Background
Network security is a big issue within the University. The Computer
Laboratory (T&R) prohibits remote access to its computers unless prior
consent has been given. This is inconvenient.
A one time password system for rlogin-ing into a machine would
probably be adequate. In commercial systems such a password is usually
sourced from a device similar in shape, size and component complexity
to a pocket calculator. However, such a device costs a
significant amount of money and can easily be lost.
Proposal
A paper based one time password system is proposed. The user of the
system would carry around a single A4 sheet printed on both sides
which forms a code book. This code "book" would be valid for,
say, one month or 50 accesses, whichever comes sooner. It could be
used in the following challenge-response scenario:
- user types "rlogin gateway-host -l userID"
- machine asks for a conventional password which the user duly
enters
- machine replies with a series of alphanumeric quintuples
- user looks up quintuples in the code book and responds
accordingly
Time constraints could be added to this process. For example, the
user may only be allowed three attempts to login per hour.
In case the user loses a code book there should be a mechanism to
withdraw the book from circulation. This could be provided by a web
page hooked to an appropriate CGI script.
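A small model of the whole scheme (code book generation, the challenge-response steps, the three-attempts-per-hour limit, the 50-access/one-month lifetime and withdrawal of a lost book), added here as an illustration and not part of the original proposal. The HMAC-SHA256 derivation of responses from a per-user secret, the 200-entry book size and the three-quintuple challenge are assumptions.

```python
import hmac, hashlib, secrets, string

ALPHABET = string.ascii_uppercase + string.digits      # quintuples are alphanumeric
BOOK_SIZE = 200                          # assumed: pairs printed on one A4 sheet
MAX_ACCESSES, LIFETIME = 50, 30 * 86400  # 50 accesses or ~one month (seconds)
MAX_ATTEMPTS, WINDOW = 3, 3600           # three login attempts per hour

def quintuple(data: bytes) -> str:
    """Map five bytes to a five-character alphanumeric group."""
    return "".join(ALPHABET[b % len(ALPHABET)] for b in data[:5])

def response_for(secret: bytes, challenge: str) -> str:
    # Assumed: responses derive from a per-user secret, so the server can
    # regenerate the sheet from the secret instead of storing a copy of it.
    return quintuple(hmac.new(secret, challenge.encode(), hashlib.sha256).digest())

def print_code_book(secret: bytes, n: int = BOOK_SIZE) -> dict:
    """The table the user carries: challenge quintuple -> response quintuple."""
    book = {}
    while len(book) < n:
        c = quintuple(secrets.token_bytes(5))
        book[c] = response_for(secret, c)
    return book

class Book:                     # server-side record for one issued sheet
    def __init__(self, secret: bytes, issued: int):
        self.table, self.issued = print_code_book(secret), issued
        self.accesses, self.withdrawn, self.attempts = 0, False, []

class Gateway:
    def __init__(self): self.books = {}
    def issue(self, user: str, now: int) -> dict:
        self.books[user] = Book(secrets.token_bytes(32), now)
        return dict(self.books[user].table)       # what gets printed for the user
    def withdraw(self, user: str): self.books[user].withdrawn = True   # lost sheet
    def usable(self, b: Book, now: int) -> bool:
        return not b.withdrawn and b.accesses < MAX_ACCESSES and now - b.issued < LIFETIME
    def challenge(self, user: str, now: int, k: int = 3):
        b = self.books[user]                      # step 3: series of k quintuples
        b.attempts = [t for t in b.attempts if now - t < WINDOW]  # drop old attempts
        if not self.usable(b, now) or len(b.attempts) >= MAX_ATTEMPTS: return None
        b.attempts.append(now)
        return secrets.SystemRandom().sample(list(b.table), k)
    def verify(self, user: str, challenges: list, answers: list, now: int) -> bool:
        b = self.books[user]                      # step 4: check looked-up responses
        if not self.usable(b, now) or any(c not in b.table for c in challenges): return False
        ok = hmac.compare_digest("".join(b.table[c] for c in challenges), "".join(answers))
        if ok:
            b.accesses += 1
            for c in challenges: del b.table[c]   # spent; a quintuple is used once
        return ok
```

Spent quintuples are deleted from the server's table, so a response seen once on the wire is useless for a later login, which is the one-time property the sheet is meant to provide.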
The interface to code book generation could also be provided by a
local web page. A large print two page code book might be desirable
for those ocularly challenged. It would be reasonable to assume that
local printing facilities are secure enough.
Previous work
I've proposed the project before and at least one person has had a
stab at it though there are no doubt alternative approaches/major
improvements.
Special resources
None to develop the theory. However, to put the work into practice
you'll probably need to modify the rlogin daemon so it would be useful
if you had your own Linux box to experiment on.
Possible supervisors
I'm not prepared to supervise this project. You might like to contact
members of the security research
group. This project could also be supervised by many other people
in the lab.