two-person login?

Woodchuck marmot at pennswoods.net
Wed Jan 30 12:50:32 EST 2008


On Tue, 29 Jan 2008, John Denker wrote:

> The foregoing makes sense, and is in extreme contrast to the situation
> I am faced with, where Joe logs in with the help of Jane, and then
> Jane leaves.  Jane has not the slightest control over what Joe does
> while logged in.  I don't see a sane procedure here.  It seems Jane 
> is signing a blank check.

Ah.  Jane need not have a requirement to know what Joe is doing;
in fact, Jane may not even be cleared for Joe's material.  (This
is not uncommon.  Jane may be security officer, Joe may be payroll
manager.  Jane is not authorized to see payroll data or even
use the payroll "joe" account.)

What has transpired is that Joe cannot deny that he was logged on.
He can further deny that other logins that he did not perform were
done by him, assuming Jane is honest.  Jane can attest that the
login by user joe was done by human Joe.

> It wouldn't be so bad if there were a development system separate
> from the production system, but there isn't, so Joe spends all day
> every day logged into the "high security" production system.  Joe
> can commit anything he wishes.  There is no two-party review of the
> commit, just two-party review of the login.

Correct.  Logins by Joe-impersonators, even those who have stolen
Joe's password, say, are impossible without Jane's collusion.

> Just to rub salt in the wound, they've got it set up so that everybody
> uses the "Admin" account.  There are N people who know the first half
> of the Admin password, and M people who know the second half.  Besides
> being an incredibly lame form of secret-splitting, this has the nasty
> property that when Admin logs in, you don't even know who was involved.  
> There are M*N/2 possibilities.  There is no accountability anywhere.

This is sounding something like the FBI's method for getting at
certain sensitive info, that was recently subjected to criticism.
There was only one account to access the data, all operatives had
the password.  Adding "Jane" sounds like an inept fix.

Dave

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
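
Added example, not part of the original post or of any system described in the thread: a Python illustration of a login that requires both the account holder and a named attestor, so the audit entry records who was involved, in contrast to the shared, split "Admin" password. The keys, the names in KEYS and ATTESTORS, and the nonce handling are constructed assumptions.

```python
import hashlib
import hmac

# Constructed per-person keys held by the login server (assumption: every
# person has an individual credential; there is no shared "Admin" secret).
KEYS = {"joe": b"joe-demo-key", "jane": b"jane-demo-key"}
ATTESTORS = {"jane"}      # people allowed to vouch for someone else's login
_seen_nonces = set()      # server challenges already used (replay guard)


def tag(person_key, account, witness, nonce):
    """MAC that binds one person to this specific login attempt."""
    msg = b"|".join([account.encode(), witness.encode(), nonce])
    return hmac.new(person_key, msg, hashlib.sha256).digest()


def authorize_login(account, witness, nonce, user_tag, witness_tag):
    """Return an audit entry naming both people, or None if refused."""
    if witness == account or witness not in ATTESTORS:
        return None       # nobody may vouch for their own login
    if account not in KEYS or witness not in KEYS or nonce in _seen_nonces:
        return None
    want_user = tag(KEYS[account], account, witness, nonce)
    want_wit = tag(KEYS[witness], account, witness, nonce)
    # Both tags are required: a stolen account credential alone is not enough.
    if not (hmac.compare_digest(user_tag, want_user)
            and hmac.compare_digest(witness_tag, want_wit)):
        return None
    _seen_nonces.add(nonce)
    # The attestor vouches for who logged in, not for what is done afterwards.
    return {"account": account, "attested_by": witness, "nonce": nonce.hex()}
```

Because the server holds both HMAC keys, this record is evidence only to the server's operators; showing it to a third party would need per-person digital signatures instead.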


