Information System Security: User Authentication Protection at Central Design Activities

Abstract

Officials and administrators who are responsible for DoD information systems should read this report. The report explains the extent to which user passwords are transmitted in plain text during access to software development environments, and the vulnerabilities associated with that practice. A Central Design Activity is defined as a designated organization within a Component that has responsibility for designing, converting, programming, testing, documenting, or subsequently maintaining computer operating or applications software for use at more than one location. We evaluated authentication protection at an Army, a Navy, and an Air Force Central Design Activity. Central Design Activities use software development environments to develop and maintain the software for which they are responsible. A software development environment is an integrated suite of tools to aid the development of software in a particular programming language or for a particular application. Logging on to the vast majority of computing systems, including software development environments, is protected by passwords. The person logging on must supply a user name plus the password associated with that user name. The system evaluates the password to verify the user's identity claim. This process is called authentication. Password authentication mechanisms work only if passwords are kept secret at all stages. During a previous evaluation, we confirmed at one Central Design Activity that user names and passwords were transmitted in plain text to software development environments located at the Defense Information Systems Agency Defense Enterprise Computing Centers. Readily available software would permit an attacker to capture the transmitted user name and password for possible unauthorized access.

Document Details

Document Type
Technical Report
Publication Date
Jul 29, 2002
Accession Number
ADA405067

Entities

People

  • David A. Brinkman
  • Kenneth H. Stavenjord
  • Peter C. Johnson

Organizations

  • Office of the Inspector General, U.S. Department of Defense

Tags

Communities of Interest

  • Cyber
  • Electronic Warfare

DTIC Thesaurus Topics

  • Air Force
  • Commerce
  • Communication Systems
  • Computer Access Control
  • Computer Crime
  • Computer Network Security
  • Computer Programming
  • Computer Programs
  • Computers
  • Cybersecurity
  • Department Of Defense
  • Information Assurance
  • Information Processing
  • Information Systems
  • Navy
  • Personnel Management
  • Software Development

Fields of Study

  • Computer science
  • Engineering

Readers

  • Cybersecurity
  • Systems Analysis and Design