Back again with more questions about how the rules are intended to work.
On page 253 of the Core Rulebook, in the examples of different kinds of authentication, it says: "Mesh ID: Some systems accept mesh IDs as authentication. This is extremely common with most public systems, which merely log the mesh ID of any user that wishes access. Other systems will only allow access to specific mesh IDs, but these are vulnerable to spoofing (p. 255)."
This sort of seems to imply that the other listed means of authentication (passcode, passkey, biometric scan, ego scan, and quantum key) are not vulnerable to spoofing.
However, on page 255, under Circumventing Authentication, it says "Lacking a passcode, the hacker can try to subvert the authentication system in one of two other ways: spoofing or forgery."
That strongly implies that you can spoof your way into a system even if it requires a passcode and you don't have it. And it sort of implies that you can spoof your way into a system that requires other kinds of authentication as well.
So what is the intent? It's clear that if a system only requires a mesh ID for authentication, I can easily spoof it (just assume that the signal is not encrypted, or that I have the encryption key). What if it requires a passcode? Do I have to acquire that separately, or can that be simulated with a successful spoof? What about a physical passkey? What about a biometric or ego scan?
(Side question: if a system is important enough to require authentication beyond a simple mesh ID, what are the chances of the authentication *not* being encrypted?)
Finally, the Core Rulebook also says, "Rather than hacking in, an intruder can try to subvert the authentication system." I'm assuming this is meant to imply that straight-up hacking bypasses all authentication requirements -- I can always attempt to hack into any system, regardless of whether it requires passcodes or passkeys or ego scans or whatever. Is this correct?
Thanks as always.
making sense of spoofing
Sun, 2013-11-10 22:30
#1
making sense of spoofing
Tue, 2013-11-12 17:25
#2
Pretty much everything is encrypted. Without the encryption key or direct access to a device, you're dead in the water.
You can hack anything, yes. It bypasses the normal authentication system.
Spoofing implies that you either spoof the passcode/fingerprint scan/whatever getting sent from the keypad/scanner/whatever to wherever it is authenticated, or the "this user is ok" from the authentication system, by reading the signal and then transmitting a spoofed signal later. You will need to have broken the encryption for this to work, or in some cases physically gain access to the proper bits of the hardware, or have software installed on one of the devices that has access to the data before or after encryption.
In general, it comes down to getting past the encryption. Spoofing authentication is nothing more than sniffing your logon password - if the bad guys have keylogger software on your computer, you're hosed. And that's what it typically comes down to. Get access to a user's device that allows you to sniff passcodes and steal the encryption keys, and you're golden.
Note that some systems are impossible to spoof from sniffing alone even if you have compromised their encryption, like for example two-part verification systems (current day versions are cards with one-shot auth codes, or a token key generator, or a code is sent to their cell phone).
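The last point of the reply above, as an added example that is not part of the original post: a verifier that accepts a static passcode will accept a sniffed copy again, while a verifier using one-shot codes (here HOTP from RFC 4226) rejects the same captured value on replay. The class names, the sample passcode and the look-ahead window are constructed for illustration; the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class StaticPasscodeVerifier:
    """Hypothetical verifier: same secret every login, so a captured value stays valid."""
    def __init__(self, passcode: str):
        self._passcode = passcode

    def verify(self, presented: str) -> bool:
        return hmac.compare_digest(presented, self._passcode)

class OneShotVerifier:
    """Hypothetical verifier: each HOTP code is accepted once, then the counter moves on."""
    def __init__(self, secret: bytes, window: int = 3):
        self._secret = secret
        self._counter = 0      # next counter value the server will accept
        self._window = window  # look-ahead for codes the user generated but never sent

    def verify(self, presented: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(presented, hotp(self._secret, c)):
                self._counter = c + 1  # everything up to c is now dead
                return True
        return False

def replay_demo() -> dict:
    secret = b"12345678901234567890"      # RFC 4226 test key
    static = StaticPasscodeVerifier("correct horse")  # constructed sample passcode
    oneshot = OneShotVerifier(secret)
    sniffed_passcode = "correct horse"    # value captured during a legitimate login
    sniffed_code = hotp(secret, 0)        # one-shot code captured the same way
    return {
        "static_first": static.verify(sniffed_passcode),
        "static_replay": static.verify(sniffed_passcode),  # still accepted
        "otp_first": oneshot.verify(sniffed_code),
        "otp_replay": oneshot.verify(sniffed_code),        # rejected: counter advanced
    }
```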