The login program has been replaced. It requests a one time password, instead of the reusable password, and then acts the same as the old login. (Well, it does more logging.) One time passwords (OTPs) are generated based on a random secret key, or a key screened by Adam. The list of OTPs is then distributed by email, protected and authenticated with PGP.
Many people, when considering security software, seem to have an urge to run to a vendor, who will send in a bunch of smart sounding guys with short hair and suits, who will swear on their mother's grave that their product is 110% secure. And then they will give you a manual and some disks (in exchange for lots of money), and you trust these guys, and the people in their back room, to have written that software 100% correctly.
When you ask about the algorithms used, you discover that they are secret. Otherwise, how could the product be really secure?
Well, fact is, secrecy about the algorithm does not buy security. A really bright attacker can find out about it. You could find out about it, with enough work. A much, much better road to take is to publish the source code. Allow anyone and everyone to read it. Design it so that even when your enemy knows exactly what you did, it will not be possible to use that knowledge in an attack. That is what the products here S/Key and PGP, do. I've read the source to all of S/Key--Its short. I'm confident that if the mathematics work as advertised, the system is secure. I could never say that about vendor supplied software.
"The S/KEY one-time password system provides authentication over networks that are subject to eavesdropping/reply attacks. This system has several advantages compared with other one-time or multi-use authentication systems. The user's secret password never crosses the network during login, or when executing other commands requiring authentication such as the UNIX passwd or su commands. No secret information is stored anywhere, including the host being protected, and the underlying algorithm may be (and it fact, is) public knowledge. The remote end of this system can run on any locally available computer. The host end could be integrated into any application requiring authentication."
"PGP, short for Pretty Good Privacy, is a public key encryption package; with it, you can secure messages you transmit against unauthorized reading and digitally sign them so that people receiving them can be sure they come from you." (Adam adds-- PGP runs on Macs, PC's, Amigas, many flavors of Unix, VMS, and possibly more.)
(The following is excerpted wholesale from the PGP users guide, volume 1, by Philip Zimmermann)
How it Works
It would help if you were already familiar with the concept of cryptography in general and public key cryptography in particular. Nonetheless, here are a few introductory remarks about public key cryptography.Back to Table of ContentsFirst, some elementary terminology. Suppose I want to send you a message, but I don't want anyone but you to be able to read it. I can "encrypt", or "encipher" the message, which means I scramble it up in a hopelessly complicated way, rendering it unreadable to anyone except you, the intended recipient of the message. I supply a cryptographic "key" to encrypt the message, and you have to use the same key to decipher or "decrypt" it. At least that's how it works in conventional "single-key" cryptosystems.
In conventional cryptosystems, such as the US Federal Data Encryption Standard (DES), a single key is used for both encryption and decryption. This means that a key must be initially transmitted via secure channels so that both parties can know it before encrypted messages can be sent over insecure channels. This may be inconvenient. If you have a secure channel for exchanging keys, then why do you need cryptography in the first place?
In public key cryptosystems, everyone has two related complementary keys, a publicly revealed key and a secret key. Each key unlocks the code that the other key makes. Knowing the public key does not help you deduce the corresponding secret key. The public key can be published and widely disseminated across a communications network. This protocol provides privacy without the need for the same kind of secure channels that a conventional cryptosystem requires.
Anyone can use a recipient's public key to encrypt a message to that person, and that recipient uses her own corresponding secret key to decrypt that message. No one but the recipient can decrypt it, because no one else has access to that secret key. Not even the person who encrypted the message can decrypt it.
Message authentication is also provided. The sender's own secret key can be used to encrypt a message, thereby "signing" it. This creates a digital signature of a message, which the recipient (or anyone else) can check by using the sender's public key to decrypt it. This proves that the sender was the true originator of the message, and that the message has not been subsequently altered by anyone else, because the sender alone possesses the secret key that made that signature. Forgery of a signed message is infeasible, and the sender cannot later disavow his signature.
These two processes can be combined to provide both privacy and authentication by first signing a message with your own secret key, then encrypting the signed message with the recipient's public key. The recipient reverses these steps by first decrypting the message with her own secret key, then checking the enclosed signature with your public key. These steps are done automatically by the recipient's software.
Because the public key encryption algorithm is much slower than conventional single-key encryption, encryption is better accomplished by using a high-quality fast conventional single-key encryption algorithm to encipher the message. This original unenciphered message is called "plaintext". In a process invisible to the user, a temporary random key, created just for this one "session", is used to conventionally encipher the plaintext file. Then the recipient's public key is used to encipher this temporary random conventional key. This public-key-enciphered conventional "session" key is sent along with the enciphered text (called "ciphertext") to the recipient. The recipient uses her own secret key to recover this temporary session key, and then uses that key to run the fast conventional single-key algorithm to decipher the large ciphertext message.
Public keys are kept in individual "key certificates" that include the key owner's user ID (which is that person's name), a timestamp of when the key pair was generated, and the actual key material. Public key certificates contain the public key material, while secret key certificates contain the secret key material. Each secret key is also encrypted with its own password, in case it gets stolen. A key file, or "key ring" contains one or more of these key certificates. Public key rings contain public key certificates, and secret key rings contain secret key certificates.
The keys are also internally referenced by a "key ID", which is an "abbreviation" of the public key (the least significant 64 bits of the large public key). When this key ID is displayed, only the lower 24 bits are shown for further brevity. While many keys may share the same user ID, for all practical purposes no two keys share the same key ID.
PGP uses "message digests" to form signatures. A message digest is a 128-bit cryptographically strong one-way hash function of the message. It is somewhat analogous to a "checksum" or CRC error checking code, in that it compactly "represents" the message and is used to detect changes in the message. Unlike a CRC, however, it is computationally infeasible for an attacker to devise a substitute message that would produce an identical message digest. The message digest gets encrypted by the secret key to form a signature.
Documents are signed by prefixing them with signature certificates, which contain the key ID of the key that was used to sign it, a secret-key-signed message digest of the document, and a timestamp of when the signature was made. The key ID is used by the receiver to look up the sender's public key to check the signature. The receiver's software automatically looks up the sender's public key and user ID in the receiver's public key ring.
Encrypted files are prefixed by the key ID of the public key used to encrypt them. The receiver uses this key ID message prefix to look up the secret key needed to decrypt the message. The receiver's software automatically looks up the necessary secret decryption key in the receiver's secret key ring.
These two types of key rings are the principal method of storing and managing public and secret keys. Rather than keep individual keys in separate key files, they are collected in key rings to facilitate the automatic lookup of keys either by key ID or by user ID. Each user keeps his own pair of key rings. An individual public key is temporarily kept in a separate file long enough to send to your friend who will then add it to her key ring.
This does not mean that a line noise-like password will allow you to avoid using S/key; merely that you need a dictionary attack resistant password to use a software client.
The system is compromised if someone has root access to SPL machines, and knows what they are doing. However, even Kerberos wouldn't prevent that.
Remote users could choose to leave the decrypted file of OTPs on disk, or photocopy it and leave it on the copier, or do all sorts of things with it. We try to prevent this via education. However, even if someone does get ahold of the list, and cracks a secret password, it 'only' buys them 80-100 logins. This is not quite so bad as it seems, as we do have other security measures in place, but its time enough to get root access, and be a major pain in the butt.
There are a number of theoretical weaknesses in PGP on multi-user machines, most of which are very difficult to actually exploit in practice. See volume 2 of the PGP users guide for more on these.
The system does not prevent eavesdropping on your sessions, it just prevents people from logging in without proper authorization.
There is a potential for the 'gee-whiz' aspects of the system to prevent or delay intelligent thought about potential vulnerabilities of the system.
© Copyright 1994 Adam Shostack. All rights reserved.