
PASSWORD ENCRYPTION

In the document 'is responsible (Pages 193-197)

CHAPTER 11 ACCESS CONTROLS

11.2 PASSWORD ENCRYPTION

One way to violate system security is through unauthorized use of directory passwords. Having acquired someone's password, an intruder could log in or gain access to restricted system resources. The password encryption facility in TOPS-20, however, makes it hard to steal passwords.

With encryption enabled, passwords entered into the system are translated to an indecipherable cyphertext format before they are stored or otherwise used. Nowhere in the system is the original plaintext form of a password kept. As a further security measure, there is no TOPS-20 utility to convert the cyphertext to plaintext.

And whether or not encryption is enabled, no command or utility, not even INFORMATION DIRECTORY or ULIST, displays passwords.

NOTE

Password encryption is irreversible. Therefore, before enabling encryption, be sure you will never need to revert back to an earlier version of the operating system.

To enable password encryption, use the CHECKD program. You can do this during or after system installation. (Refer to the TOPS-20 KL Model B Installation Guide for details.) With CHECKD, password encryption is enabled on a structure-by-structure basis; after the procedure, all passwords for a particular structure are encrypted as previously described. If you enable encryption after installation, run the KRYPTN program after CHECKD to convert existing plaintext passwords on a structure to cyphertext. The KRYPTN program is located on the tools tape, which is part of the TOPS-20 software installation package.

Encryption should be enabled for all structures except those that will be used on a TOPS-20 pre-Version 6 system. (Section 11.2.1 discusses this topic.)

You can add your own encryption algorithm to the system if you choose not to use TOPS-20's algorithm. Refer to Section 11.2.2.

Because the encryption algorithm is irreversible, care is required in the following areas:

o Remembering one's password

o Working in a multiple-system environment

o Adding new algorithms to the system

o Using DUMPER

Mistakes in these areas could invalidate passwords so that they may need to be respecified with BUILD or ^ECREATE.

These interrelated topics are discussed in the following sections.

11.2.1 Moving Structures Among Systems

If you are in a multiple-system environment, you may need to move structures from one system to another. Problems could arise, however, if some systems are running TOPS-20 pre-Version 6 software and others are running TOPS-20 Version 6. For example, when a structure containing encrypted passwords is taken to a TOPS-20 pre-Version 6 system, any access to files on the pack that requires a password to be supplied fails, because, in validating a password, the older monitor simply compares the entered plaintext to the cyphertext stored on disk. The older monitor is unfamiliar with the encryption process.

To avoid this problem, you should postpone encryption for relevant structures until all systems are upgraded.

Any TOPS-20 system can correctly handle unencrypted structures.

You could also encounter problems in moving structures to other systems if you use your own encryption algorithm. This topic is discussed below.

11.2.2 Adding Encryption Algorithms to the System

You can use one or more of your own encryption algorithms exclusively or in addition to TOPS-20's algorithm. For a description of the procedures involved, refer to the monitor module, STG.MAC.

Each time a password is encrypted and stored in a directory, the version number of the algorithm used to encrypt it is also stored.

This allows new encryption algorithms to be added to the system with no impact on currently encrypted passwords, provided the old algorithms have not been removed from the monitor. Only passwords created since the installation of the new (current) algorithm will be encrypted with that algorithm. Older passwords invoke the appropriate algorithms during password-required accesses.

If you also want existing passwords to use the new algorithm, the operator must individually respecify the passwords with BUILD or ^ECREATE. The operator does this after the new algorithm is installed. Note that KRYPTN cannot be used here to convert existing cyphertext to new cyphertext.

In using your own encryption algorithms, be aware that directories on structures and on DUMPER-created tapes include passwords that may be unusable at other sites. Other TOPS-20 monitors could consider the passwords' algorithm version numbers to be invalid. For example, these monitors may acknowledge only the standard TOPS-20 algorithm.

Even if a site accepts the version numbers, its corresponding

"passwords" are considered unencrypted, and should cause no problem on any system.

11.2.3 Using DUMPER

Section 11.2.2 addressed using DUMPER with nonstandard algorithms.

This section continues the discussion of DUMPER.

Care must be taken when restoring directories that were saved with DUMPER's CREATE command. Incompatible versions of tapes, DUMPER, and TOPS-20, when combined, can produce a number of password-related

Tape Version   DUMPER   MONITOR   Result

4              4.1      6         OK (N1)
5              5        5         E2
4              5        5         OK
5              4.1      5         E3
4              4.1      5         OK

Table 11-1: DUMPER Directory Restorations

Legend:

N1 Passwords are correctly encrypted for the first time using the monitor's current encryption algorithm.

E1 The tape version number is incompatible with this DUMPER. DUMPER reports this fact before restoring the tape data. If directories are restored from this tape, encrypted passwords are re-encrypted, causing all uses of these passwords to fail. The passwords will then have to be individually respecified with BUILD or ^ECREATE. However, if a password is unencrypted on the tape, then it will be encrypted for the first time, and will be usable.

Any files on this tape are restored correctly.

E2 Pre-version 6 monitors have no logic to handle encryption-related data that the tape may contain. Therefore, restored encrypted passwords will be unusable and must be respecified with BUILD or ^ECREATE. Note that directory blocks on the tape may contain password descriptor information, such as the encryption version number. This descriptor data is not restored.

Any files on this tape are restored correctly.

E3 The tape version number is incompatible with this DUMPER. DUMPER reports this fact before restoring the tape data. This incompatibility results in the same situation as E2.

If these problems occur often, users and operators could refrain from saving directory information on tapes, or they could use null passwords for directories that are to be saved. Null passwords are considered to be unencrypted and should cause no access problems.
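The behaviour described in Sections 11.2.1 through 11.2.3 can be modelled in a few lines. The following is an added example, not code from the manual or from the TOPS-20 monitor: PBKDF2 stands in for the monitor's one-way algorithm, and the Monitor class, the make_algorithm helper, the salts, and the use of version 0 to tag unencrypted passwords are all assumptions made for illustration.

```python
import hashlib
import hmac

UNENCRYPTED = 0  # hypothetical version tag for plaintext and null passwords


def make_algorithm(salt):
    """Build a one-way function; a constructed stand-in, not TOPS-20's algorithm."""
    return lambda pw: hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000).hex()


class Monitor:
    """Toy model of a monitor holding a set of versioned encryption algorithms."""

    def __init__(self, algorithms, current=None):
        self.algorithms = dict(algorithms)  # version number -> one-way function
        self.current = current              # None models a pre-Version 6 monitor

    def store(self, password):
        """Return the (version, text) pair written to the directory."""
        if self.current is None or password == "":
            return (UNENCRYPTED, password)
        return (self.current, self.algorithms[self.current](password))

    def verify(self, entry, typed):
        """Check a typed password against a stored (version, text) pair."""
        version, stored = entry
        if self.current is None or version == UNENCRYPTED:
            candidate = typed  # older monitor: plain comparison with the disk text
        elif version in self.algorithms:
            candidate = self.algorithms[version](typed)  # dispatch on stored version
        else:
            return False  # algorithm removed, or version not recognised at this site
        return hmac.compare_digest(candidate.encode(), stored.encode())

    def restore_as_plaintext(self, entry):
        """Case E1: the text on tape is taken for plaintext and encrypted again."""
        return self.store(entry[1])


# Constructed monitors: standard site, pre-Version 6 site, site with an added algorithm.
STANDARD = {1: make_algorithm(b"constructed-salt-v1")}
v6 = Monitor(STANDARD, current=1)
pre_v6 = Monitor({}, current=None)
site_b = Monitor({**STANDARD, 2: make_algorithm(b"constructed-salt-v2")}, current=2)
```

Only the version number and the cyphertext are stored, so a monitor that has dropped or never had the matching algorithm has no way to validate the password, which is why it must be respecified.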
