Date:      Thu, 12 Feb 2009 10:41:19 +0100
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        Benjamin Lutz <mail@maxlor.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: OPIE considered insecure
Message-ID:  <20090212104119.45583e6fcp63gcmc@webmail.leidinger.net>
In-Reply-To: <200902111821.53437.mail@maxlor.com>
References:  <200902090957.27318.mail@maxlor.com> <200902111821.53437.mail@maxlor.com>

Quoting Benjamin Lutz <mail@maxlor.com> (from Wed, 11 Feb 2009
18:21:53 +0100):

> Hello,
>
> I've been thinking about what to do about OPIE, and I see the following
> possibilities. (Note: this is mainly just a braindump to collect my
> thoughts; many details that seem obvious to me are omitted. I'm making it
> public because others might be interested in it too.)
[...]
> - Implement another algorithm: OTPW
[...]

- Implement something which is similar to freeauth.org, just better
implemented and without the "not so good" stuff / design decisions.

Short: they need something you know (PIN) + something you have (e.g.
token, or mobile phone with Java with some fixed key). You then enter
your arbitrarily long PIN into the phone, and it will give you a time
limited key to login (so the time needs to be in sync to some extent).
On the machine you log in to you need the cleartext version of your PIN,
the fixed key, and ideally it saves the PW you just used to login
to prevent a relogin with the same PW. If you've seen the remote login
tokens from RSA or similar, then you should get the idea what this is
about.

I wrote down the algorithm somewhere a while ago (based upon my own
thoughts on how to do it; this was before I'd seen freeauth, so it's
independent), and also thought about the bells and whistles (some
security pitfalls you need to think about). If you are interested in
implementing this (ideally with a BSD license for inclusion into the
base system)

-- 
Oh, yeah, life goes on, long after the thrill of livin' is gone.
		-- John Cougar, "Jack and Diane"

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137



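The scheme sketched in the message above (PIN + fixed key on the token, a time-limited login code, and the server remembering what was already used so the same code cannot log in twice) in working form. This is an added example, not Alexander Leidinger's written-down algorithm and not freeauth.org's code; it assumes HMAC-SHA256, a 30-second time step, one window of clock-skew tolerance and 6-digit codes truncated the way HOTP (RFC 4226) does it. The key and PIN are constructed demo values.

```python
"""PIN + fixed-key time-based login code, with replay protection on the server.

Added example, not the mailing-list author's own algorithm. Assumptions:
HMAC-SHA256, a 30-second time step, +/- one step of clock skew tolerance,
6-digit codes with HOTP-style dynamic truncation (RFC 4226).
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30      # assumed time window; token and server must agree
CODE_DIGITS = 6        # assumed code length
SKEW_STEPS = 1         # assumed tolerance for clock drift: +/- one window


def window(now: float) -> int:
    """Map a Unix time to the number of its time window."""
    return int(now // STEP_SECONDS)


def login_code(fixed_key: bytes, pin: str, win: int) -> str:
    """What the token (phone) computes: a code bound to the fixed key, the
    user's PIN and the current time window.  Only someone holding both the
    key and the PIN can produce it."""
    # Derive the per-user key from the fixed key and the PIN.
    k = hmac.new(fixed_key, pin.encode("utf-8"), hashlib.sha256).digest()
    # MAC the window counter, then truncate to digits as HOTP does.
    mac = hmac.new(k, struct.pack(">Q", win), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Verifier:
    """Server side: holds the fixed key and the cleartext PIN, and
    remembers the newest window whose code was already accepted so the
    same code cannot log in twice."""

    def __init__(self, fixed_key: bytes, pin: str):
        self.fixed_key = fixed_key
        self.pin = pin
        self.last_accepted_window = -1

    def verify(self, code: str, now: float) -> bool:
        current = window(now)
        for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
            candidate = current + delta
            # Windows at or before the last accepted one are spent:
            # this is the "no relogin with the same PW" rule.
            if candidate <= self.last_accepted_window:
                continue
            expected = login_code(self.fixed_key, self.pin, candidate)
            if hmac.compare_digest(expected, code):
                self.last_accepted_window = candidate
                return True
        return False


# Constructed demo values (not real secrets).
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PIN = "correct horse battery staple"


def demo() -> dict:
    """Walk through a login, a replayed code, a code for the next window
    and a wrong PIN, at a fixed time so the outcome is reproducible."""
    now = 1_234_567_890.0
    server = Verifier(DEMO_KEY, DEMO_PIN)
    code = login_code(DEMO_KEY, DEMO_PIN, window(now))
    return {
        "first_login": server.verify(code, now),
        # Same code a few seconds later: the window is spent.
        "replay": server.verify(code, now + 5),
        # Token already moved to the next window; within skew, accepted.
        "next_window": server.verify(
            login_code(DEMO_KEY, DEMO_PIN, window(now) + 1), now + 5),
        # Right key, wrong PIN: rejected.
        "wrong_pin": server.verify(
            login_code(DEMO_KEY, "1234", window(now)), now + 60),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the message raises show up directly in the code: the server needs the cleartext PIN and the fixed key (it recomputes the code rather than hashing a stored password), and tracking the last accepted window is what makes a captured code useless after one use, even inside the skew tolerance.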