Hi. My name is Sławomir Lach. I'm from Poland and I live in Mysłowice. I'm 19 years old. This is my first post to the mailing list, so I must tell you I can't speak English very well :-( . I would like to note that I'm not a security expert. Sorry that I'm speaking up, and please correct my opinion. Maybe I'm not a security expert, but if you use my concept, please add some info about me as the core author, of course if you can ;-) . In my opinion every authentication method is poor (broken) in concept, because it's not secret. I don't want to tell you that closed source software is better than open source software. I just think that if we have gained access to our computer, another person with a camera installed above our head can read our information. Another thing is that any authorisation device can be stolen and nobody can help us if the thief also has our password and laptop. My concept is simple. I was trying to create some addition to the currently used auth methods. It makes authorisation for the user always nearly the same, but the intruder doesn't know how we authenticate, because the process is more configurable. The core of my idea is that in the first dialog the user must input a minimal amount of information. This step is the inverse of standard password authentication. The user will read some needed information from the screen and tell the computer whether it's true. If the user tells the system that the information isn't true, the process will continue as if they didn't type yes. If the user typed yes, then probably the next authentication dialog is shown to him, where the user must type a string matching the policy configured by him and containing some information from the previous dialog selected during the configuration process. If both methods return a positive state (the user passes both tests), then we authenticate. Otherwise, we make some delay and return to the first dialog. This method is very funny, because the user doesn't have to remember any password and in the first dialog only moves the mouse.
But the user can set the auth string policy to: 2 random characters + "aka" + the first letter of the name from the previous dialog. The policy can also be: "akaI'm winner", so we have a normal password. See the images first-step.png and secound-step.png to imagine it. But the concept is poor, because we must provide the policy string in every authorisation mechanism and we can make a mistake in the string input. In that situation, we can forget about the second dialog, move the first dialog into the second step and provide the normal method in the first. If we now type a wrong password, then we should see the password dialog again. The second option is good e.g. for the keyring. All configuration of our additional auth method can be stored in the keyring and the dialog appears when the keyring is opened. The configuration should contain: random seed, position of key words (used to decide whether we must click yes or not in the letter dialog), random mesh seed, key words, position of generated auth words (can be used in the second dialog). The same method can be used in gdm or other system parts. I don't tell you the method is very good. If somebody installed a secret camera in our house, then probably some people can record our positive auth method and get access to our computer. On the other hand, you can imagine this situation: We take our laptop to our enemy from work and we should show him some photos/documents. We arrive at his place, open our computer, drink some water, eat some things.... But we must go to the WC. So we shut our laptop down, don't remove the access hot drive, and go. He can now turn on our laptop, retype our password and do lots of things. We can also set the system to change our password after every authentication, but it's hard to remember them all and a simple mechanism can be insecure. With some random seeds and google for eyes, we can show him the laptop turn-on process and next turn it off. We can also do these things not just once, we can do it very often. We also have a problem with changing our password in this uncomfortable situation.
If anybody watches while we type our password and watches us all the time, we don't have a moment to change our password. If they sit nearest to us, the situation is very bad. By adding my mechanism to the auth process we don't have any problem of that kind. We can turn on the computer several times and change our key words and random seed at home. And one more thing. This mechanism (first version) can be used in the One Laptop Per Child project, but in place of letters we would have images of animals! What do you think about my concept? Please rewrite....
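Added example, not part of the post or its attachment: a small Python model of the two-dialog check described above, with a per-session mesh seed driving the first dialog, a yes/no answer decided by whether a key word sits at the configured cell, and a second-dialog string derived by policy from the displayed words. The configuration keys, the filler vocabulary and the concrete policy (first letters of two cells around "aka") are assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import List

# Constructed configuration, following the post's list of what the keyring
# should hold: seeds, key words, and the positions used by each dialog.
CONFIG = {
    "key_words": ["otter", "lantern", "glacier"],  # words the user recognises
    "key_position": 3,         # cell that decides the yes/no answer in dialog one
    "auth_positions": (0, 5),  # cells whose first letters feed dialog two
    "policy_infix": "aka",     # fixed part of the policy, as in the post's example
}
# Assumed filler vocabulary; disjoint from the key words on purpose.
FILLER = ["apple", "bridge", "candle", "delta", "ember", "forest", "gamma", "harbor"]


def build_dialog(mesh_seed: bytes, show_key: bool) -> List[str]:
    """Derive the eight words of the first dialog from the per-session mesh seed."""
    digest = hashlib.sha256(mesh_seed).digest()
    cells = [FILLER[b % len(FILLER)] for b in digest[:8]]
    if show_key:  # this session places a key word at the configured cell
        cells[CONFIG["key_position"]] = CONFIG["key_words"][digest[8] % len(CONFIG["key_words"])]
    return cells


def expected_auth_string(cells: List[str]) -> str:
    """Policy from the post: letters taken from the first dialog around a fixed infix."""
    first, second = (cells[i][0] for i in CONFIG["auth_positions"])
    return first + CONFIG["policy_infix"] + second


def authenticate(cells: List[str], show_key: bool, answered_yes: bool,
                 typed: str, delay: float = 1.0) -> bool:
    """Both dialogs must pass. Failure is reported only after both steps ran and
    after a delay, so the caller learns nothing about which step went wrong."""
    first_ok = answered_yes == show_key
    second_ok = hmac.compare_digest(typed.encode(), expected_auth_string(cells).encode())
    if not (first_ok and second_ok):
        time.sleep(delay)  # the post's "make some delay and return to the first dialog"
        return False
    return True


if __name__ == "__main__":
    seed = b"constructed-session-seed"
    shown = build_dialog(seed, show_key=True)
    print(shown, authenticate(shown, True, True, expected_auth_string(shown), delay=0))
```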
Attachment:
DO FSF.tar.gz
Description: application/compressed-tar