From: Benjamin Lutz
To: freebsd-security@freebsd.org
Date: Mon, 9 Feb 2009 09:57:27 +0100
Subject: OPIE considered insecure
Message-Id: <200902090957.27318.mail@maxlor.com>

Hello,

I run a firewall where I use OPIE one time passwords for external logins, figuring that this gives me some added protections if I ever need to access it from untrustworthy hosts.

A message about the weakness of MD5 got me thinking that maybe a better algorithm could be used for OPIE, and I was delighted to see that some clever hacker has added SHA-1 support to it (although it's a bit under-documented).

Then I noticed that the one time passwords don't increase in length with SHA-1. That's weird, since MD5 produces 128-bit digests, while SHA-1 produces 160-bit digests. So I had a closer look at how the one time passwords are used within OPIE.

I was a bit shocked to find out that OPIE truncates all digests to 64 bits, no matter which algorithm you use.

Some quick research into the current speed of MD5 brute-forcing produced this result: http://img519.imageshack.us/my.php?image=eightni6.jpg

This ^ was produced on a quad core machine with 4 eVGA 9800GX2 graphics cards, i.e. a top end gaming machine; it can calculate 3611.81 million MD5 hashes per second.

Using that machine and that speed as a baseline, it's possible to produce a rainbow table with all hashes that OPIE is ever going to use and produce within 16 years. If you can live with a thinned out rainbow table (say, because you can observe the user enter 8 passwords), and your budget allows a small cluster of these machines, you quickly get into the range of months. Add a few iterations of Moore's law... well, you get the point.

So, is there an existing alternative one time password implementation that works on FreeBSD?

Also, as a suggestion to the security team, maybe it's time to deprecate or remove OPIE?

Cheers
Benjamin
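
Added example, not part of the original message and not OPIE's own code: a sketch of the 64-bit reduction the message describes, written after the folding rules of RFC 2289 (the one-time password specification OPIE implements), showing that MD5 and SHA-1 both yield an 8-byte password and how a server checks the next one. The function names, seed and passphrase are constructed for illustration.

```python
import hashlib
import struct

def fold64(algo: str, digest: bytes) -> bytes:
    """Reduce a full digest to the 64 bits an RFC 2289 one-time password carries."""
    if algo == "md5":
        # 128-bit digest: XOR the two 64-bit halves together.
        return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))
    if algo == "sha1":
        # 160-bit digest: XOR five big-endian 32-bit words down to two,
        # then emit them little-endian (RFC 2289, Appendix A).
        w = struct.unpack(">5I", digest)
        return struct.pack("<2I", w[0] ^ w[2] ^ w[4], w[1] ^ w[3])
    raise ValueError(f"unsupported algorithm: {algo}")

def step(algo: str, data: bytes) -> bytes:
    """One link of the hash chain: hash the input, then fold to 64 bits."""
    return fold64(algo, hashlib.new(algo, data).digest())

def otp(algo: str, seed: str, passphrase: str, count: int) -> bytes:
    """One-time password number `count`: the initial step plus `count` more links."""
    value = step(algo, seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        value = step(algo, value)
    return value

def server_accepts(algo: str, stored: bytes, candidate: bytes) -> bool:
    """The server stores the last accepted password; the next must hash to it."""
    return step(algo, candidate) == stored

# Constructed sample values (assumptions, not taken from the message).
SEED, PASSPHRASE = "fw1234", "correct horse battery"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        full_bits = hashlib.new(algo).digest_size * 8
        current = otp(algo, SEED, PASSPHRASE, 99)
        following = otp(algo, SEED, PASSPHRASE, 98)
        print(f"{algo}: digest {full_bits} bits, password {len(current) * 8} bits,"
              f" next accepted: {server_accepts(algo, current, following)}")
```

Every link in the chain passes through `fold64`, so the value an attacker has to match is 64 bits wide whichever hash is configured.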