nanogui: Access control
Subject:
RE: Access control
From:
"Gray, Tim" ####@####.####
Date:
15 Dec 2000 20:01:58 -0000
Message-Id: <FDEAFB323166D311BF6A00805F954F1E1FC43B@rosetti.tci.com>
Thanks, That's clears it up for me. I was at a loss in understanding how
things came together.
-----Original Message-----
From: Alex Holden ####@####.####
Sent: Friday, December 15, 2000 12:30 PM
To: Gray, Tim
Cc: ####@####.####
Subject: RE: Access control
On Fri, 15 Dec 2000, Gray, Tim wrote:
> Ok, I have a question. Other than trying to run a session across the
> internet or another unprotected network, what would be the use of adding
> security to the system? Wouldn't it be better to leave the security to a
> seperate piece of hardware by running your microwindows session inside a
> protected network?
It's very difficult and expensive to ensure that a network is 100%
physically secure (ie. there's no point where somebody could install a
tap without it being immediately detected) over any significant distance.
Arguably strong encryption and the clock cycles to run it is almost free
in comparison. I'm sure there will be people who want to use Nano-X in a
networked situation, and I would say it's likely that a significant number
of those will be running on an insecure network and will want to protect
against crackers from being able to take control of their machine
remotely. Using strong encryption both protects against unauthorised
access and has the additional advantage of preventing people from being
able to snoop the traffic between the application and the server. Consider
when PDAs with high speed wireless Internet access start to get widely
available and portable, and you want to be able to run graphical
applications on your high powered (but non portable) server with the PDA
as the display...
> I admit that I am far from a security expert, but it seems to me that
adding
> md5 encryption on all transmissions would severly tax a minimal resource
> platform that microwindows is written for.
MD5 is a hash algorithm, not encryption. It is possible to do
authentication using hash algorithms and this would be really nice
because it's simple and only incurs an overhead at connection time, but
unfortunately as Alan pointed out it isn't really much use because it's
possible to hijack a TCP session after the authentication has already
taken place. I'm actually writing a tiny encryption suite based on TEA
(Tiny Encryption Algorithm). So far I've done a key generator and a file
encryption and decryption program (I tried to announce it to Freshmeat
last night but it was down at the time), and I'm working on a set of
network forwarding programs. The algorithm is actually pretty fast- my
old P166 can encrypt and decrypt at about 760KB/s. I think it will be
usably fast on even very slow machines, and the memory and flash usage is
trivial.
--
------- Alex Holden -------
http://www.linuxhacker.org/
http://www.robogeeks.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: ####@####.####
For additional commands, e-mail: ####@####.####
