On Mon, Sep 09, 2002 at 08:36:58PM -0400, iudicium ferat wrote:
[reformatted a bit for clarity]
> 1) IP-based matching is done: only a certain internal sub-net is
>    able to connect.

Better hope that your attacker isn't an insider, then.

> 2) Next, mainframe authentication (userid/passwd) is done between
>    two machines that are 15 feet apart - and that are not on the
>    public Internet.

``Mainframe Authentication''? Are the passwords stored in plaintext on the
server? Do they travel in plaintext or repeatable form over the wire? How can
the machine requesting the auth from the mainframe be *sure* it's talking to
the mainframe? 99% of hackers are insiders.

> 3) After the hand-shake, then a userid lookup table located on the
>    server (which is only readable by www server ID and only writable
>    by root via cron - and then must be eye-balled by a human) is read
>    to determine the appropriate access level.

Seems reasonable; of course, it does mean that if you have a remote root then
all bets are off.

> 4) The system menu is created based upon this ID.

Are you sure that there's no way to trick it?

> 5) The security bit contains these items: cookie, time-based, and
>    one-way crypt'ed access key -- this is

Can both ends believe that this access key was fresh? (i.e. can both recreate
it, and know that there was something in there that must have been new, e.g. a
random nonce that they supplied or a timestamp?) What algorithm are you using
for the ``one-way crypt''? If you're using crypt(3), be warned that it's
breakable in about a day on a reasonable machine, and easily parallelisable.

> 6) then Matched to an IP/UserID timed cookie on the server (one
>    which expires if the user waits too long.)

Do you make sure that the hash verifies?

> 7) The security bit sent to the user MUST match the security bit
>    stored securely on the server.

If I see a message (U,t,k) go past me on the wire, as a cookie, then I'm going
to simulate a network fault, disconnecting the user, but not the server. I'm
then going to send the cookie (U,t,k) and, having faked the IP address too
(this is doable with access to just one of the routers in between the networks
in question), I can get into your system.

> That's it. I wrote the whole 1,750 line program about 3 months

Why not use something peer-reviewed like SSL with certificate/key client
authentication? You still need to authenticate against the mainframe, and
there are perhaps better ways of doing that, but it strikes me you're trying
too hard to justify what you've done.

MBM

-- 
Matthew Byng-Maddick <[EMAIL PROTECTED]> http://colondot.net/
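
Added example (not part of the original message, and not the code either poster describes): a Python version of the freshness and hash-verification checks the reply asks about under points 5 to 7. It swaps crypt(3) for HMAC-SHA256 and adds a server-chosen single-use nonce; `SessionStore`, the cookie field names and the 300-second lifetime are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, time

class SessionStore:
    """Server side: issues (U, t, n, k) cookies; each is accepted once only."""

    def __init__(self, key=None, ttl=300):
        self.key = key or secrets.token_bytes(32)  # server-only secret (assumed)
        self.ttl = ttl                             # cookie lifetime in seconds (assumed)
        self.unused = set()                        # nonces issued but not yet presented

    def _mac(self, user, ip, t, nonce):
        # JSON framing keeps field boundaries unambiguous before MACing.
        msg = json.dumps([user, ip, t, nonce]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, user, ip, now=None):
        t = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)              # fresh value chosen by the server
        self.unused.add(nonce)
        return {"U": user, "t": t, "n": nonce, "k": self._mac(user, ip, t, nonce)}

    def verify(self, cookie, ip, now=None):
        """Return (status, next_cookie); next_cookie is set only when status is 'ok'."""
        now = int(time.time() if now is None else now)
        expected = self._mac(cookie["U"], ip, cookie["t"], cookie["n"])
        if not hmac.compare_digest(expected, cookie["k"]):
            return "bad-mac", None                 # forged, altered, or wrong source IP
        if now - cookie["t"] > self.ttl:
            self.unused.discard(cookie["n"])
            return "expired", None
        if cookie["n"] not in self.unused:
            return "replayed", None                # valid MAC, but already presented
        self.unused.discard(cookie["n"])
        return "ok", self.issue(cookie["U"], ip, now)

if __name__ == "__main__":
    store = SessionStore()
    c = store.issue("alice", "10.0.0.5")           # constructed sample values
    print(store.verify(c, "10.0.0.5")[0])          # first presentation
    print(store.verify(c, "10.0.0.5")[0])          # same cookie sent again
```

A cookie captured on the wire after the user has presented it comes back as `replayed`; one captured before its first use is still accepted, so the cookie also needs an encrypted transport such as the SSL the reply suggests.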