Subject: Re: Encrypted logins, configuration, The Chooser, etc.
From: Leland Wallace (randall@apple.com)
Date: Mon Mar 12 2001 - 14:54:19 EST
On Saturday, March 10, 2001, at 10:25 AM, Bruce A. Burdick, Jr. wrote:
>
> From: Bruce A. Burdick, Jr. <bucky@interaccess.com>
> Date: Tue, 06 Feb 2001 02:47:05 -0600
>
> I've perused the archives, but have mostly seen quick jots and morsels, all
> assuming quite a bit of pre-existing context. Let's assemble the full story
> on encrypted logins and netatalk. I'd like to see a robust how-to that
> leaves nothing unsaid. How about you?
>
<SNIP>
> What are the various methods for encrypted logins supported by The Chooser?
> In which versions?
Authentication methods supported by the AppleShare Client:

No User Authent -- aka guest.

Cleartext passwd -- the lowest common denominator (just as bad as it sounds).

Randnum Exchange -- only 8-byte random numbers are sent over the wire. Vulnerable to offline dictionary attack; only the client is authenticated. Requires a cleartext password on the server. Limited to 8-byte passwords. Uses DES.

2-Way Randnum Exchange -- same as above, but the server is authenticated as well, making it strong against Man in the Middle attacks. This has been the mainstay of the Apple AFP services.

DHCast128 -- aka DHX, a 128-bit key is generated by Diffie-Hellman key agreement; a 64-byte password is sent encrypted by the above key using CAST-128. Weak against Man in the Middle attacks. This one is gaining popularity and is supported in Mac OS X.

Third Party UAMs that I know of:
MicrosoftUAM
Netware UAM
There are at least 2 Kerberos UAMs kicking around.

Clients up to 3.8.3 have the first 4; 3.8.3 shipped with DHX as a UAM plug-in. 3.8.4 and later have DHX built in.

UAMs I'd like to write if I had the time:
B-SPEKE - a robust alg, provably secure, does not use cleartext anywhere except on the client (as input). <http://world.std.com/~dpj>
SRP - very similar to B-SPEKE. <http://www-cs-students.stanford.edu/~tjw/srp/>
RADIUS - don't know very much about this one, but it looks like it would be useful.
<SNIP>
>
> Do any end-to-end secure solutions exist? (i.e. no clear text passwords
> stored or transmitted) What are they? How (in detail) are they installed and
> configured?
By your definition DHX seems to fit the bill. I'd look at B-SPEKE and SRP as well.
<SNIP>
> Lastly, to you fellas who've picked up the netatalk ball and put it back
> into development: thank you!
>
ditto.
I'm the lead engineer on the AppleShare Client at Apple.
Hope this helps
Leland
+-----------------------------------------------------------------------------------
Leland Wallace Working in AppleShare Engineering
randall@apple.com but not speaking for Apple Computer Inc.
http://www2.inow.com/~randall
+-----------------------------------------------------------------------------------
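The 2-Way Randnum Exchange described in the message above, as an added example (not code from the original post, from Apple or from netatalk): a simulation of the four-message flow showing why the server must hold the cleartext password and how the second challenge lets the client reject a server that does not know it. HMAC-SHA256 truncated to 8 bytes stands in for DES so it runs without a DES library, and the message layout is a simplification, not the AFP wire format.

```python
import hashlib
import hmac
import secrets

# Stand-in for DES (constructed for this example): the real UAM encrypts the
# 8-byte challenge with DES keyed by the password. HMAC-SHA256 truncated to
# 8 bytes is used only so the example runs without a DES library.
def encrypt_challenge(password, challenge):
    key = password[:8].ljust(8, b"\x00")  # passwords are limited to 8 bytes
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]

class Server:
    """Server side: must hold the cleartext password to compute responses."""
    def __init__(self, accounts):
        self.accounts = accounts      # user -> cleartext password
        self.pending = {}             # user -> outstanding challenge

    def challenge(self, user):
        nonce = secrets.token_bytes(8)  # step 1: only 8 random bytes on the wire
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response, client_nonce):
        """Step 3: check the client's answer; then (2-way only) answer the
        client's challenge. Returns the server's proof, or None on failure."""
        password = self.accounts.get(user)
        nonce = self.pending.pop(user, None)
        if password is None or nonce is None:
            return None
        if not hmac.compare_digest(response, encrypt_challenge(password, nonce)):
            return None
        return encrypt_challenge(password, client_nonce)

class Client:
    def __init__(self, user, password):
        self.user, self.password, self.nonce = user, password, b""

    def respond(self, server_nonce):
        """Step 2: answer the server's challenge and issue our own (2-way only)."""
        self.nonce = secrets.token_bytes(8)
        return encrypt_challenge(self.password, server_nonce), self.nonce

    def check_server(self, proof):
        """Step 4: a server that did not know the password cannot pass this."""
        return proof is not None and hmac.compare_digest(
            proof, encrypt_challenge(self.password, self.nonce))

def two_way_randnum(client, server):
    response, client_nonce = client.respond(server.challenge(client.user))
    return client.check_server(server.verify(client.user, response, client_nonce))
```

The one-way Randnum Exchange is the same flow with steps 2 and 4 reduced to the client response alone, which is why it authenticates only the client.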
This archive was generated by hypermail 2b28 : Sun Oct 14 2001 - 03:04:34 EDT