From: Daniel Roethlisberger
To: freebsd-security@freebsd.org
Date: Mon, 9 Feb 2009 18:05:50 +0100
Subject: Re: OPIE considered insecure
Message-ID: <20090209170550.GA60223@hobbes.ustdmz.roe.ch>
In-Reply-To: <200902090957.27318.mail@maxlor.com>
References: <200902090957.27318.mail@maxlor.com>

Benjamin Lutz 2009-02-09:
[...]
> Then I noticed that the one time passwords don't increase in
> length with SHA-1. That's weird, since MD5 produces 128bit
> digests, while SHA-1 produces 160bit digests. So I had a closer
> look at how the one time passwords are used within OPIE.
>
> I was a bit shocked to find out that OPIE truncates all digests
> to 64 bits, no matter which algorithm you use. Some quick
> research into the current speed of MD5 brute-forcing produced
> this result:
>
> http://img519.imageshack.us/my.php?image=eightni6.jpg
>
> This ^ was produced on a quad core machine with 4 eVGA 9800GX2
> graphics cards, i.e. a top end gaming machine; it can calculate
> 3611.81 million md5 hashes per second. Using that machine and
> that speed as a baseline, it's possible to produce a rainbow
> table with all hashes that OPIE is ever going to use and
> produce within 16 years. If you can live with a thinned out
> rainbow table (say, because you can observe the user enter
> 8 passwords), and your budget allows a small cluster of these
> machines, you quickly get into the range of months. Add a few
> iterations of Moore's law... well, you get the point.
>
> So, is there an existing alternative one time password
> implementation that works on FreeBSD? Also, as a suggestion to
> the security team, maybe it's time to deprecate or remove OPIE?

While I agree that OPIE can be improved, I think that the current
OPIE implementation is still much better than having to use
passwords from untrusted machines. I also prefer current OPIE to
copying SSH private keys to untrusted machines. So until there is
a more secure alternative, I really don't think removing OPIE
would have a positive effect on security.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
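
The 64-bit output size discussed in this thread is fixed by the fold step of the one-time password scheme in RFC 2289, which OPIE implements. The following is an added example, not code from the thread or from OPIE's source: a Python rendering of the RFC 2289 Appendix A fold for MD5 and SHA-1, showing that both digests are reduced to the same 64-bit value and how the server checks a submitted password. Function names are illustrative; the sample inputs are the test pass phrase and seed published in the RFC.

```python
import hashlib
import hmac
import struct

def fold_md5(digest: bytes) -> bytes:
    # RFC 2289 Appendix A: XOR the two 64-bit halves of the 128-bit digest.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def fold_sha1(digest: bytes) -> bytes:
    # RFC 2289 Appendix A: XOR the five 32-bit words down to two, then
    # emit them little-endian (the RFC does this to mirror MD4/MD5 output).
    w = struct.unpack(">5I", digest)
    return struct.pack("<2I", w[0] ^ w[2] ^ w[4], w[1] ^ w[3])

ALGS = {"md5": (hashlib.md5, fold_md5), "sha1": (hashlib.sha1, fold_sha1)}

def step(alg: str, state: bytes) -> bytes:
    # One hash-and-fold application. Whatever the digest size, 8 bytes come out.
    hash_fn, fold = ALGS[alg]
    return fold(hash_fn(state).digest())

def otp(alg: str, passphrase: str, seed: str, count: int) -> bytes:
    # Initial step over lowercased seed + pass phrase, then `count` more steps.
    state = step(alg, (seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        state = step(alg, state)
    return state

def server_verify(alg: str, stored: bytes, submitted: bytes) -> bool:
    # The server keeps OTP number n; a valid login submits OTP number n-1,
    # which must hash-and-fold to the stored value.
    return hmac.compare_digest(step(alg, submitted), stored)

if __name__ == "__main__":
    # Inputs are the test pass phrase and seed published in RFC 2289 Appendix C.
    for alg, (hash_fn, _) in ALGS.items():
        value = otp(alg, "This is a test.", "TeSt", 0)
        print(f"{alg}: {hash_fn().digest_size * 8}-bit digest -> "
              f"{len(value) * 8}-bit OTP {value.hex().upper()}")
```

Because every intermediate value in the chain is also folded to 8 bytes, switching the hash from MD5 to SHA-1 changes the cost per step but not the size of the space the one-time passwords live in.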