Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 24 Mar 2013 01:48:35 -0700
From:      Mehmet Erol Sanliturk <>
To:        Doug Hardie <>
Cc:        " List" <>
Subject:   Re: Client Authentication
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Sun, Mar 24, 2013 at 1:21 AM, Doug Hardie <> wrote:

> On 23 March 2013, at 22:59, Mehmet Erol Sanliturk <>
> wrote:
> > The following steps may be another idea :
> >
> > Assume that you supply to your users a small login program prepared for
> them specifically ( since you are using SSH )  :
> >
> > Compile that program for each user with a special identifier for him/her
>  and ship this program to your user and require that the login will be
> performed by this program  . This program will send a very long code to
> your system with user password which is only known to you and to your user
> .  Since external users will not know this code , they will not be able to
> login into their accounts by using only password .
> >
> > This will also easily identify fake login trials : It is very obvious
> that to estimate a very long code will require a large number of tries : If
> code fails , it means that login trial is from a fake user .
> > If password fails , it may be allowed a fixed number of trials ( The
> banks are allowing only TWO failed passwords , on third , a new attempt can
> be made after 24 hours , in Turkey ) .
> >
> > This program may also additionally send computer signature to your
> system which is previously send to you on subscription computed by a
> program prepared by you .
> >
> > If the user changes  / or uses a different computer , he/she should
> supply a signature of the computer .
> >
> > Here , important point is that , always you should verify that you are
> communicating the real user , not a faked user in behalf of the real user .
> >
> > For the stolen program/codes , prepare a new program and ship to the
> user .
> Thats an interesting approach but becomes difficult to use when traveling
> as you have no idea what computer you will be able to use today until you
> get to it.  Then you might have only a few minutes access to it before
> moving on.
> >
> > Another idea may be the following :
> >
> > Assume the user computer is NOT captured by a criminal bandit .
> >
> > On subscription , send to the user a square bar code printed on a card
> like credit card having a very long code specifically prepared for the user
> .
> > On login , the user will show this card to the camera of the computer
> and will be transmitted to your system . In your system , it will be
> decoded , and it will be used to identify the user with his/her password .
> >
> > If this application is used , it may not be necessary to send the users
> a special login program prepared for each of them .
> >
> This idea shows a lot of promise.  I have to figure out how to tie it into
> mail, web etc.  There is libqrencode for creating the QR images.  I am
> downloading it now.
> -- Doug

A single method may not be so much useful for ALL the users .

You may design a part for mostly static users .
For traveling persons , by using relevant information in your system , you
may use a approximate solution : QR code , password , computer signature :
If two of them is correct , and in user profile there is an information
that the user travels frequently , you may assume his/her login is correct .

Another point may be that the user inform your system that he will travel
between dates ( if foreing countries are involved , he may  specify them )
. By using such information , it may be possible
to identify users correctly as much as possible .

This requires a good user profile definition in your system , and temporary
exception which these exceptions should ALWAYS be obtained from fully
verified login to prevent fake changes .

As an example of bank robbery :

A criminal , applying to a user GSM company instead of another "person to
be robbed" by saying that "My GSM device has been stolen . Please cancel it
. Give a new GSM chip  and number ."

After getting the new GSM number , the criminal is applying to bank for
request "Change my GSM number ."  instead of another "person to be robbed" .

During money transfer of "person to be robbed" , the bank is sending a GSM
message to the person , but diverted to criminal to get authorization .

Person is giving authorization .

As a result : Money is stolen . Rest is not important .
The real person should go to court to prove that his/her money is stolen :
Such a trial is taking almost five years .

This means that security measures / steps should be designed with extremely
carefully .

All over the world , there a large millions of personal computers captured
by criminals and are used  for crime performance with the responsibility
being on the real owner of the computer .

For your users , some of them may obtain or have static IP numbers .
Therefore , it is not necessary completely discard such an alternative .

By using most secure method which can be implemented for the suitable users
to least secure methods have been implemented persons with difficulty may
be applied .

For least secure methods , some statistical measures may be implemented :

For example , average daily number of logins , average number of messages ,
a white list of target addresses , etc. If some of these measures violated
, the case may be inspected for possible security breaches .

Thank you very much .

Mehmet Erol Sanliturk

Want to link to this message? Use this URL: <>