CHALLENGE_RESPONSE by Peter Smode (psmode@jeslacs.bc.ca)

This package implements a Simple-Simon challenge/response password mechanism for interactive logins. While it is missing a few bells and whistles, it does seem to do the job despite the fact that it was cobbled together rather quickly.

This package was written to help combat the ongoing network monitoring attacks as reported by CERT (see CERT advisory dated 3-Feb-1994). System and security managers of sites running TCP/IP (especially Internet sites) are advised to examine this report. This package does not make your system invulnerable to network monitoring attacks; however, it can make the hacker's job much more difficult.

Challenge/response passwords help in situations where username/password combinations must be sent over network links in plain text. This mechanism depends upon a long key phrase. This phrase may be unique to the user, his group, the system, etc., depending upon the policy implemented. Key phrases are usually long, and thirty-character phrases are not uncommon.

When a user logs in, the system will identify the key phrase appropriate to the user (according to site policy), and will randomly select a number of offsets into the text of the key phrase. The number of offsets selected will be small relative to the length of the key phrase. The user is then shown the offsets, and must respond with the characters from the key phrase at those offsets. The idea is that the exposure of the system is limited by virtue of the fact that so few of the characters from the key phrase are demanded at any one time.

To further confound network monitors, the user is given a number (say three) of input lines on which to enter the correct response; the user may enter the correct response on any one of those input lines. For the network monitor, this complicates their task, since they don't even know which line contained the correct response.

[ Further details can be found in the readme file. ]

--
**************************************************************************
* Peter Smode                         E-mail: psmode@jeslacs.bc.ca       *
* JES Library Automation              Voice: (604)939-6775               *
* Coquitlam, BC, CANADA               Fax: (604)939-5427                 *
**************************************************************************
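The mechanism described above, sketched in Python as an added example; it is not code from the CHALLENGE_RESPONSE package. The function names, 1-based distinct offsets, the sample key phrase and the disclosed_fraction() rotation metric are assumptions made for illustration.

```python
import hmac
import secrets

def make_challenge(phrase_len, count=3):
    """Pick `count` distinct 1-based offsets into the key phrase at random."""
    if not 0 < count < phrase_len:
        raise ValueError("count must be small relative to the phrase length")
    rng = secrets.SystemRandom()  # OS-backed randomness, not a seeded PRNG
    return rng.sample(range(1, phrase_len + 1), count)

def expected_response(phrase, offsets):
    """Characters of the key phrase at the challenged offsets, in challenge order."""
    return "".join(phrase[i - 1] for i in offsets)

def verify(phrase, offsets, lines, max_lines=3):
    """Accept if any one of the first `max_lines` input lines is correct.
    Every line is checked (no early exit), so the server's behaviour does
    not reveal which line carried the real response."""
    want = expected_response(phrase, offsets).encode()
    ok = False
    for line in lines[:max_lines]:
        ok |= hmac.compare_digest(line.encode(), want)
    return ok

def disclosed_fraction(phrase_len, observed_challenges):
    """Upper bound on the share of key-phrase positions that have crossed
    the wire so far; a site could rotate the phrase past a chosen threshold."""
    seen = set()
    for offsets in observed_challenges:
        seen.update(offsets)
    return len(seen) / phrase_len

if __name__ == "__main__":
    PHRASE = "the quick brown fox jumps over it"  # constructed sample key phrase
    offsets = make_challenge(len(PHRASE))
    print("Enter the characters at offsets:", offsets)
    answer = expected_response(PHRASE, offsets)
    # The user hides the real answer among decoy lines.
    print("accepted:", verify(PHRASE, offsets, ["xq9", answer, "zzz"]))
    print("disclosed so far:", disclosed_fraction(len(PHRASE), [offsets]))
```

Because each login discloses a few more positions of the same phrase, the disclosed fraction only grows between rotations, which is why the mechanism limits exposure rather than eliminating it.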