Re: Minimal Authorization

Michael A. Dolan (miked@CERF.NET)
Sat, 13 Aug 1994 10:19:32 -0700

At 08:09 PM 8/12/94 -0400, Stephen D Crocker wrote:
>At the risk of sounding too much like an alarmist and a security
>zealot, passwords in the clear are no longer an acceptable risk. At
>the very least, a challenge-response system is necessary.

I fully expected this response and appreciate your input. "In the clear"
is somewhat vague, though. For example, what if they were simply Base64
(or uuencode, or rot13, or...) encoded ? Then they're not in the clear,
but the "encryption" is keyless and therefore somewhat trivial.

>One useful scheme is S/Key: it's free, easily avaiable and fits into
>the existing paradigms.

Could you provide a pointer ?

>Much stronger schemes are also available, e.g. Kerberos, public key
>systems, etc.

These are overkill for many applications, hence my request. I'm looking
more for the "window latch protection" - it won't keep a determined
burgler out of your house, but it will keep the honest person honest.

>This point has been identified as a critical issue in the security of
>the Internet and highlighted in a recent Internet Architecture Board

I appreciate your input and will hopefully not perpetuate passwords in the
clear (such as TELNET, FTP, etc). How does IETF propose to enhance these
existing protocols ? Surely they won't jump from "clear" to DES and
digital signatures ? Perhaps there is some common ground here ?

Michael A. Dolan - <>
TerraByte Technology (619) 445-9070, FAX -8864