In this final post on fraud protection in DOCSIS networks, let’s examine how security roles in the Incognito solution can be utilized to prevent service theft.
Administrator accounts enable you to set up users that function in different assigned security roles:
Super User: Super user accounts always have access to all aspects of the DHCP service configuration. This access cannot be removed or restricted by any other security settings or Access Control Lists.
Account Administrator: Only super users and account administrators are able to add, modify or delete existing accounts, with one exception: every user can change his or her own password from the File –> Change Password menu item
Service Manager: Only super users and users with this attribute set can access service configuration and operations
In addition to the security roles, the DHCP service also supports specific database access privileges. User can be set to have either “read-only” or “manage” access to specific service features.
Administrator Password Security
The user’s password is never communicated over the network at login time. Instead, the password is used to create a non-reversible MD5 hash over the user’s login name and login time. The service looks up the user’s password from its database and then creates its own MD5 hash over the user’s login name and login time. If the two hash results match, then the client must have known the user’s password, therefore the login succeeds.
If the two hash results do not match, then the client did not know the user’s password and therefore the login fails. The client login time is used to prevent replay attacks involving playback of a sniffed MD5 hash result.
The only time a password is communicated over the network is when adding an account, or changing a password. In this case, the password is encrypted using triple DES encryption. The key for the encryption is the password of the current login user making the change.