>I'm not sure of all you requirements as the document was a little unclear >but this might address a lot of your needs: > >http://www.cs.utexas.edu/users/mcguire/software/horatio/ It is my mistake - I will try to 'repeat' it more carefully. Horatio is something what I need (yup :o) _BUT_ .... I will try to split into 2 things: 1. 'Design' - HOW it should work 2. 'Program' HOW it internally works (which algos, etc.) - let's talk about (2) when (1) will be clear :) So, first I will try to define 'what' we have: 1. Server with some services (emails/busines things/web pages/shared information system/etc.) 2. Some of these services are PUBLIC some are PRIVATE 3. Public services are avilable throw public 'web' (public domain) 4. Private services are avilable throw private 'server' (private domain) 5. There is a ONE server, lisenning on more IP addresses (pub/priv) - many information are shared 6. Before server is firewall (separate machine) 7. Everything run BSD systems 8. private/public services sharing 'one' database, but I created more 'views' on database (more physical databases, more physical users with restricted rights) - so, if there will be security trouble (and I think the best way how to make something secure is presume, it is 'not' secure itselfs :) there can't be easily readed other 'tables' 9. Many services all the time check 'destination' address - and physically will not work if accessed from 'public' address 10. Many of 'shell' programs are 'trojans' - such as shells, etc. (on standard paths) - they 'run' but doesn't do nothing, just send us someone runs them (and automaticly (after some time, first time it logs what attacker is doing) ban user on firewall) 11. I can't prevent good hacker. But there are not much good hackes. Majority of attacks are by script kiddies, and I want to prevent mainly them. If someone will want to break in, he will do. It is only question of time. No more. There is no security at all.... This is 'server side'... Now user side... 1. Users can connect from dangerous places - inet coffies, hotels etc. _OR_ 'work place' 2. With dangerous places, we have to calculate, that: a. user can't run any external program (downloaded, or from CD, whatever) b. keyboard is logged c. connection is sniffed d. user is 'watched' by other ppl e. in this case, 99% of connections will be from windoze world f. some 'virus/trojan' is active 3. With 'work' place we should calculate: a. there are running windoze 9x (95/98/ME) - hell for security b. some % of users are running UNIX based OS (mainly BSD or Linux clones) c. user can have some 'pernament' program authorizing And what I need: 1. Something what doesn't require 'program' to authorize but keep security (dangerous places) 2. Something what will allow using some 'program' to pernament authorizing (work places) 3. Will be simple to create 4. Will allow 'parthers'... it means: a. some users will be from our company - they're OK - we can give them notebook - whatever b. some users (~70%) will be from parthers companies (important/big one only) - they can log into system and use 'some allowed parts' (like check support for known bugs, etc etc. - these informations are NOT pulic - but not for parthers - and it is more complicated - different pather can go to different level of internal infos) - so, we need something what we can easily 'distribute' And where it will run: 1. Some X86 and PPC based CPU's - windoze/unixes (so, it have to be easily portable) 2. On special one-chip based CPU's - probably (see down) My biggest problem is: HOW to authorize user from 'dangerous' place ? There are several ways ho to do it: 1. Password based auth (user/login basically - or some form) 2. Private key based auth (symmetric cryptography) 3. Public key based auth (asymmetric cryptography) 4. Body human based auth (finger print generated access key, etc.) 5. Some other big system (such as Kerberos, whatever) and/or in combination with VPN 6. Some combination 1-4 with 'floating' code Because we have to run on 'dangeours' places, where we can't put our technology at all (or trust), we can remove 5 (requires instalation/configuration). Then we can remove 4 (too expensive to create tenths human metters) and 1 (it is not secure at all - doesn't matter of connection will be throw SSL - keys can be loged). Not in all cases can manager use his own notebook. Sometimes he need to access 'someone else computer' or 'hotel network' (and keep notebook on room when going out) or 'special inet computer' which are often in hotels (computer dediacted only for inet conenction I mean). And competition never sleeps :o) Did I miss something ? Remainder is (a)symetric cryptography with floating code. Because or 'dangerous' places (no trust), we need floating code. It is not enough to bring own private key on some media (CD-rom, floppy, flahs memory card, ...). Because it can be stollen.... Or I can't imagine scenario, where we will use asymetric cryptography (ofcourse, good choice) - without danger of stoling my key. We have to TRUST to browser (majority cases IE hehe) - that if I will delete key, it will be REALLY delete or encrypted with strong algo. We have to trust to OS - if IE will 'delete' key, OS will really remove from media, etc.... Why we need dangerous places ? Because many of our businesmans are traveling accross various states, and they need to 'stay in'. Check emails, give tasks to other employments, update some parts of web, login to 'busines' system, etc. (all done throw HTML (require some browser) and SSL/HTTPS). So, HOW to autentificate user at all ? I get following "idea" (not idea at all, just one of way where to go) - and I ask, what do you think about it... Every user have small credit-card like 'computer' - small keyboard, verry small display - 'autentification device'. I am system programmer (drivers, engines)/HW developer, so, I will have to do this work... 'dangerous scenario' 1. User connects to https://server/auth (works for everyone) 2. User switch on his auth-device (put some pin - internal datas are encrypted by some algo), it show him some 'number' (generated for date/time/user) -> server recognize user name and verify, if user can some from this IP address (stored on server) 3. User logs to server by his username and this generated number as password -> now 'auth' really starts - this also prevent 'running out of dictionary' (see down) and DOS attack to auth system (I don't mean DOS to HTTP server) 4. Server shows to him some text (a-z 1-0) - user write to its device - text is ~8-10 chars long 5. User reply by another generated number 6. Server inserts for some period his IP to firewall 7. User can connects to 'server' (all over ssl ofcoruse) - like https://private.server.com 8. User (on end of work) or server (timeout) removes its IP address from firewall 9. Auth device should also work for 'services' - instead of 'password' should be always used some 'generated' text - because if there will be some proxy, whatever, and user watched/key loged, someone un-authorized can log into system 10. In 'text' will be coded (by symetric cipher for ex.) 'question' like: word on line 50 row 40 (so, some of "dictionary" - different form than this simple one, but still dictionary) -> server/auth-device have 'common' dictionary, server remembers what data were asked 'work scenario' 1. User boots up system - if secure one (Unixes) - it automaticly auth on server 2. On not well secure OS (Windoze) it asks for 'password' (and also for some users will be required steps 2/3 from dangerous) 3. In some time periods program repeats auth (or server will remove entry from firewall) - prevent system fall down (specically for 9x :o) 4. On session end, program removes entry from firewall Note: I do not compare unix/windoze (secure/stupid/...) I mean: someone using UNIX will (for sure) know what security is and his OS will be 'protected' well. Users running windoze... You know, it is not "easy" to create/keep this OS 'secure' (any OS at all) - and total majority of users don't know how..... And you know .... :) This is what I need.... Now I will try to comment yours replies (thanx for them): ==================================== >I'm not sure of all you requirements as the document was a little unclear >but this might address a lot of your needs: > >http://www.cs.utexas.edu/users/mcguire/software/horatio/ > I hope now I make it more clear. Sorry :) Horation is something what 'we are creating' - so, we may use it, but it doesn't solve (or I am miss ?) our 'dangerous' places - I didn't find any other secure way, how to auth from dangerous places, except some 'auth device'.... >Generally what you're talking about sounds like a great candidate for >public/private key cryptography. I don't even know why you need dedicated >hardware ... at most you need to authenticate once per session (where a >session is a borrowed IP address) so even if you used a 2048 bit key it >should be managable. Because, HOW I will 'use' my private key ? I have to 'put' into 'host' computer, throw which one I am going to administrate something (check emails, update some web, put tasks to emplyments, ....) -> it can be really easily STOLEN. Or any other way how to protect it ? >The simplest solutions (though a little insecure since a web server is a >complicated piece of software and hence introduced possible compromises) True. That's why there is firewall, views on database, separate machines. It doesn't make 'secure' thing (it doesn't exist IMHO) but increases a bit 'global security'.... >is a web server on the firewall or on a trusted, secure host inside the >firewall (with only encrypted HTTP access allowed). The user logs onto >the web server (you can even have a second layer of username/password >authentication) and it challenges them with a randomly generated string. Yes. >They encrypt it on their local box via some simple customer code you give >them and then cut and paste the response into the web server. If the >string is encrypted using the private key associated with a trusted >public key on the web server then the web server writes new entries in a >local database corresponding to the users IP (andtimestamps it). A pull >based client on the firewall regenerates firewall rules every five minutes >or so by reading them out of the database. The trouble is 'local box'. It need to be SMALL AS POSSIBLE. We are doing in commnucations devices (wirelees devices - 2-30+GHz, laser devices, network connectors/converters/etc.). Imagine situation, where businesman is somewhere - on busines meet. They are about to create some agreement. Bigger one. And now he need to online query something: How fast we can supply requested amount of devices ? He have to login into 'private' system - to ask some developer, look on 'bug lists' or check manufacturing. Whatever. In some cases, he can have his notebook and connect to network (not best solution, because you have to apply new network parametres -> sometimes can occur troubles, second side have to call 'admid' for network params, businsman doesn't need to be good in adminisrating network, whatever....). Or he can use some wirelees/phone connection (not all the time will work...). Or he can use parther's computer to get information. The fastest/best way. And we are comming to point: For them is the best choice 'small' dedicated HW to autentificate. And next thing - I explained above 'parthers'... It is not easy to give notebook to EVERYONE or TRUST to key pair which we will give to them. But it is easy to give them small 'calculator' :o) >A daemon process watches entries in the database and removes them after a >time interval (this might be done a better way using a log on the firewall >and then scanning it for idle times). Yup. >The main concern with this kind of setup is users coming in from behind a >proxy (particularly a company wide one) open up your network to everyone >behind that proxy. The only route around that I can imagine is to use >something like VPN which will actually build a secure tunnel. All services itselfs are based on 'HTTPS' at all (thin client). I belive, HTTPS with 'generated' keys (so, no private key for auth) should be 'enough', if server will require at least 128 bits. And we can assume browser is cappable to use https/128. On 'work' computers, we are allready using secure tunnels (just simple SSL layer - stunnel - you know this thingy I guess). VPN itselfs requires some 'instalation' and 'configuration' - and it is something, what I want prevent (if possible). All the time, we have to mix together few things: 1. Money required to build 'auth' 2. Money required to 'add' someone into ring 3. Security 4. Time 5. Time/Money for every 'connection' 6. Technical knowledge of 'end' users I personally thing, that small dedicated HW (which will cost ~$15 per unit) fill majority of need well. Anyway, it is why I select small CPU not some USB existing device. By use some existing USB/COM device (Flash card, CPU, ...), we have to 'write' SW which will access it - and we have to do it for X opearing systems/browsers - ActiveX for IE, etc. In the result, 'HW/OS' indepenend piece of HW will cost lees. SW itselfs to read these devices is simple, but have to be done 'x' times.... The best solution - send auth to mobile phone/pages can't be used, because of speed :( [cross-country] Thanx for your time, Have a nice day, Best regards, Lada 'Ray' Lostak Unreal64 Develop group http://www.unreal64.net
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 08:10:47 PDT