[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference noted::seal

Title:	SEAL

Moderator:	GALVIA::SMITH

Created:	Mon Mar 21 1994
Last Modified:	Fri Jun 06 1997
Last Successful Update:	Fri Jun 06 1997
Number of topics:	1989
Total number of notes:	8209

1861.0. "Minor security problem in the authentication proc" by LUX06::GLOESENER () Wed Mar 12 1997 09:15

  Product: AVFWU V2.1

I found this while setting up our firewall for use with the SNK key.
It is only a minor security issue, since the SNK key algorithm is very
good.

If you try to authenticate using telnet and you enter your user -id with
the 'auth' command, you will be chalanged uding a line like:

Command? auth userid
Send response to the following challenge:  2081849
Response?

Now how ever if the user-id is not existing you will have:

Command? auth non-valid-userid
Send response to the following challenge:  
2081849  <----------- 
Response?

The chalange is displayed on a new line giving a hint towards the existance
of the user id. 

Gast Gloesener

T.R	Title	User	Personal Name	Date	Lines
1861.1		CHEFS::espol1.gmt.dec.com::PITT	Gone with the winsock ...	`Wed Mar 12 1997 12:37`	17
	This has been discussed before. There is no right answer, but I believe it is on the list to be fixed in "a future release". The reason that there is no right answer is that if you know that a company only uses one particular type of authentication, then the firewall should always use that sort of challenge. However, unless this can be chosen on a per-installation basis, what's right for one site is wrong for others. At present, the firewall will always do an SNK-type challenge for a non-existent username, but it does it "not quite right". It's very very difficult to come up with a scheme that will not allow the external hacker with no additional information to determine what are valid user-ids and what are not. T
1861.2	I am not sure	LUX06::GLOESENER		`Wed Mar 12 1997 17:52`	7
	By reading .1 I am not sure if I expressed myself correctly in .0: It is only because the challange is displayed on a separate line for non-existing while beginf the query string for existant users that makes the difference and the revealing of valid user-id. Gast.