[NTLUG:Discuss] Brain puzzler
Chris Cox
cjcox at acm.org
Thu Aug 8 23:46:44 CDT 2002
Brian wrote:
> OK, here's a puzzler for you all:
>
> I have three machines: C, M, and Z.
>
> I desire a TCP connection between C and Z.
>
> However, to establish the connection with Z, an authentication token known only to
> M and Z is necessary. C has access to this token only in encrypted form (which can be
> decrypted by M, but not by Z). C can never have access to the unencrypted token.
>
> Any ideas?
Uh... I guess I don't get it. Sounds like M is the gateway from C to Z...
... which of course is what you probably do to get from the interior
to an outside location today. You may have to set up M as a proxy rather
than a masquerade because of the "token" thing... not sure.
>
> My solution would be to somehow initiate a connection between M and Z and spoof Z
> into thinking that C initiated the connection, maybe by altering the source IP on
> the SYN packet. I don't know, however, how C would be made to respond to an ACK for
> a SYN it didn't initiate.
Possible... but unless this is some kind of overall packaged solution, I
think the KISS principle applies (though a good hacker would probably see
this spoofing as "simple").
Don't ask me the details of how to make this happen, I just believe it to
be more than possible.
>
> --Brian