I can't find anywhere in the main book that lists the cost of Passkeys. Am I stupid or is it missing? How cost effective are these little pieces of hardware?
Would Lone Star be able to equip all vehicles, drones, terminals, patrol commlinks, and detectives' work commlinks to carry one? How hard is it for a corporation to keep track of what all their employees are doing with their passkey?
Basically, is it fair to say that all the A-Rated corps and up would have passkey only access to their nodes?
Full Version: Passkeys and Hackers
You're looking for Maglock Passkeys on pages 236-327. They're useful as a quick, first attempt to bypass a maglock. If it fails, you need someone with Hardware + Logic Test with a Sequencer adding to the attempt (I believe) to continue to try and "hack" through. Not sure if there's wireless alternatives, but it would be silly if there were.
That's assuming you're talking about hardware. My understanding of the Matrix rules are best defined as: ???
That's assuming you're talking about hardware. My understanding of the Matrix rules are best defined as: ???
| QUOTE (Doctor Funkenstein) |
| You're looking for Maglock Passkeys on pages 236-327. They're useful as a quick, first attempt to bypass a maglock. If it fails, you need someone with Hardware + Logic Test with a Sequencer adding to the attempt (I believe) to continue to try and "hack" through. Not sure if there's wireless alternatives, but it would be silly if there were. That's assuming you're talking about hardware. My understanding of the Matrix rules are best defined as: ??? |
no, i think he's talking about passkeys that you hook up to your commlink which are necessary to access certain nodes.
unfortunately, there's a statement about them existing, with no real followup on how they work _mechanically_
that is, if you take the book literally, they can make any node unreachable until you've gotten a passkey from someone who has one. there are no rules for forging them, no rules for bypassing them, or any rules which in any way deal with how the passkey works in terms of rules.
understandably, most people seem to just ignore that particular paragraph or two, as far as i can tell, because it doesn't really say anything much useful...
Ah, then I stand corrected. Sorry about that. 
I assume you are talking about the passkeys that are mentioned on pages 215-216
| QUOTE |
Passkeys are one of the most secure ways of controlling access to a node. Passkeys are unique encrypted modules that plug into a commlink or terminal. |
There's one sentence on how to copy then on page 221 just under 'Hacking and Accounts' but all the other mentions of passkey refer to maglock passkeys.
[edit]
As for how much they cost, somewhere between a regular RFID tag (1Y) and a security tag (100Y) I'd guess.
The only advantage of a passkey is, that you do not have to remember your passcode. There is no other.
Actually there aren't many people who can remember a 1024Gp passcode so it may be able to enhance the security, but it might be taken into account by the firewall rating, for example a rating 6 firewall might require biometric data or long codes (hence passkey) to log-in. This might help to explain why everybody isn't using a rating 6 firewall.
If you want these to be used as extra securities (for example, the user still has to enter his login/password/biometric data but also has to insert a passkey), what you can do is add modifiers (+2 to the threshold of the exploit test, for example).
But you might want to limit this to high security nodes if you don't want to end up with unhackable nodes everywhere.
If you want these to be used as extra securities (for example, the user still has to enter his login/password/biometric data but also has to insert a passkey), what you can do is add modifiers (+2 to the threshold of the exploit test, for example).
But you might want to limit this to high security nodes if you don't want to end up with unhackable nodes everywhere.
Passkeys wouldn't make them unhackable. Hackers would just need to be multi-function with them. You'd need to deal with corrupt cops, intimidate wageslaves, rummage through garbage bins, or other such innovative ways of getting one.
Also, no where does it state that you couldn't hack normally. I'd think you could still hack but you'd never be able to get legitimate access to anything without a passkey. They seem like great ways of justifying corps having LOWER node ratings instead of everything always being 6's across the board.
Basically, I just stumbled over the rules mention and I'm trying to justify reasons why someone WOULDN'T use these in their security set-up. They seem nothing but good right now and I don't want to use them if there is a compelling reason not to.
Also, no where does it state that you couldn't hack normally. I'd think you could still hack but you'd never be able to get legitimate access to anything without a passkey. They seem like great ways of justifying corps having LOWER node ratings instead of everything always being 6's across the board.
Basically, I just stumbled over the rules mention and I'm trying to justify reasons why someone WOULDN'T use these in their security set-up. They seem nothing but good right now and I don't want to use them if there is a compelling reason not to.
| QUOTE (Serbitar) |
| The only advantage of a passkey is, that you do not have to remember your passcode. There is no other. |
You mean except for the part where you need the physical passkey (or a copy thereof) in order to use it?
This is only a drawback for the regular user, not the hacker. He can just fake the electronic signature of the physical passkey, just like any electronic passkey itself.
There is no difference whatsoever wheter I enter a very complicated pattern, or a passkey sends this pattern. Thus, the hacker does not care.
There is no difference whatsoever wheter I enter a very complicated pattern, or a passkey sends this pattern. Thus, the hacker does not care.
Always wondered why I needed a dongle.
Passkey cost should be almost negligible ... I would rule that it costs less than 5 nuyen... and at this price, they should be programmable and non-copiable (burned into the ROM).
However, the ones that the corps uses are UNIQUE ... that means that they can't be found anywhere except issued to the corpo itself...
Obtaining a Security / Admin account passkey could be a really nice little side run for a shadowrunning group... and then, you have to make sure that the employee that got his passkey stolen doesn't report it to a superior.
You have to be imaginative. A "sick" employee is supposed to call his boss to report that he is sick at home. If the employee is dead / uncouncious or anything else, it might rise the employer doubt if he doesn't call. Especially if the employee doesn't miss work very often.
However, the ones that the corps uses are UNIQUE ... that means that they can't be found anywhere except issued to the corpo itself...
Obtaining a Security / Admin account passkey could be a really nice little side run for a shadowrunning group... and then, you have to make sure that the employee that got his passkey stolen doesn't report it to a superior.
You have to be imaginative. A "sick" employee is supposed to call his boss to report that he is sick at home. If the employee is dead / uncouncious or anything else, it might rise the employer doubt if he doesn't call. Especially if the employee doesn't miss work very often.
As Serbitar said, it's not because there's a need for a passkey that the hacker can't hack anything.
The only exception would be some hardwiring/hardcode (you can't hack something that's turned off).
If you really want to have the runners look for a passkey or something like that you can give negative modifiers for not having the passkey, or positive modifiers for having it... If the node's too hard to hack without it, they'll have to try to find it.
But saying that you can't hack something without the passkey is just like saying you can't enter a room without a key.
The only exception would be some hardwiring/hardcode (you can't hack something that's turned off).
If you really want to have the runners look for a passkey or something like that you can give negative modifiers for not having the passkey, or positive modifiers for having it... If the node's too hard to hack without it, they'll have to try to find it.
But saying that you can't hack something without the passkey is just like saying you can't enter a room without a key.
| QUOTE (Blade) |
| ...for example a rating 6 firewall might require biometric data or long codes (hence passkey) to log-in. This might help to explain why everybody isn't using a rating 6 firewall. |
...which is why KK has one for her commlink, even 6 - 8 alphanumerics can be challenging to her.
@Doctor Funkenstein. Sequencers are used in lieu of Hardware skill + Logic for defeating maglocks and then only if it is a keypad (Core Rules p. 255)
| QUOTE (Serbitar) |
| This is only a drawback for the regular user, not the hacker. He can just fake the electronic signature of the physical passkey, just like any electronic passkey itself. There is no difference whatsoever wheter I enter a very complicated pattern, or a passkey sends this pattern. Thus, the hacker does not care. |
If the limits of modern computing applied to the devices of the 2070s, I would agree with you completely. However, a glance at the rulebook reveals that the passkey is "one of the most secure ways of controlling access to a node." This suggests that passkeys are more than merely password holders, especially given the time and resources required to copy them, which you can read about if you turn to page 221 of your hymnal. They probably use some sort of system that is either just a concept now, or one that has not yet been discovered by modern science.
| QUOTE (Cheops) |
| I can't find anywhere in the main book that lists the cost of Passkeys. Am I stupid or is it missing? How cost effective are these little pieces of hardware? Would Lone Star be able to equip all vehicles, drones, terminals, patrol commlinks, and detectives' work commlinks to carry one? How hard is it for a corporation to keep track of what all their employees are doing with their passkey? Basically, is it fair to say that all the A-Rated corps and up would have passkey only access to their nodes? |
A Maglock costs Rating * 100
P. 326
"Maglock: Maglocks are electronic locks with a variety
of access control options, from keypads to passcards to biometrics.
For more information, see Maglocks, p. 255."
With the following options
Keypad or Card-reader +50¥
Anti-Tamper Circuits (Rating 1 - 4) +(Rating x 100¥)
Biometric Reader (per reader) +4 +200¥
For equiping all LS Vehicles it would depend on rating. The actual key itself is probably a neglible cost.
For Reference
"Maglock Passkey:
The passkey can be inserted
into a cardreader’s
maglock, fooling it into
believing that a legitimate
passkey has been inserted.
See Maglocks, p. 255."
And
p. 255
"Cardreaders verify the authenticity of swipe cards or
RFID proximity cards. Th ey can be defeated using the same
method as for keypads—by removing the case and tampering
with the works. Maglock passkeys (p. 326) may also be
used to defeat cardreaders, and don’t require breaking the case
open. If a valid keycard is acquired, it can be copied with a
keycard copier (p. 326) in order to create a forged keycard.
Make an Opposed Test between the passkey/forged keycard
rating and the maglock rating. If the passkey/forged keycard
wins, the maglock opens."
| QUOTE (Aaron @ Aug 21 2007, 06:51 PM) | ||
If the limits of modern computing applied to the devices of the 2070s, I would agree with you completely. However, a glance at the rulebook reveals that the passkey is "one of the most secure ways of controlling access to a node." This suggests that passkeys are more than merely password holders, especially given the time and resources required to copy them, which you can read about if you turn to page 221 of your hymnal. They probably use some sort of system that is either just a concept now, or one that has not yet been discovered by modern science. |
Well, even the BBB must bow to logic. If the code from the passkey is transmitted via matrix, it cant be different from just any other passcode you punch in manually, it might just be more complex. But you can save a complex passkey on your commlink and transmit it every time. This is covered by standard rules and there is no difference.
When hacking into a node you dont mimic one certain account anyways, so it doesnt matter whether some or all accounts are accessed via passkeys.
I personally think that the concept of passkeys was not thought through at all and should have been left out of BBB (especially in this "no rules, just contradictory fluff" state).
The way I see it, is that a Passkey is only a physical device (dongle) that authentificate the user to some degree.
additionally, the user might need and authorization code that could be biometric, specific gestures, a text login, a password and such.
Even if you have the right user name and password, you can't enter if you don't have the passkey connected to your Commlink/Datajack.
The passkey content might or might not have to be sended (and possibly intercepted) via the Matrix. It can be used only as an encryption key for the authentification.
Example: I have a passkey connected to my system. I type my password and the passkey encrypts it with is own hardware algorithm before sending it to the node.
In the later exemple, I never sent the content of the passkey, I merely used it to encrypt my password.
When the node receive the login name, it *knows* which passkey was issued to this user (Yes, it's in the corpo database!). The node can then decrypt the received password with the known passkey that was *never* sent via the Matrix!!!
additionally, the user might need and authorization code that could be biometric, specific gestures, a text login, a password and such.
Even if you have the right user name and password, you can't enter if you don't have the passkey connected to your Commlink/Datajack.
The passkey content might or might not have to be sended (and possibly intercepted) via the Matrix. It can be used only as an encryption key for the authentification.
Example: I have a passkey connected to my system. I type my password and the passkey encrypts it with is own hardware algorithm before sending it to the node.
In the later exemple, I never sent the content of the passkey, I merely used it to encrypt my password.
When the node receive the login name, it *knows* which passkey was issued to this user (Yes, it's in the corpo database!). The node can then decrypt the received password with the known passkey that was *never* sent via the Matrix!!!
You send something. This something can be of abitrary complexity and can be faked.
Furthermore: Hackers dont care. Hacking into a system does not involve decrypting/guessing or whatever logins and passwords.
There is no way how a passkey can be "one of the most secure ways of controlling access to a node".
Furthermore: Hackers dont care. Hacking into a system does not involve decrypting/guessing or whatever logins and passwords.
There is no way how a passkey can be "one of the most secure ways of controlling access to a node".
| QUOTE (Serbitar) |
| Well, even the BBB must bow to logic. If the code from the passkey is transmitted via matrix, it cant be different from just any other passcode you punch in manually, it might just be more complex. But you can save a complex passkey on your commlink and transmit it every time. This is covered by standard rules and there is no difference. |
Sure. Or it's a one-time pad. Or it's some form of quantum-state authentication. Or it's something else that can be used in such a manner that an attacker can know the information exchanged between the two parties without learning the algorithm that gets developed between now and then.
If you want to talk logic, then I'd point out that an argument from personal incredulity is a logical fallacy. That which is described in SR4 is not impossible. Even so, I'm willing to wait and see what, if anything, Unwired has to say about the subject.
We know that there is no such thing as a secure algorithm by design desicion.
Of course the sentence you quoted is not impossible by itself, but in the light of the other matrix rules, it definately is. A simple inconsistency. And that is true regardles of the physical or informationtechnological reality in SR 2070.
Furthermore: Perfect identificaiton and encryption does not make a node secure at all. Hackers dont decrypt login/pass combinations to hack in. You know that.
Of course the sentence you quoted is not impossible by itself, but in the light of the other matrix rules, it definately is. A simple inconsistency. And that is true regardles of the physical or informationtechnological reality in SR 2070.
Furthermore: Perfect identificaiton and encryption does not make a node secure at all. Hackers dont decrypt login/pass combinations to hack in. You know that.
| QUOTE (Serbitar @ Aug 21 2007, 04:58 PM) |
| Furthermore: Perfect identificaiton and encryption does not make a node secure at all. |
Nobody said anything about encryption; this is about authentication. Also, nobody said that one can't hack into a node using the rest of the rules as normal. But I imagine that once inside, one might be susceptible to spiders and IC using Analyze to check for passkeys.
As to the possibility of the security of a passkey, let me offer you an example and a challenge:
I'll use a modern method of authentication: a one-time pad. Let's say you're the attacker, and you capture a series of server challenges and responses. I'll give them to you in plaintext:
counting: express
hero: denizen
man: dragon
ermine: flowing
ever: falsetto
The next server challenge is "bear." I'll tell you what. I can be a sporting man. If you (Serbitar) can give me the correct response, or explain how to go about getting that correct response without access to my list of challenges and responses, I will concede the debate.
| QUOTE (Serbitar) |
| Hackers dont decrypt login/pass combinations to hack in. You know that. |
Actually, it's just one of a number of methods to hack into a system. It's what a certain student hacker used in the early 1990's to play around in the University of Wisconsin College of Engineering's system. It was among Karl Koch's methods in his (in)famous infiltration of US military systems.
| QUOTE (Aaron) |
| Actually, it's just one of a number of methods to hack into a system. It's what a certain student hacker used in the early 1990's to play around in the University of Wisconsin College of Engineering's system. It was among Karl Koch's methods in his (in)famous infiltration of US military systems. |
You don't need to decrypt the password, you just need something that generates the same hash. Which is why rainbow tables were created, so you can look at the hash on the wire and produce a workable password a high percentage of the time in many cases.
http://en.wikipedia.org/wiki/Rainbow_table
For the 1-time pad the solution (well, not exactly a solution because it's a brute force attack) is to try a full dictionary. If there's a limit or an alarm mechanism (which triggers an alarm after x tries), you just shift your session id/connecting adress/code/whathever after these x tries.
If you do it with multiple connections at the same time you'll be able to get lucky in a few hours.
(Or you can impersonate the server and challenge a legitimate user with bear)
But anyway, the hacking rules are (hopefully) abstractions. We don't have the OSI design of Matrix 2.0, we don't have the spec of 2070's encryption standards, we just know that there are nodes you can hack with some tools and techniques, there aren't node you can't hack but there are some ways to make the node more secure (which, for now, are just taken into account by the firewall's rating).
If you do it with multiple connections at the same time you'll be able to get lucky in a few hours.
(Or you can impersonate the server and challenge a legitimate user with bear)
But anyway, the hacking rules are (hopefully) abstractions. We don't have the OSI design of Matrix 2.0, we don't have the spec of 2070's encryption standards, we just know that there are nodes you can hack with some tools and techniques, there aren't node you can't hack but there are some ways to make the node more secure (which, for now, are just taken into account by the firewall's rating).
| QUOTE (Blade @ Aug 22 2007, 02:39 AM) |
| For the 1-time pad the solution (well, not exactly a solution because it's a brute force attack) is to try a full dictionary. |
I imagine one is doomed if it's not words in a natural language that the authentication is using, but very large numbers.
| QUOTE (blade) |
| But anyway, the hacking rules are (hopefully) abstractions. We don't have the OSI design of Matrix 2.0, we don't have the spec of 2070's encryption standards, we just know that there are nodes you can hack with some tools and techniques, there aren't node you can't hack but there are some ways to make the node more secure (which, for now, are just taken into account by the firewall's rating). |
Excellent point.
also, given the statement about weak security in the faq, i suspect that the whole rules set have been tweaked to allow on the go hacking rather then basement jobs, something people complained about in the last couple of versions (and even used npc deckers to get around).
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.