Date: Sun, 24 Mar 2013 01:48:35 -0700
From: Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com>
To: Doug Hardie <bc979@lafn.org>
Cc: "freebsd-questions@freebsd.org List" <freebsd-questions@freebsd.org>
Subject: Re: Client Authentication
Message-ID: <CAOgwaMsrvM-nhQ9FLD0KHzw2T+eeG4MPO18z9y32Dvn17MT1jA@mail.gmail.com>
In-Reply-To: <15F2FFE1-C05D-4663-BCD6-58A893CA1C24@lafn.org>
References: <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <CAOgwaMvu+OC4PiPfNNwoj7aB+631Nt_=SwjFG9y89+avB6Mp9Q@mail.gmail.com> <8680FAB3-4943-4F91-935B-E11511C3FD4E@lafn.org> <CAOgwaMveiex1x6DGoufcJQKwv8EvcSv2wnu_UyqAK9rgXt7BVw@mail.gmail.com> <15F2FFE1-C05D-4663-BCD6-58A893CA1C24@lafn.org>
On Sun, Mar 24, 2013 at 1:21 AM, Doug Hardie <bc979@lafn.org> wrote:
>
> On 23 March 2013, at 22:59, Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com> wrote:
>
> > The following steps may be another idea:
> >
> > Assume that you supply to your users a small login program prepared for them specifically (since you are using SSH):
> >
> > Compile that program for each user with a special identifier for him/her and ship this program to your user, and require that the login be performed by this program. This program will send a very long code to your system together with the user password, which is known only to you and to your user. Since external users will not know this code, they will not be able to log in to their accounts by using only the password.
> >
> > This will also easily identify fake login attempts: it is very obvious that estimating a very long code will require a large number of tries. If the code fails, it means that the login attempt is from a fake user.
> > If the password fails, a fixed number of attempts may be allowed (in Turkey, the banks allow only TWO failed passwords; on the third, a new attempt can be made after 24 hours).
> >
> > This program may additionally send a computer signature to your system, which was previously sent to you on subscription, computed by a program prepared by you.
> >
> > If the user changes or uses a different computer, he/she should supply a signature of the computer.
> >
> > Here, the important point is that you should always verify that you are communicating with the real user, not a fake user on behalf of the real user.
> >
> > For stolen programs/codes, prepare a new program and ship it to the user.
>
> That's an interesting approach but becomes difficult to use when traveling as you have no idea what computer you will be able to use today until you get to it. Then you might have only a few minutes access to it before moving on.
>
> > Another idea may be the following:
> >
> > Assume the user computer is NOT captured by a criminal bandit.
> >
> > On subscription, send to the user a square bar code printed on a card like a credit card, having a very long code specifically prepared for the user.
> > On login, the user will show this card to the camera of the computer and it will be transmitted to your system. In your system, it will be decoded, and it will be used to identify the user together with his/her password.
> >
> > If this application is used, it may not be necessary to send the users a special login program prepared for each of them.
>
> This idea shows a lot of promise. I have to figure out how to tie it into mail, web etc. There is libqrencode for creating the QR images. I am downloading it now.
>
> -- Doug
>

A single method may not be so useful for ALL the users. You may design a part for mostly static users. For traveling persons, by using relevant information in your system, you may use an approximate solution: QR code, password, computer signature. If two of them are correct, and in the user profile there is information that the user travels frequently, you may assume his/her login is correct.

Another point may be that the user informs your system that he will travel between certain dates (if foreign countries are involved, he may specify them). By using such information, it may be possible to identify users correctly as much as possible. This requires a good user profile definition in your system, and temporary exceptions, which should ALWAYS be obtained from a fully verified login to prevent fake changes.

As an example of bank robbery: A criminal applies to the GSM company in the place of another "person to be robbed", saying "My GSM device has been stolen. Please cancel it. Give me a new GSM chip and number." After getting the new GSM number, the criminal applies to the bank with the request "Change my GSM number", again in the place of the "person to be robbed". During a money transfer of the "person to be robbed", the bank sends a GSM message to the person, but it is diverted to the criminal to get authorization. The person gives authorization. As a result: money is stolen. The rest is not important. The real person should go to court to prove that his/her money was stolen: such a trial takes almost five years.

This means that security measures/steps should be designed extremely carefully.

All over the world, there are many millions of personal computers captured by criminals and used for committing crimes, with the responsibility falling on the real owner of the computer.

For your users, some of them may obtain or have static IP numbers. Therefore, it is not necessary to completely discard such an alternative.

Methods ranging from the most secure one, which can be implemented for suitable users, to the least secure ones, implemented for persons with difficulty, may be applied. For the least secure methods, some statistical measures may be implemented: for example, average daily number of logins, average number of messages, a white list of target addresses, etc. If some of these measures are violated, the case may be inspected for possible security breaches.

Thank you very much.

Mehmet Erol Sanliturk
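An added example (not from the thread) of how the two-of-three policy described above could be evaluated on the server: the Python below is mine and assumes a per-user profile record holding salted PBKDF2 hashes of the three factors (password, card code, computer signature), ISO date strings for the announced travel window, and a caller that reports whether the current session was fully verified.

```python
import hashlib
import hmac
from datetime import date

def _digest(salt: bytes, value: str) -> bytes:
    # Slow salted hash so a stolen profile table does not reveal the codes directly.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

class UserProfile:
    """Per-user record (assumed layout): hashed password, hashed card code (the long
    code printed on the QR card), hashed computer signature, and travel information."""
    def __init__(self, salt, password, card_code, device_sig, travels_often=False):
        self.salt = salt
        self.password_h = _digest(salt, password)
        self.card_h = _digest(salt, card_code)
        self.device_h = _digest(salt, device_sig)
        self.travels_often = travels_often
        self.travel_window = None  # (start, end) dates announced by the user

def verified_factors(profile, password, card_code, device_sig):
    """Count how many of the three presented factors match the stored ones (0..3).
    A missing factor counts as wrong; compare_digest keeps the check constant-time."""
    presented = (
        (profile.password_h, password),
        (profile.card_h, card_code),
        (profile.device_h, device_sig),
    )
    return sum(
        hmac.compare_digest(stored, _digest(profile.salt, given or ""))
        for stored, given in presented
    )

def login_allowed(profile, password, card_code, device_sig, today):
    """Static users must present all three factors. A frequent traveller, or a
    user inside an announced travel window, passes with two of three (for
    example card and password from an unknown computer)."""
    matched = verified_factors(profile, password, card_code, device_sig)
    if matched == 3:
        return True
    day = date.fromisoformat(today)
    in_window = (profile.travel_window is not None
                 and profile.travel_window[0] <= day <= profile.travel_window[1])
    return matched == 2 and (profile.travels_often or in_window)

def announce_travel(profile, start, end, session_fully_verified):
    """Record the temporary exception; accepted only from a fully verified session."""
    if not session_fully_verified:
        raise PermissionError("travel exception requires a fully verified login")
    profile.travel_window = (date.fromisoformat(start), date.fromisoformat(end))
```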