RE: Security - ciphers - autentification

From: Cushing, David (David.Cushingat_private)
Date: Wed Apr 17 2002 - 08:41:03 PDT

    Ray,
    
    Have you looked at the feasibility of using an established solution like
    RSA SecurID instead of creating your own?  
    
    Are you really planning on building your own custom calculators and
    encryption mechanisms?  Not only does this strike me as unsafe, but I
    doubt it would be cost effective.
    
    The only way I could see this as a reasonable approach is if you were
    trying to come up with a sellable product that would compete with the
    likes of RSA.  But it sounds like your product is the services on your
    web site, not key tokens and safe crypto.
    
    Regards,
    David
    
    > -----Original Message-----
    > From: Lada 'Ray' Lostak [mailto:rayat_private]
    > Sent: Wednesday, April 17, 2002 3:21 AM
    > To: secprogat_private
    > Subject: Re: Security - ciphers - autentification
    > 
    > 
    > >I'm not sure of all your requirements as the document was a
    > >little unclear, but this might address a lot of your needs:
    > >
    > >http://www.cs.utexas.edu/users/mcguire/software/horatio/
    > 
    > It is my mistake - I will try to 'repeat' it more carefully.
    > Horatio is something that I need (yup :o) _BUT_ ....
    > 
    > I will try to split it into 2 things:
    > 
    > 1. 'Design' - HOW it should work
    > 2. 'Program' - HOW it internally works (which algos, etc.) -
    > let's talk about (2) when (1) is clear :)
    > 
    > So, first I will try to define 'what' we have:
    > 
    > 1. Server with some services (emails/business things/web pages/shared
    > information system/etc.)
    > 2. Some of these services are PUBLIC, some are PRIVATE
    > 3. Public services are available through the public 'web' (public domain)
    > 4. Private services are available through a private 'server'
    > (private domain)
    > 5. There is ONE server, listening on more IP addresses (pub/priv) -
    > much information is shared
    > 6. In front of the server is a firewall (separate machine)
    > 7. Everything runs BSD systems
    > 8. Private/public services share 'one' database, but I created more
    > 'views' on the database (more physical databases, more physical users with
    > restricted rights) - so, if there is security trouble (and I think the
    > best way to make something secure is to presume it is 'not' secure
    > itself :) other 'tables' can't be easily read
    > 9. Many services check the 'destination' address all the time - and
    > physically will not work if accessed from a 'public' address
    > 10. Many 'shell' programs are 'trojans' - such as shells, etc. (on
    > standard paths) - they 'run' but don't do anything, just send us that
    > someone runs them (and automatically (after some time, first it logs what
    > the attacker is doing) ban the user on the firewall)
    > 11. I can't prevent a good hacker. But there are not many good hackers.
    > The majority of attacks are by script kiddies, and I want to prevent
    > mainly them. If someone wants to break in, he will. It is only a
    > question of time. No more. There is no security at all....
    > 
    > This is the 'server side'... Now the user side...
    > 
    > 1. Users can connect from dangerous places - inet cafes, hotels etc.
    > _OR_ the 'work place'
    > 2. With dangerous places, we have to calculate that:
    >     a. the user can't run any external program (downloaded, or from CD,
    > whatever)
    >     b. the keyboard is logged
    >     c. the connection is sniffed
    >     d. the user is 'watched' by other ppl
    >     e. in this case, 99% of connections will be from the windoze world
    >     f. some 'virus/trojan' is active
    > 3. With the 'work' place we should calculate:
    >     a. windoze 9x (95/98/ME) is running - hell for security
    >     b. some % of users are running a UNIX based OS (mainly BSD or Linux
    > clones)
    >     c. the user can have some 'permanent' authorizing program
    > 
    > And what I need:
    > 
    > 1. Something that doesn't require a 'program' to authorize but keeps
    > security (dangerous places)
    > 2. Something that will allow using some 'program' for permanent
    > authorizing (work places)
    > 3. Will be simple to create
    > 4. Will allow 'partners'... it means:
    >     a. some users will be from our company - they're OK - we can give
    > them a notebook - whatever
    >     b. some users (~70%) will be from partner companies (important/big
    > ones only) - they can log into the system and use 'some allowed parts'
    > (like checking support for known bugs, etc. etc. - this information is
    > NOT public - but not for partners - and it is more complicated -
    > different partners can go to different levels of internal info) - so,
    > we need something that we can easily 'distribute'
    > 
    > And where it will run:
    > 
    > 1. Some X86 and PPC based CPUs - windoze/unixes (so, it has to be
    > easily portable)
    > 2. On special one-chip based CPUs - probably (see below)
    > 
    > My biggest problem is: HOW to authorize a user from a 'dangerous'
    > place? There are several ways to do it:
    > 
    > 1. Password based auth (user/login basically - or some form)
    > 2. Private key based auth (symmetric cryptography)
    > 3. Public key based auth (asymmetric cryptography)
    > 4. Human body based auth (fingerprint generated access key, etc.)
    > 5. Some other big system (such as Kerberos, whatever) and/or in
    > combination with VPN
    > 6. Some combination of 1-4 with a 'floating' code
    > 
    > Because we have to run in 'dangerous' places, where we can't put our
    > technology at all (or trust it), we can remove 5 (requires
    > installation/configuration). Then we can remove 4 (too expensive to
    > create tens of human meters) and 1 (it is not secure at all - it
    > doesn't matter if the connection is through SSL - keys can be logged).
    > Not in all cases can a manager use his own notebook. Sometimes he needs
    > to access 'someone else's computer' or a 'hotel network' (and keep the
    > notebook in the room when going out) or a 'special inet computer' which
    > is often in hotels (a computer dedicated only to inet connection, I
    > mean). And the competition never sleeps :o)
    > 
    > Did I miss something?
    > 
    > The remainder is (a)symmetric cryptography with a floating code.
    > 
    > Because of 'dangerous' places (no trust), we need a floating code. It
    > is not enough to bring your own private key on some media (CD-ROM,
    > floppy, flash memory card, ...). Because it can be stolen.... Or I
    > can't imagine a scenario where we will use asymmetric cryptography (of
    > course, a good choice) - without the danger of stealing my key. We have
    > to TRUST the browser (in the majority of cases IE hehe) - that if I
    > delete the key, it will be REALLY deleted or encrypted with a strong
    > algo. We have to trust the OS - if IE will 'delete' the key, the OS
    > will really remove it from the media, etc....
    > 
    > Why do we need dangerous places? Because many of our businessmen are
    > traveling across various states, and they need to 'stay in'. Check
    > emails, give tasks to other employees, update some parts of the web,
    > log in to the 'business' system, etc. (all done through HTML (requires
    > some browser) and SSL/HTTPS).
    > 
    > So, HOW to authenticate the user at all?
    > 
    > I got the following "idea" (not an idea at all, just one of the ways to
    > go) - and I ask what you think about it... Every user has a small
    > credit-card like 'computer' - small keyboard, very small display - an
    > 'authentication device'. I am a system programmer (drivers, engines)/HW
    > developer, so I will have to do this work...
    > 
    > 'dangerous scenario'
    > 
    > 1. User connects to https://server/auth (works for everyone)
    > 2. User switches on his auth-device (puts in some PIN - internal data
    > is encrypted by some algo), it shows him some 'number' (generated for
    > date/time/user) -> server recognizes the user name and verifies if the
    > user can come from this IP address (stored on the server)
    > 3. User logs in to the server with his username and this generated
    > number as password -> now the 'auth' really starts - this also prevents
    > 'running out of dictionary' (see below) and DOS attacks on the auth
    > system (I don't mean DOS on the HTTP server)
    > 4. Server shows him some text (a-z 1-0) - user writes it into his
    > device - the text is ~8-10 chars long
    > 5. User replies with another generated number
    > 6. Server inserts his IP into the firewall for some period
    > 7. User can connect to the 'server' (all over SSL of course) - like
    > https://private.server.com
    > 8. User (at the end of work) or server (timeout) removes his IP address
    > from the firewall
    > 9. The auth device should also work for 'services' - instead of a
    > 'password' some 'generated' text should always be used - because if
    > there is some proxy, whatever, and the user is watched/key logged,
    > someone unauthorized can log into the system
    > 10. In the 'text' will be coded (by a symmetric cipher for ex.) a
    > 'question' like: word on line 50 row 40 (so, some sort of "dictionary"
    > - a different form than this simple one, but still a dictionary) ->
    > server/auth-device have a 'common' dictionary, the server remembers what
    > data was asked
    > 
    > 'work scenario'
    > 
    > 1. User boots up the system - if a secure one (Unixes) - it
    > automatically auths on the server
    > 2. On a not well secured OS (Windoze) it asks for a 'password' (and
    > also for some users steps 2/3 from 'dangerous' will be required)
    > 3. At some time periods the program repeats the auth (or the server
    > will remove the entry from the firewall) - prevents system fall down
    > (specifically for 9x :o)
    > 4. On session end, the program removes the entry from the firewall
    > 
    > Note: I do not compare unix/windoze (secure/stupid/...). I mean:
    > someone using UNIX will (for sure) know what security is and his OS
    > will be 'protected' well. Users running windoze... You know, it is not
    > "easy" to create/keep this OS 'secure' (any OS at all) - and the total
    > majority of users don't know how..... And you know .... :)
    > 
    > This is what I need.... Now I will try to comment on your replies
    > (thanx for them):
    > 
    > ====================================
    > 
    > >I'm not sure of all your requirements as the document was a
    > >little unclear, but this might address a lot of your needs:
    > >
    > >http://www.cs.utexas.edu/users/mcguire/software/horatio/
    > >
    > I hope now I make it more clear. Sorry :)
    > 
    > Horatio is something that 'we are creating' - so, we may use it, but it
    > doesn't solve (or am I missing something?) our 'dangerous' places - I
    > didn't find any other secure way to auth from dangerous places, except
    > some 'auth device'....
    > 
    > >Generally what you're talking about sounds like a great candidate for
    > >public/private key cryptography.  I don't even know why you need
    > >dedicated hardware ... at most you need to authenticate once per
    > >session (where a session is a borrowed IP address) so even if you used
    > >a 2048 bit key it should be manageable.
    > Because, HOW will I 'use' my private key? I have to 'put' it into the
    > 'host' computer, through which I am going to administrate something
    > (check emails, update some web, put tasks to employees, ....) -> it can
    > be really easily STOLEN. Or is there any other way to protect it?
    > 
    > >The simplest solutions (though a little insecure since a web server is
    > >a complicated piece of software and hence introduces possible
    > >compromises)
    > True. That's why there is a firewall, views on the database, separate
    > machines. It doesn't make the thing 'secure' (that doesn't exist IMHO)
    > but increases 'global security' a bit....
    > 
    > >is a web server on the firewall or on a trusted, secure host inside
    > >the firewall (with only encrypted HTTP access allowed).  The user logs
    > >onto the web server (you can even have a second layer of
    > >username/password authentication) and it challenges them with a
    > >randomly generated string.
    > Yes.
    > 
    > >They encrypt it on their local box via some simple customer code you
    > >give them and then cut and paste the response into the web server.  If
    > >the string is encrypted using the private key associated with a
    > >trusted public key on the web server then the web server writes new
    > >entries in a local database corresponding to the user's IP (and
    > >timestamps it).  A pull based client on the firewall regenerates
    > >firewall rules every five minutes or so by reading them out of the
    > >database.
    > The trouble is the 'local box'. It needs to be AS SMALL AS POSSIBLE. We
    > are doing communications devices (wireless devices - 2-30+GHz, laser
    > devices, network connectors/converters/etc.). Imagine a situation where
    > a businessman is somewhere - at a business meeting. They are about to
    > create some agreement. A bigger one. And now he needs to query
    > something online: How fast can we supply the requested amount of
    > devices? He has to log in to the 'private' system - to ask some
    > developer, look at 'bug lists' or check manufacturing. Whatever. In
    > some cases, he can have his notebook and connect to the network (not
    > the best solution, because you have to apply new network parameters ->
    > sometimes troubles can occur, the second side has to call the 'admin'
    > for network params, the businessman doesn't need to be good at
    > administrating networks, whatever....). Or he can use some
    > wireless/phone connection (will not work all the time...). Or he can
    > use the partner's computer to get the information. The fastest/best
    > way. And we are coming to the point: For them the best choice is
    > 'small' dedicated HW to authenticate. And the next thing - I explained
    > 'partners' above... It is not easy to give a notebook to EVERYONE or
    > TRUST the key pair which we give to them. But it is easy to give them a
    > small 'calculator' :o)
    > 
    > >A daemon process watches entries in the database and removes them
    > >after a time interval (this might be done a better way using a log on
    > >the firewall and then scanning it for idle times).
    > Yup.
    > 
    > >The main concern with this kind of setup is users coming in from
    > >behind a proxy (particularly a company wide one) open up your network
    > >to everyone behind that proxy.  The only route around that I can
    > >imagine is to use something like VPN which will actually build a
    > >secure tunnel.
    > All services themselves are based on 'HTTPS' (thin client). I believe
    > HTTPS with 'generated' keys (so, no private key for auth) should be
    > 'enough', if the server requires at least 128 bits. And we can assume
    > the browser is capable of using https/128. On 'work' computers, we are
    > already using secure tunnels (just a simple SSL layer - stunnel - you
    > know this thingy I guess). VPN itself requires some 'installation' and
    > 'configuration' - and it is something that I want to prevent (if
    > possible).
    > 
    > All the time, we have to mix together a few things:
    > 
    > 1. Money required to build 'auth'
    > 2. Money required to 'add' someone into the ring
    > 3. Security
    > 4. Time
    > 5. Time/Money for every 'connection'
    > 6. Technical knowledge of 'end' users
    > 
    > I personally think that small dedicated HW (which will cost ~$15 per
    > unit) fills the majority of needs well. Anyway, that is why I select a
    > small CPU, not some existing USB device. By using some existing USB/COM
    > device (flash card, CPU, ...), we have to 'write' SW which will access
    > it - and we have to do it for X operating systems/browsers - ActiveX
    > for IE, etc. In the result, a 'HW/OS' independent piece of HW will cost
    > less. The SW itself to read these devices is simple, but has to be done
    > 'x' times....
    > 
    > The best solution - sending the auth to a mobile phone/pager - can't be
    > used, because of speed :( [cross-country]
    > 
    > Thanx for your time,
    > Have a nice day,
    > Best regards,
    > Lada 'Ray' Lostak
    > Unreal64 Develop group
    > http://www.unreal64.net
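A worked model of the quoted 'dangerous scenario' (steps 2 through 8), as an added example that is not code from this thread or from Ray's project: the per-user shared secret, the 60-second time window, the 900-second firewall lifetime and the use of truncated HMAC-SHA256 for both 'generated numbers' are assumptions. It shows the property the design relies on: a login code expires with its time window, the server keeps the challenge it issued and discards it after one use, so a number captured by a keylogger in the hotel cannot be replayed.

```python
import hashlib, hmac, secrets, string

STEP = 60            # width of the time window for the login code (assumed)
GRANT_SECONDS = 900  # lifetime of the firewall entry (assumed)
def _digits(key: bytes, msg: bytes, n: int) -> str:
    """Truncate an HMAC-SHA256 tag to n decimal digits, easy to type by hand."""
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10**n).zfill(n)

class AuthDevice:
    """The offline 'calculator': one per-user secret shared with the server."""
    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret
    def login_code(self, now: float) -> str:
        # step 2: number derived from user + time window, typed as the password
        return _digits(self.secret, f"{self.user}|{int(now // STEP)}".encode(), 6)
    def answer(self, challenge: str) -> str:
        # step 5: reply to the ~8 char text the server displayed
        return _digits(self.secret, challenge.encode(), 8)

class AuthServer:
    def __init__(self):
        self.users = {}    # user -> (secret, allowed source IPs)
        self.pending = {}  # user -> (challenge, ip); single use
        self.granted = {}  # ip -> expiry; stands in for the firewall table
    def enroll(self, user: str, secret: bytes, allowed_ips) -> None:
        self.users[user] = (secret, set(allowed_ips))
    def start(self, user: str, code: str, ip: str, now: float):
        """Steps 2-4: check IP and time code, then issue a fresh challenge."""
        if user not in self.users or ip not in self.users[user][1]:
            return None
        dev = AuthDevice(user, self.users[user][0])
        if not any(hmac.compare_digest(code, dev.login_code(now + d * STEP))
                   for d in (-1, 0, 1)):  # tolerate one window of clock drift
            return None
        chal = "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(8))
        self.pending[user] = (chal, ip)
        return chal
    def finish(self, user: str, response: str, now: float) -> bool:
        """Steps 5-6: verify the reply, consume the challenge, open the firewall."""
        chal, ip = self.pending.pop(user, (None, None))
        if chal is None:
            return False
        expected = AuthDevice(user, self.users[user][0]).answer(chal)
        if not hmac.compare_digest(response, expected):
            return False
        self.granted[ip] = now + GRANT_SECONDS
        return True
    def expire(self, now: float) -> None:  # step 8: drop timed-out entries
        self.granted = {ip: t for ip, t in self.granted.items() if t > now}
```

The device PIN and the encrypted on-device storage from step 2 are left out; they protect the secret at rest on the card and do not change the exchange shown here.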



    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 13:44:13 PDT