raw' format (like POP protocol)
    >
    > 0. User sends implementation version (server does not send any banner) - if
    > server can't communicate, connection fails
    > 1. User sends 'user name/class' - server verifies if user can come from
    > this IP address (defined in config on server - dialups, some users should
    > come from anywhere, etc.)
    > 2. Server sends to user some 'random' number, user has to 'reply' with the
    > same number (just to see if communication really works)
    > 3. If successful, server sends encrypted 'question' to user (cipher based
    > encrypt)
    > 4. User replies with encrypted answer (for every user different)
    > 5. If OK (reply matches user) server inserts line in firewall (for some
    > period of time) -> IP allowed to services
    > 6. User is allowed to use services -> every service has own/another
    > authentication - this is just 'access' to services in general
    >
    > or
    >
    > 1. User connects by https to "public" first
    > 2. Server asks him for question (~10 letters+number, no more)
    > 3. User replies with some answer (read from authentication device)
    > 4. like 6
    >
    > or
    >
    > 1. User boots up his work computer (Win 9x in many cases :(
    > 2. User writes pin to auth program / some users have to use 'device' - not
    > only PIN (if they are "stupid" and they should be affected by some
    > trojan/vir/...)
    > 3. like 6
    >
    > It of course doesn't solve any way trouble with proxies, routers, etc.
    >
    > 'Question/Answer' should be ask for some 'dictionary' based thingy (server
    > should remember what were asked - like 'seek to position ABC read XYZ
    > bytes - few cycles) in combination with time and few other things. It
    > means, every user has 'randomly generated bunch of data' in its
    > authentication device (encrypted by pin) and server holds copy of data.
    > Question will be every time unique. Doesn't matter, if someone sniffs
    > connection/logs keys/watches keyboard. Am not going to use public crypt
    > because it costs time to implement at chip we will use (or is any algo
    > (RSA kind) really simple to implement ?) - public key crypto should be
    > best solution probably.
    >
    > The point is to have fast solution, but with reasonable security. There are
    > several 'user classes' - some connection by modem, some from fixed IP
    > addresses, sometimes from 'inet coffee' or 'hotel connections' and similar
    > [so, we can't trust to connection itself in any form]
    >
    > What do you think about this problem in general ? And about this 'way' ?
    >
    > What cipher encryption you recommend ? (3DES, RC6, TwoFish, BlowFish,
    > CAST-128/256, ...) Cipher is not really needed, so, it is just to make it
    > 'more precise'.
    >
    > It is not important, but server OS is BSD based system, user OS
    > unixes/linuxes and windoze (mainly). Authentication chip looks like small
    > card with 'keyboard' (calculator). It also authenticates user for other
    > services (different way).
    >
    > Any idea, how to well-protect from 'stolen' auth device/program ? (except
    > startup up pin and crypt "dictionary").
    >
    > Dictionary should be whatever, bunch of random numbers, some algo,
    > whatever.
    >
    > Or am I too paranoid ?
    >
    > Thanx for comments,
    > Best regards,
    > Lada 'Ray' Lostak
    > Unreal64 Develop group
    > http://www.unreal64.net
    >
    >
    >
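
The gate described in the reply above (random challenge, response checked against a trusted public key, timestamped IP entry, periodic expiry), as an added example that is not part of the original message or anyone's posted code. Assumptions: Ed25519 from the Go standard library stands in for the unspecified public-key algorithm, in-memory maps stand in for the database, and the names `Challenge`, `Respond`, `Rules`, the user `alice` and the address 192.0.2.10 are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

var trusted = map[string]ed25519.PublicKey{} // user -> trusted public key
var pending = map[string][]byte{}            // user -> open challenge
var allowed = map[string]time.Time{}         // source IP -> time of grant
const ttl = 30 * time.Minute                 // lifetime of a grant (assumed value)

// Challenge returns a fresh random string, or nil for an unknown user.
func Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil || trusted[user] == nil {
		return nil
	}
	pending[user] = c
	return c
}

// Respond checks the signed challenge and always discards it (no replay).
func Respond(user, ip string, sig []byte, now time.Time) (ok bool) {
	if c, open := pending[user]; open && ed25519.Verify(trusted[user], c, sig) {
		allowed[ip], ok = now, true
	}
	delete(pending, user)
	return ok
}

// Rules is the periodic pull: expire old grants, return IPs still allowed.
func Rules(now time.Time) (ips []string) {
	for ip, t := range allowed {
		if now.Sub(t) > ttl {
			delete(allowed, ip)
			continue
		}
		ips = append(ips, ip)
	}
	return ips
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key
	trusted["alice"] = pub
	fmt.Println(Respond("alice", "192.0.2.10", ed25519.Sign(priv, Challenge("alice")), time.Now()))
}
```

The grant is keyed on the source address alone, so the proxy concern raised in the reply applies unchanged: every host behind the same address inherits the grant until it expires.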
    



    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 15:57:11 PDT