Password security - Another idea

Jim Paradis paradis at maxzilla.Encore.COM
Sat Dec 31 09:16:28 AEST 1988


In article <4497 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>Hiding something indicates that it is dangerous if revealed. It says,
>basically, that encryption technology is inadequate and cannot be made
>to work, the only reasonable protection is secrecy. Do we honestly
>believe this? Or, worse, do we believe that security is attained by
>layering anything we can think of onto the system?

Hi, Barry!

I think there's a subtle point that you're missing here:  there's a
difference between keeping a piece of information SECRET, and
restricting ACCESS to it.  It just so happens that on computers, we
tend to use the same mechanisms to accomplish both.  So keeping a
password database inaccessible (by protections or shadowing or making
it into a kernel object or what-have-you) does NOT imply that the
information contained therein is necessarily a SECRET that must be
hidden, but rather it implies that we need to restrict access to the
information to prevent someone from taking it away and fiddling with
it long enough to eventually break it (by whatever means -- brute-force
cracking, blind luck, sophisticated cryptanalysis, whatever).

Here's an analogy:  Suppose there's a room containing classified
files.  To prevent unauthorized access to the files, a lock is installed
on the door.  Now, if I (unauthorized) wanted to access the information,
I could try to pick the lock.  If I were allowed to sit in front of the
door for as long as I wished, fiddling with the lock and trying various
attacks on it, there's a chance that eventually I'd be able to pick the
lock and access the information.  It may be a very GOOD lock and require
a long time to pick, but eventually I might get lucky.  This is analogous
to the current situation with UNIX password files:  since the file is
world-readable, I can conceivably make a copy of the file, take it home
with me, load it onto my PeeCee, and hack on it at leisure.  I might, by
blind luck, stumble onto some useful passwords that way.

In the case of the locked door, if we want to keep people from hacking
on the lock and restrict the use of the lock to being opened with a proper
key, we can post a guard at the door.  Assuming that the guard cannot be
bribed or otherwise made an accessory to an attack, s/he will prevent
random hackery on the lock.  Similarly, by burying the password information
and restricting access to it, one can prevent random hackery on the
password file.

Oh, all right, I'll admit that it's probably possible to subvert the
guard mechanism as well;  HOWEVER, consider the following:  each "hurdle"
that we place in the way of a cracker has a probability P of being
compromised.  I submit, though, that in a useful system there's no
such mechanism where P=0 (proof left as exercise to the reader 8-)  )
Therefore, the best we can do is come up with a mechanism where P is
(hopefully) quite small.  If there are TWO hurdles to be overcome, then
the probability of the composite mechanism being compromised is P1 * P2.
Thus, by choosing an appropriate set of mechanisms, we can (hopefully)
make the probability of compromise arbitrarily small.  Recognize, though,
that the smaller you make the probability, the more difficult the system
becomes to use.  Therefore, striking a balance between ease of use and
security is a decision that each individual system administrator must
make.


Jim Paradis (paradis at encore.UUCP) 508-460-0500
Devout Secular Humanist and Worshipper of Bacchus in Vintage Years


