----- Original Message -----
From: "Wes Peters" <[EMAIL PROTECTED]>
To: "Jon Hamilton" <[EMAIL PROTECTED]>
Cc: "Lyndon Nerenberg" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, February 19, 2000 1:14 AM
Subject: Re: Crypto progress! (And a Biiiig TODO list)

> And how exactly are they supposed to tell the difference between answering
> slowly due to break-in evasion vs. answering slowly because the system is
> a 386sx/16?
>
> You would want to answer all "mistakes" slowly, but valid logins quickly.

yup... and any reasonably malicious software would time out well before that, and try something else... think multi-threaded, with a "work queue" of tester-threads and a few control threads that "think up" the requests... now imagine a distributed system. ;)

i think a better approach might be to "pre-qualify" the requesting host before even looking at the request itself. this could be done with diffie-hellman in a relatively straightforward manner... and then the door is open to symmetric encryption of the entire challenge/response exchange.

if a "qualified" host is ever compromised, and its dh-key becomes known, the malicious user still doesn't have access to any other machines... all she has gained is the right to test login/password combinations herself... (which is already offered in the currently-proposed system.) replay attacks could be thwarted by adding timestamps to the exchange.

unless a "qualified" host's key is compromised, the only method that should be open to our DoS friends is at the protocol level (syn-flooding, pipe-filling, etc.)

...and another idea: if the secure connection is kept up over a period of time, additional authentications could be performed... the log information could also be routed over the connection... the authentication server would also have a simple method of determining whether a given host is up or down: do i have a connection, or not?

just a thought.

- jason allum

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
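The pre-qualification scheme sketched in the post above (a Diffie-Hellman derived key per host, a timestamped exchange, and rejection of replays), as an added Python example that is not part of the original thread or of any FreeBSD code. It authenticates the exchange with an HMAC under the DH-derived key rather than encrypting it, and the toy DH modulus, the per-request nonce and the 30-second freshness window are assumptions made for the demonstration:

```python
import hashlib
import hmac
import secrets
import struct

# Toy Diffie-Hellman group so the example runs offline; a real deployment
# would use a standard large safe-prime group, not this modulus.
P = 2**127 - 1
G = 5
REPLAY_WINDOW = 30  # seconds a timestamped request stays acceptable (assumed)


def dh_keypair():
    """One side's DH private exponent and the public value it sends."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive the per-host symmetric key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def seal_request(key, payload, now):
    """Client side: timestamp + fresh nonce + payload, tagged under the key."""
    body = struct.pack("!Q", int(now)) + secrets.token_bytes(16) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthServer:
    """Looks at a request only after the sending host proves it holds the key."""

    def __init__(self, key):
        self.key = key
        self.seen = set()  # nonces already accepted; prune entries older than the window

    def accept(self, msg, now):
        body, tag = msg[:-32], msg[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: not from a qualified host"
        ts = struct.unpack("!Q", body[:8])[0]
        nonce = body[8:24]
        if abs(int(now) - ts) > REPLAY_WINDOW:
            return "reject: stale timestamp"
        if nonce in self.seen:
            return "reject: replay"
        self.seen.add(nonce)
        return "accept"
```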

