The BBS, knowing your password, sends out a randomly generated
key. It encodes your password using this key and holds onto the
encrypted copy. In the meantime, the user gets the random key,
encrypts his password using it and sends it to the BBS. Remember
that this is one-way encryption - even knowing what the key is (which
is sent as a plain 'hex' string) doesn't help get back to the original
password. The BBS having already done the same one-way encrypt
compares the two and either lets you in or not!!

The only things passing on-air where they may be seen are the key to
the user and the encrypted password back to the BBS. This system
requires the BBS sysop and the user to agree on a password by some
secure method (telephone?) but is simple since there is just the one
password.

This system does not help with the other security issue "has the mail
been tampered with or not" which really needs a PGP checksum/sig
combination but that's another bag of worms altogether.

Cheers all...
--73 de Robin Hub manager gb7ipd
g8ecj.ampr.org. IP 44.131.161.112
Located in Flackwell Heath IO91po
NTS: G8ECJ@GB7TVG.#42.GBR.EU
AmprNet: rttehted@kerailya.tunkki.fi
Internet: fvqhrsl@ulaval.ca
http://www.abmdata.demon.co.uk/g8ecj.htm
Shack: (+44) 1628 533311 Fax: (+44) 1628 533399

-----Original Message-----
From: Mark Cheeseman <ndra@mailit.tunk.net>
To: Ben Kram <cjus@rele.tunk.net>
Cc: damsz@kerailya.tunkki.fi <dxiseiu@mailit.tunk.net>
Date: 02 March 1998 01:00
Subject: Re: Security

One package which looks ideal is OPIE (download from ftp://ftp.inner.net/pub/opie/), which uses one-time passwords for logins through FTP and Telnet daemons (and su). All FTP/Telnet traffic is transmitted unencrypted (hence the need for the modified su), and standard clients can be used. All you need is a secure path (or at least, more secure than amateur radio) to transmit the initiator used to generate the passwords to the user.
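
The challenge-response login described in the first message of this thread, as an added example that is not part of the original thread or of any BBS software. Assumptions: HMAC-SHA-256 stands in for the unnamed one-way function, and the `BBS` class, `response` function, callsign and password are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import secrets


def response(password: str, challenge_hex: str) -> str:
    """One-way combination of the shared password and the on-air key.
    HMAC-SHA-256 is an assumption; the thread names no specific function."""
    key = password.encode("utf-8")
    return hmac.new(key, bytes.fromhex(challenge_hex), hashlib.sha256).hexdigest()


class BBS:
    """Hypothetical BBS side: holds the agreed passwords, issues random keys."""

    def __init__(self, passwords: dict[str, str]):
        self._passwords = passwords
        self._pending: dict[str, str] = {}  # callsign -> outstanding key

    def challenge(self, callsign: str) -> str:
        # Fresh random key per login attempt, sent as a plain hex string.
        key = secrets.token_hex(16)
        self._pending[callsign] = key
        return key

    def verify(self, callsign: str, reply_hex: str) -> bool:
        # pop() makes each key single-use, so a reply recorded off-air
        # cannot be replayed against the same or a later login.
        key = self._pending.pop(callsign, None)
        password = self._passwords.get(callsign)
        if key is None or password is None:
            return False
        expected = response(password, key)
        return hmac.compare_digest(expected.encode(), reply_hex.encode())


def demo() -> dict[str, bool]:
    # Constructed sample data: placeholder callsign and made-up password.
    bbs = BBS({"N0CALL": "agreed-by-telephone"})
    key = bbs.challenge("N0CALL")
    good = response("agreed-by-telephone", key)
    results = {"correct": bbs.verify("N0CALL", good)}
    # Same reply sent a second time: the key has already been consumed.
    results["replayed"] = bbs.verify("N0CALL", good)
    # A new login gets a new key, so the old reply no longer matches.
    bbs.challenge("N0CALL")
    results["stale"] = bbs.verify("N0CALL", good)
    guess = response("guess", bbs.challenge("N0CALL"))
    results["wrong_password"] = bbs.verify("N0CALL", guess)
    return results
```

Calling `demo()` shows that only the reply computed from the agreed password and the current key is accepted; the password itself never appears in anything sent over the air.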