LISTSERV - HP3000-L Archives

HP3000-L Archives

June 1998, Week 2

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L June 1998, Week 2

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re[2]: New version of QCTerm available
From:	Gavin Scott <[log in to unmask]>
Reply To:	Gavin Scott <[log in to unmask]>
Date:	Fri, 12 Jun 1998 11:42:34 -0700
Content-Type:	text/plain
Parts/Attachments:	text/plain (26 lines)

Chris writes:
>  -md5 is NOT unbreakable;

As far as I know, md5 should still be as close to unbreakable as you
would ever want.  If you don't trust md5, then you can switch to SHA
or some other cryptographically secure message digest algorithm.
Unfortunately, you can easily attack the *protocol* rather than the
*algorithms* used, because:

> Client generates a hash code from a combination of the welcome
> banner and the (mailbox) password. Client sends the user name and
> the hash code to the server.

If Eve can monitor both sides of the connection then she can take the
welcome message and the hash sent back to the server and then go off
in a corner and guess passwords until she finds the one which generates
the right hash value.  This is the same process as cracking passwords
out of a copy of an /etc/passwd file.  It means that the resulting
system is only as secure as the pop3 passwords the user chooses (or is
assigned).

An encrypted login process is not of much value if the actual
session will be conducted in the clear once the user is authenticated,

G.

ATOM RSS1 RSS2

RAVEN.UTC.EDU