Date:      Fri, 07 Jun 1996 15:40:17 -0700
From:      Paul Traina <pst@shockwave.com>
To:        Ollivier Robert <roberto@keltia.freenix.fr>
Cc:        ewb@zns.net (Will Brown), freebsd-security@freebsd.org
Subject:   Re: s/key and OTP [was: MD5 Crack code] 
Message-ID:  <199606072240.PAA01013@precipice.shockwave.com>
In-Reply-To: Your message of "Fri, 07 Jun 1996 21:26:41 +0200." <199606071926.VAA18214@keltia.freenix.fr>

It *is* compatible with S/Key in MD4 mode?  If so, then it's reasonable
for us to incorporate their sources once it becomes stable.

Given the recent change date on the file...stability is a question, no?

Paul

  From: Ollivier Robert <roberto@keltia.freenix.fr>
  Subject: Re: s/key and OTP [was: MD5 Crack code]
  It seems that Will Brown said:
  > IF s/key is approaching "defacto standardization" then that process
  > should be allowed to continue and OTP should go away. IMHO it is more
  > important that a standard be established and rolled into the *many*
  
  AFAIK S/Key -- the one from Bellcore -- is dead. 
  
  Some guys in the US Navy have  taken over it and  now release OPIE (look on
  ftp.nrl.navy.mil). It is the same as S/Key although there are more features
  (see below)
  
  It conforms to the OTP defined by the IETF and  is compatible with S/Key in
  MD4 mode.
  
   6 May 1996   169.3 Ko  /sources/security/passwd/opie-2.21.tar.gz
  
  Here is an extract from the README:
  
  OPIE Software Distribution, Release 2.21                  Important Information
  ========================================                  =====================
  
  Introduction
  ============
  
  	"One-time Passwords In Everything" (OPIE) is a freely distributable
  software package originally developed at and for the US Naval Research
  Laboratory (NRL). Recent versions are the result of a cooperative effort
  between of NRL, several of the original NRL authors, The Inner Net, and many
  other contributors from the Internet community.
  
  	OPIE is an implementation of the One-Time Password (OTP) System that
  is being considered for the Internet standards-track. OPIE provides a one-time
  password system. The system should be secure against the passive attacks
  now commonplace on the Internet (see RFC 1704 for more details). The system
  is vulnerable to active dictionary attacks, though these are not widespread
  at present and can be detected through proper use of system audit
  software. 
  
  	OPIE is primarily written for UNIX-like operating systems, but
  we are working to make applicable portions portable to other operating systems.
  The OPIE software is derived in part from and is fully interoperable with the
  Bell Communications Research (Bellcore) S/Key Release 1 software. Because
  Bellcore claims "S/Key" as a trademark for their software, NRL was forced to
  use a different name (we picked "OPIE") for this software distribution.
  
  	OPIE includes the following additions/modifications to the
  original Bellcore S/Key(tm) Version 1 software:
  
  * Just about one-command installation for many common platforms. While we
    still recommend that you follow instructions and test things by hand, the
    more adventurous can install OPIE quickly.
  
  * A modified BSD FTP daemon that does OPIE. The small and simple BSD ftpd(8)
    was deliberately chosen over the wuarchive ftpd(8) because we didn't have 
    the time needed to convince ourselves that the wuarchive ftpd(8) didn't have
    any security holes lurking in its many extra features.
  
  * By default, the "su" binary always gives you an OPIE challenge, even on the
    console. This was a hole for rlogin/telnet sessions in the original S/Key 
    software.
  
  * MD5 support. MD5 is now the default algorithm, though MD4 is still supported
    by changing a parameter in the Makefile. This change was made because MD5 is
    widely believed to be cryptographically stronger than MD4 (see RFC 1321).
  
  * A more portable version of MD4 has been substituted for the original MD4. 
    This should solve many of the endian problems.
  
  * Most of the system-dependencies have been moved to a new file "opie_cfg.h".
  
  * Configuration options have been moved to the Makefile.
  
  * Isolated system dependencies (e.g. BSDisms) with appropriate #ifdefs.
  
  * Revised the opiekey(1) program to simultaneously support MD4 and MD5, with
    the default algorithm being tunable using the MDX symbol in the Makefile.
  
  * More operating systems are supported by recent versions of OPIE, but older
    BSD systems that aren't close to being compliant with the POSIX standard are
    no longer supported.
  
  * Transition mechanisms are optional to prevent potential back doors.
  
  * On systems using the /etc/opieaccess transition mechanism, users can choose
    to require the use of OPIE to login to their accounts when it would 
    otherwise be optional.
  
  * Bug fixes
  
  * Cosmetic changes
  
  * Prompts (optionally) identify specifically what kind of entry (system
    password, secret pass phrase, or OTP response) is allowed.
  
  * Changes to mostly conform with the draft Internet OTP standard.
  
  * Optional autoconf support
  
  
  -- 
  Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
  FreeBSD keltia.freenix.fr 2.2-CURRENT #7: Thu Jun  6 20:43:22 MET DST 1996
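
The README's statement that the system resists passive attacks rests on the OTP hash chain. The following is an added example, not part of the original message and not OPIE's own code: it follows the MD5 variant of the IETF OTP computation as later published in RFC 2289 and shows a server rejecting a replayed response. The pass phrase, seed and the `Server` class are constructed for illustration.

```python
import hashlib
import hmac

def fold64(digest: bytes) -> bytes:
    """Fold a 128-bit MD5 digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def step(value: bytes) -> bytes:
    """One link of the chain: hash, then fold back to 64 bits."""
    return fold64(hashlib.md5(value).digest())

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """OTP number `count`: initial step over seed+passphrase, then `count` more."""
    value = step((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = step(value)
    return value

class Server:
    """Hypothetical verifier: stores the last accepted OTP, never the pass phrase."""
    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self):
        # The client is asked for the OTP one step earlier in the chain.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:  # chain exhausted, user must re-initialise
            return False
        # Hashing a valid response once more must reproduce the stored value.
        if not hmac.compare_digest(step(response), self.last):
            return False
        self.last, self.count = response, self.count - 1
        return True

def demo():
    passphrase, seed = "constructed example pass phrase", "ke1234"  # constructed
    server = Server(seed, 100, otp(passphrase, seed, 100))
    n, s = server.challenge()
    sniffed = otp(passphrase, s, n)       # what a passive eavesdropper captures
    first = server.verify(sniffed)        # legitimate login
    replay = server.verify(sniffed)       # eavesdropper replays the same OTP
    n, s = server.challenge()
    second = server.verify(otp(passphrase, s, n))  # next legitimate login
    return first, replay, second

if __name__ == "__main__":
    print(demo())
```

A captured response only lets an observer compute values the server has already consumed; going the other way requires inverting the hash or guessing the pass phrase.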


