httpd-dev mailing list archives

From Rob Hartill <hart...@ooo.lanl.gov>
Subject Re: authentication algorithm
Date Mon, 10 Jul 1995 16:15:46 GMT
 
>    From: Rob Hartill <hartill@ooo.lanl.gov>
>    Date: Mon, 10 Jul 95 14:59:36 MDT
> 
>    Is it possible to have authentication based on a simple algorithm ?
> 
> In Shambhala, you can write a module which does it however you like.
> (DBM auth is a separate module, for instance, and the rest of the
> server knows nothing about it).  However, I'm not sure what security
> the scheme outlined below would offer over simply setting up a group
> account with the standard mechanisms...

AFAIK, existing authentication requires a database of name/passwords.
We don't want to maintain such a database, no matter how simple it is.
We just need a password checker which uses a name->password algorithm.

>    If that's not clear, here's an example...
>      password =  name + 1    (e.g.   abcdef -> bcdefg)
> 
> So, anyone who knows this rule can get in using any username?

The rule will not be publicised.
We're not trying to make a secure system here, just keep impatient
physicists from polling our site looking for any kind of early info about
papers from their rivals... Our URLs contain a number which increases
for each new paper, so people just keep adding 1 and hitting our server in
the hope that they can find a rival's paper half a day before it is
announced.

We want to be able to let authors test their submissions via the web
(and fix things accordingly) whilst locking out all the impatient spies.

Only the author will be told name/password to use. The algorithm we use
will be simple but "impossible" to crack... nobody will see enough examples
to find a pattern. If it gets cracked, we modify it. Anyone smart
enough to crack the algorithm won't need to spy on their rivals  :-)

rob
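
The database-free name->password check discussed in this message, as an added example that is not part of the original post or of any Apache module: it places the thread's illustrative "name + 1" rule beside a keyed derivation (HMAC-SHA256 under a server-side secret, a technique swapped in here), so the secret is a key rather than the rule itself. The key value, the names and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample key (assumption); a real server would load a random
# secret from a file only the server can read.
SERVER_KEY = b"constructed-example-key"


def shift_rule(name):
    """The thread's illustrative rule: password = name + 1 (abcdef -> bcdefg)."""
    return "".join(chr(ord(c) + 1) for c in name)


def derive_password(name, key=SERVER_KEY, length=12):
    """Keyed rule: HMAC-SHA256(key, name), base32-encoded, truncated."""
    mac = hmac.new(key, name.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii")[:length].lower()


def check(name, supplied, key=SERVER_KEY):
    """Stateless check: recompute the password, compare in constant time."""
    expected = derive_password(name, key)
    return hmac.compare_digest(expected.encode("ascii"), supplied.encode("utf-8"))


def constant_shift(name, password):
    """Return the per-character offset if one issued pair exposes a fixed
    shift rule, else None."""
    if len(name) != len(password) or not name:
        return None
    offsets = {ord(p) - ord(n) for n, p in zip(name, password)}
    return offsets.pop() if len(offsets) == 1 else None


if __name__ == "__main__":
    author = "author42"  # constructed sample name
    print(shift_rule("abcdef"), constant_shift("abcdef", shift_rule("abcdef")))
    issued = derive_password(author)
    print(issued, check(author, issued), check("author43", issued))
    print(constant_shift(author, issued))
```

Changing the rule after a leak then means replacing the key file, and the checking code stays the same.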
