On Thursday 25 January 2001 02:44, you wrote:
[snip]
> As for the randomosity argument, this may be fixable on UNIX systems but
> not on conventional desktop systems (Mac, Windows). Any ideas on how to
> deal with the problem on systems without any true entropy gathering? If
> there is a sensible way, I propose it should be incorporated into the RFB
> protocol spec in the very near future, as part of an authentication update
> including long password support as well.
Long passwords are not really the issue. If there's going to be a RFB
protocol improvement, then I suggest either going for a proper C/R mechanism,
such as Kerberos (which is MiM resistant), or going for a relatively
lightweight mechanism such as Wide Mouth Frog (see Applied Cryptography,
Scheiner).
I'm a great believer in that home spun crypto sucks. Crypto and
authentication are Hard (tm) with a capital H. There are known algorithms in
the field, we should use them instead of inventing our own. This is why this
dicsussion is here at all - someone thought 3DES + a MD5 C/R would be great,
but failed to see that a static salt and weak registry permissions were going
to be a problem.
RFB auth type 2 is weak, and will always be exploitable until it is removed
from all VNC servers (ie we HAVE to break the protocol to force the zillions
of clients to update).
Andrew
-------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
