From: Jef Poskanzer <jef@ee.lbl.gov>
To: cypherpunks@toad.com
Message Hash: 4295d47bc328cef32026c33e2239b96bc1d948bc910ab4ad871273e270e85777
Message ID: <9311182033.AA25177@ace.ee.lbl.gov>
Reply To: N/A
UTC Datetime: 1993-11-18 20:34:32 UTC
Raw Date: Thu, 18 Nov 93 12:34:32 PST
From: Jef Poskanzer <jef@ee.lbl.gov>
Date: Thu, 18 Nov 93 12:34:32 PST
To: cypherpunks@toad.com
Subject: Re: hohocon
Message-ID: <9311182033.AA25177@ace.ee.lbl.gov>
MIME-Version: 1.0
Content-Type: text/plain
At Hackers 8.0 a hallway discussion (including Eric Hughes) came up
with an amusing variation on these sniff-resistant authentication schemes:
use a pager. It goes like this. You telnet from an insecure site to your
home system, and type your userid. Instead of prompting you for a
password, your system looks up your pager number, dials out to the pager
service, and pages you with a random but syntactically valid phone
number. Then it prompts you. You receive the page and type that
number as your password.
Authentication is based on physical posession of the pager, and knowing
what userid/machine it corresponds to. A possible attack would be
to monitor the pager frequencies and try to snag the number out of
the air. Possible defense against this would be to require a special
password before the page is generated - an attacker would have to monitor
both the network and the radio.
Not military grade security, but lots of folks have pagers and could
hack together something like this in a day or so.
---
Jef
Return to November 1993
Return to “Jef Poskanzer <jef@ee.lbl.gov>”
1993-11-18 (Thu, 18 Nov 93 12:34:32 PST) - Re: hohocon - Jef Poskanzer <jef@ee.lbl.gov>