From: Alexander Leidinger
To: Benjamin Lutz
Cc: freebsd-security@freebsd.org
Date: Tue, 17 Feb 2009 11:20:21 +0100
Subject: Re: OPIE considered insecure

Quoting Benjamin Lutz (from Thu, 12 Feb 2009 11:13:58 +0100):

> Hi Alexander,

Sorry for the delay, an illness is making its rounds here and I got hit too...

> On Thursday 12 February 2009 10:41:19 Alexander Leidinger wrote:
>> - Implement something which is similar to freeauth.org, just better
>> implemented and without the "not so good" stuff / design decisions.
>>
>> Short: they need something you know (PIN) + something you have (e.g.
>> token, or mobile phone with Java with some fixed key). You then enter
>> your arbitrarily long PIN into the phone, and it will give you a time
>> limited key to login (so the time needs to be in sync to some extent).
>> On the machine you login you need the cleartext version of your PIN,
>> the fixed key, and ideally it saves the PW you just used to login
>> to prevent a relogin with the same PW. If you've seen the remote login
>> tokens from RSA or similar, then you should get the idea what this is
>> about.
>
> I've stumbled across freeauth.org while researching the subject. The reason
> I didn't consider it is because so far I've been just printing out my otps,
> and that's no longer possible with freeauth.org. And there are situations
> where I can't run a Java program on my phone, for example when I'm using
> the phone as a bluetooth modem.

Nothing prevents you from writing a program in C, perl, or whatever. This
way you can generate the PW on the system where you use the bluetooth
modem (in case it is trusted).

> I'm not saying that time-based pws wouldn't be nice to have, it just goes in
> a different direction than OPIE, so it's not what I'm looking for at the
> moment. Also, the thought of having to write programs in J2ME again
> horrifies me :)
>
>> I wrote down a while ago the algorithm somewhere (based upon my own
>> thoughts how to do it, this was before I've seen freeauth, so it's
>> independent), and also thought about the bells and whistles (some
>> security pitfalls you need to think about). If you are interested in
>> implementing this (ideally with a BSD license for inclusion into the
>> base system)
>
> While I most probably won't implement freeauth.org, I'd still like to see
> your notes; the security pitfalls you considered are likely there for other
> algorithms too.

The notes are in the direction of notifying the user if the PIN can
hit non-volatile storage, or that the storage area of the PIN needs to
be 0ed in-place after use to prevent it from appearing in (provoked) crash
dumps or just plain reading from memory. There are also notes about
the valid character set (there should be no NUL byte or newline, but
apart from that there should not be many restrictions (depends upon
the device you use to enter the PIN)), that the device which prints
out the PW should also have an indication for the lifetime of the PW,
that the server should save the valid PWs of the current valid
timeframe to prevent multiple logins with the same PW (also serves as
an indicator that someone spied out the PW in case you enter the PW
correctly and the timeframe is OK too).

The algorithm itself is not 100% finished yet. The generic part is
done, but I haven't finished the details (important here is the format
of the date which is passed to the hash function, which hash function
to use, how long the PW can be (truncation of the hash and the
corresponding security implications... also in the light of user
convenience)). If someone really wants to put some amount of time/work
into this, I can put it up on the FreeBSD wiki and hand out
contributor access to it, but just to satisfy the curiosity of people,
I'm not interested in investing the necessary time to polish it and put
it up on the wiki.

Bye,
Alexander.

-- 
A sect or party is an elegant incognito devised to save a man from
the vexation of thinking.
		-- Ralph Waldo Emerson, Journals, 1831

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
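
The scheme outlined in this message, as an added sketch that is not part of the original post and not the author's algorithm: a time-limited password derived from PIN + fixed key, a lifetime indication, in-place wiping of the PIN, and a server that remembers passwords used in still-valid time frames. HMAC-SHA256, the 30-second frame, the 8-digit truncation, the frame-counter date format and all names are assumptions, since the post leaves exactly those details open.

```python
import hashlib, hmac, struct

STEP = 30     # assumption: password lifetime (time frame) in seconds
DIGITS = 8    # assumption: length of the truncated, displayed password

def one_time_pw(fixed_key, pin, now):
    """Return (password, seconds left) for the time frame containing `now`."""
    if not pin or b"\x00" in pin or b"\n" in pin:
        raise ValueError("PIN must be non-empty, without NUL or newline")
    mac = hmac.new(fixed_key, digestmod=hashlib.sha256)
    mac.update(struct.pack(">I", len(pin)))   # length prefix keeps the input unambiguous
    mac.update(pin)                           # bytearray is fed directly, no copy made here
    mac.update(struct.pack(">Q", int(now) // STEP))  # assumed date format: frame counter
    code = int.from_bytes(mac.digest()[:8], "big") % 10 ** DIGITS
    return f"{code:0{DIGITS}d}", STEP - int(now) % STEP

def client_generate(fixed_key, pin, now):
    """Device side: derive the password, then zero the PIN buffer in place."""
    try:
        return one_time_pw(fixed_key, pin, now)
    finally:
        pin[:] = bytes(len(pin))   # best effort in Python; C would use explicit_bzero()

class Verifier:
    """Server side: holds fixed key and cleartext PIN, as the post describes."""
    def __init__(self, fixed_key, pin):
        self.key, self.pin = fixed_key, pin
        self.used = set()          # (frame, password) pairs already accepted

    def login(self, pw, now, skew=1):
        cur = int(now) // STEP
        # Forget passwords whose time frame can no longer be accepted.
        self.used = {u for u in self.used if u[0] >= cur - skew}
        for frame in range(cur - skew, cur + skew + 1):
            expected, _ = one_time_pw(self.key, self.pin, frame * STEP)
            if hmac.compare_digest(expected.encode(), pw.encode()):
                if (frame, pw) in self.used:
                    return "replay"    # right PW, valid frame, seen before: possibly spied out
                self.used.add((frame, pw))
                return "ok"
        return "denied"

if __name__ == "__main__":
    key = b"constructed-fixed-key"                 # constructed sample values
    server = Verifier(key, bytearray(b"a long arbitrary PIN"))
    pin = bytearray(b"a long arbitrary PIN")
    pw, left = client_generate(key, pin, 1_000_000)
    print(pw, f"valid for {left}s", server.login(pw, 1_000_005),
          server.login(pw, 1_000_010))
```
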