From owner-freebsd-questions@FreeBSD.ORG Sun Mar 24 08:48:36 2013
Date: Sun, 24 Mar 2013 01:48:35 -0700
Subject: Re: Client Authentication
From: Mehmet Erol Sanliturk
To: Doug Hardie
Cc: "freebsd-questions@freebsd.org List"
List-Id: User questions
On Sun, Mar 24, 2013 at 1:21 AM, Doug Hardie wrote:
>
> On 23 March 2013, at 22:59, Mehmet Erol Sanliturk wrote:
>
> > The following steps may be another idea:
> >
> > Assume that you supply to your users a small login program prepared for
> > them specifically (since you are using SSH):
> >
> > Compile that program for each user with a special identifier for him/her
> > and ship this program to your user, and require that the login be
> > performed by this program. This program will send a very long code to
> > your system with the user password, which is known only to you and to your
> > user. Since external users will not know this code, they will not be able
> > to log in to their accounts by using only the password.
> >
> > This will also easily identify fake login trials: It is very obvious
> > that to estimate a very long code will require a large number of tries: If
> > the code fails, it means that the login trial is from a fake user.
> > If the password fails, a fixed number of trials may be allowed (The
> > banks are allowing only TWO failed passwords; on the third, a new attempt
> > can be made after 24 hours, in Turkey).
> >
> > This program may also additionally send a computer signature to your
> > system, which was previously sent to you on subscription, computed by a
> > program prepared by you.
> >
> > If the user changes or uses a different computer, he/she should
> > supply a signature of the computer.
> >
> > Here, the important point is that you should always verify that you are
> > communicating with the real user, not a faked user on behalf of the real
> > user.
> >
> > For the stolen program/codes, prepare a new program and ship it to the
> > user.
>
> That's an interesting approach but becomes difficult to use when traveling,
> as you have no idea what computer you will be able to use today until you
> get to it. Then you might have only a few minutes of access to it before
> moving on.
>
> > Another idea may be the following:
> >
> > Assume the user computer is NOT captured by a criminal bandit.
> >
> > On subscription, send to the user a square bar code printed on a card
> > like a credit card, having a very long code specifically prepared for the
> > user.
> > On login, the user will show this card to the camera of the computer
> > and it will be transmitted to your system. In your system, it will be
> > decoded, and it will be used to identify the user with his/her password.
> >
> > If this application is used, it may not be necessary to send the users
> > a special login program prepared for each of them.
>
> This idea shows a lot of promise. I have to figure out how to tie it into
> mail, web etc. There is libqrencode for creating the QR images. I am
> downloading it now.
>
> -- Doug
>

A single method may not be so useful for ALL the users.

You may design a part for mostly static users.

For traveling persons, by using relevant information in your system, you may
use an approximate solution: QR code, password, computer signature: If two of
them are correct, and in the user profile there is information that the user
travels frequently, you may assume his/her login is correct.

Another point may be that the user informs your system that he will travel
between dates (if foreign countries are involved, he may specify them).

By using such information, it may be possible to identify users correctly as
much as possible.

This requires a good user profile definition in your system, and temporary
exceptions, which should ALWAYS be obtained through a fully verified login to
prevent fake changes.

As an example of bank robbery: A criminal, applying to the GSM company of a
user in place of the "person to be robbed", says that "My GSM device has been
stolen. Please cancel it. Give me a new GSM chip and number." After getting the
new GSM number, the criminal applies to the bank with the request "Change my
GSM number." in place of the "person to be robbed". During a money transfer of
the "person to be robbed", the bank sends a GSM message to the person, but it
is diverted to the criminal to get authorization. The person gives
authorization. As a result: Money is stolen. The rest is not important. The
real person has to go to court to prove that his/her money was stolen: Such a
trial takes almost five years.

This means that security measures/steps should be designed extremely
carefully.

All over the world, there are many millions of personal computers captured by
criminals and used for committing crimes, with the responsibility falling on
the real owner of the computer.

For your users, some of them may obtain or have static IP numbers. Therefore,
it is not necessary to completely discard such an alternative.

Methods ranging from the most secure one that can be implemented for suitable
users down to the least secure ones for persons who have difficulty may be
applied.

For the least secure methods, some statistical measures may be implemented:
For example, the average daily number of logins, the average number of
messages, a white list of target addresses, etc. If some of these measures
are violated, the case may be inspected for possible security breaches.

Thank you very much.

Mehmet Erol Sanliturk
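The login policy sketched across the two messages above (password, long per-user code carried on a QR card, computer signature, lockout after a fixed number of password failures, a two-of-three relaxation for frequent travellers, and statistical checks for the least secure tier) written out as server-side logic. This is an added example, not code from the thread or from any FreeBSD component; the names `UserProfile`, `enroll`, `check_login` and `usage_is_anomalous`, the three-failure lockout, the 256-bit card code and the "three times the daily average" threshold are all assumptions chosen for illustration. The sample users at the bottom are constructed.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Assumption for this example: three wrong passwords lock the account (the
# thread cites a bank rule of two failures; the exact number is a policy choice).
MAX_PASSWORD_FAILURES = 3
PBKDF2_ROUNDS = 100_000


@dataclass
class UserProfile:
    name: str
    pw_salt: bytes
    pw_hash: bytes
    card_code: bytes                  # long per-user secret printed as a QR card
    machine_sigs: Set[str]            # signatures of the user's registered computers
    travels: bool = False             # relaxation flag; set only over a verified login
    failures: int = 0
    locked: bool = False
    avg_daily_logins: float = 0.0     # statistical baseline for the weakest tier
    whitelist: Set[str] = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(name: str, password: str, machine_sig: str,
           travels: bool = False) -> Tuple[UserProfile, bytes]:
    """Create the profile and return it with the code to print on the user's card."""
    salt = os.urandom(16)
    code = secrets.token_bytes(32)    # 256 bits: guessing it is infeasible
    profile = UserProfile(name, salt, hash_password(password, salt), code,
                          {machine_sig}, travels)
    return profile, code


def check_login(profile: UserProfile, password: str,
                presented_code: bytes, machine_sig: str) -> str:
    """Decide one login attempt: 'ok', 'locked', 'fake' or 'denied'."""
    if profile.locked:
        return "locked"
    # Evaluate all three factors before deciding, using constant-time
    # comparisons, so the response does not leak which factor failed.
    pw_ok = hmac.compare_digest(profile.pw_hash,
                                hash_password(password, profile.pw_salt))
    code_ok = hmac.compare_digest(profile.card_code, presented_code)
    sig_ok = machine_sig in profile.machine_sigs

    if pw_ok and code_ok and sig_ok:
        profile.failures = 0
        return "ok"
    # Traveller relaxation from the thread: any two of the three factors suffice.
    if profile.travels and (pw_ok + code_ok + sig_ok) >= 2:
        profile.failures = 0
        return "ok"
    if not code_ok:
        # A 256-bit code is never mistyped into a near miss, so a wrong code
        # marks a fake login rather than counting as a password failure.
        return "fake"
    if not pw_ok:
        profile.failures += 1
        if profile.failures >= MAX_PASSWORD_FAILURES:
            profile.locked = True
            return "locked"
    # Code and password are right but the computer is unregistered: the user
    # must first register the new computer's signature over a verified login.
    return "denied"


def usage_is_anomalous(profile: UserProfile, logins_today: int,
                       recipients: List[str]) -> bool:
    """Statistical check for the least secure tier: unusual volume or targets."""
    too_many = profile.avg_daily_logins > 0 and logins_today > 3 * profile.avg_daily_logins
    off_list = bool(profile.whitelist) and not set(recipients) <= profile.whitelist
    return bool(too_many or off_list)


if __name__ == "__main__":
    # Constructed sample users: one static, one frequent traveller.
    alice, card = enroll("alice", "correct horse battery", "sig-office-pc")
    print(check_login(alice, "correct horse battery", card, "sig-office-pc"))    # ok
    print(check_login(alice, "correct horse battery", b"\0" * 32, "sig-office-pc"))  # fake
    bob, bob_card = enroll("bob", "hunter2", "sig-home", travels=True)
    print(check_login(bob, "hunter2", bob_card, "sig-hotel-kiosk"))  # ok
```

Two caveats worth keeping in mind when building this. First, the two-of-three relaxation means a traveller whose registered computer is captured and whose password is phished logs in without the card at all, so the `travels` flag is exactly the kind of profile exception that, as the message says, must only ever be changed over a fully verified login; the SIM-swap story above is the same failure applied to a bank's "change my GSM number" path. Second, the card code is only as secret as the channel it crosses: showing it to a webcam on a borrowed machine hands the long-lived secret to whatever software runs there, so a stolen card should be treated like a stolen program and reissued.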