Date: Thu, 12 Feb 2009 10:41:19 +0100
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Benjamin Lutz <mail@maxlor.com>
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE considered insecure
Message-ID: <20090212104119.45583e6fcp63gcmc@webmail.leidinger.net>
In-Reply-To: <200902111821.53437.mail@maxlor.com>
References: <200902090957.27318.mail@maxlor.com> <200902111821.53437.mail@maxlor.com>
Quoting Benjamin Lutz <mail@maxlor.com> (from Wed, 11 Feb 2009 18:21:53 +0100):

> Hello,
>
> I've been thinking about what to do about OPIE, and I see the following
> possibilities. (Note: this is mainly just a braindump to collect my
> thoughts; many details that seem obvious to me are omitted. I'm making it
> public because others might be interested in it too.)

[...]

> - Implement another algorithm: OTPW

[...]

- Implement something which is similar to freeauth.org, just better implemented and without the "not so good" stuff / design decisions.

Short: they need something you know (PIN) + something you have (e.g. a token, or a mobile phone with Java with some fixed key). You then enter your arbitrarily long PIN into the phone, and it will give you a time-limited key to log in (so the time needs to be in sync to some extent). On the machine you log in to you need the cleartext version of your PIN, the fixed key, and ideally it saves the PW you just used to log in to prevent a relogin with the same PW. If you've seen the remote login tokens from RSA or similar, then you should get the idea what this is about.

I wrote down the algorithm somewhere a while ago (based upon my own thoughts on how to do it; this was before I'd seen freeauth, so it's independent), and also thought about the bells and whistles (some security pitfalls you need to think about). If you are interested in implementing this (ideally with a BSD license for inclusion into the base system)

-- 
Oh, yeah, life goes on, long after the thrill of livin' is gone.
-- John Cougar, "Jack and Diane"

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
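The scheme sketched in the reply above (a fixed key on the token, the user's PIN, a time-limited code, and a server that remembers the last code used so it cannot be replayed), as an added example that is not code from this thread, from freeauth.org or from FreeBSD. The HMAC-SHA256 construction, the 30-second time slot, the one-slot clock tolerance and the sample key/PIN values are my assumptions, chosen to make the replay and clock-skew handling concrete.

```python
import hashlib
import hmac
import struct

WINDOW = 30  # seconds one code stays valid (assumed value)


def code_for_slot(key: bytes, pin: str, slot: int) -> str:
    """Derive a 6-digit code from the fixed key, the PIN and a time slot.

    Both the token and the login host compute this; the PIN is part of the
    MAC input, so a stolen token alone does not yield valid codes.
    """
    msg = pin.encode("utf-8") + struct.pack(">Q", slot)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def code_for(key: bytes, pin: str, now: int, window: int = WINDOW) -> str:
    """Token side: the code valid at Unix time `now`."""
    return code_for_slot(key, pin, now // window)


class Verifier:
    """Login-host side: holds the fixed key and cleartext PIN for one user."""

    def __init__(self, key: bytes, pin: str, window: int = WINDOW, skew: int = 1):
        self.key, self.pin, self.window, self.skew = key, pin, window, skew
        self.last_slot = -1  # highest slot already used for a login

    def verify(self, code: str, now: int) -> bool:
        slot = now // self.window
        # Accept the current slot plus `skew` slots either side (clock drift),
        # but never a slot at or below the last one used: that blocks a
        # relogin with the same code within its validity window.
        for candidate in range(slot - self.skew, slot + self.skew + 1):
            if candidate <= self.last_slot:
                continue
            expected = code_for_slot(self.key, self.pin, candidate)
            if hmac.compare_digest(expected, code):
                self.last_slot = candidate
                return True
        return False


if __name__ == "__main__":
    key, pin, now = b"constructed-fixed-key", "31415", 1_000_000  # constructed
    v = Verifier(key, pin)
    print(v.verify(code_for(key, pin, now), now))       # first use: True
    print(v.verify(code_for(key, pin, now), now + 5))   # replayed: False
```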
