From owner-freebsd-security@FreeBSD.ORG Wed Jul 9 19:54:28 2008 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1FE0A1065676 for ; Wed, 9 Jul 2008 19:54:28 +0000 (UTC) (envelope-from peterjeremy@optushome.com.au) Received: from fallbackmx08.syd.optusnet.com.au (fallbackmx08.syd.optusnet.com.au [211.29.132.10]) by mx1.freebsd.org (Postfix) with ESMTP id 9BFC18FC2A for ; Wed, 9 Jul 2008 19:54:27 +0000 (UTC) (envelope-from peterjeremy@optushome.com.au) Received: from mail11.syd.optusnet.com.au (mail11.syd.optusnet.com.au [211.29.132.192]) by fallbackmx08.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id m68BUX42022703 for ; Tue, 8 Jul 2008 21:30:33 +1000 Received: from server.vk2pj.dyndns.org (c122-106-215-175.belrs3.nsw.optusnet.com.au [122.106.215.175]) by mail11.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id m68BUUUr022985 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 8 Jul 2008 21:30:31 +1000 Received: from server.vk2pj.dyndns.org (localhost.vk2pj.dyndns.org [127.0.0.1]) by server.vk2pj.dyndns.org (8.14.2/8.14.2) with ESMTP id m68BUU2w070901; Tue, 8 Jul 2008 21:30:30 +1000 (EST) (envelope-from peter@server.vk2pj.dyndns.org) Received: (from peter@localhost) by server.vk2pj.dyndns.org (8.14.2/8.14.2/Submit) id m68BUU15070900; Tue, 8 Jul 2008 21:30:30 +1000 (EST) (envelope-from peter) Date: Tue, 8 Jul 2008 21:30:30 +1000 From: Peter Jeremy To: Ivan Grover Message-ID: <20080708113030.GN62764@server.vk2pj.dyndns.org> References: <670f29e20807080316s6cf57612jf5135bfd340e3328@mail.gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="rWhLK7VZz0iBluhq" Content-Disposition: inline In-Reply-To: <670f29e20807080316s6cf57612jf5135bfd340e3328@mail.gmail.com> X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-security@FreeBSD.org Subject: Re: OPIE Challenge sequence X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2008 19:54:28 -0000 --rWhLK7VZz0iBluhq Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2008-Jul-08 15:46:37 +0530, Ivan Grover wrote: >Iam trying to choose OPIE as my OTP implementation for authenticating the >clients. I have the following queries, could anyone please let me know the= se >-- why does the challenge in OPIE are in predetermined form.. >is it for determining the decryption key for the encrypted passphrase(stor= ed >in opiekeys). The passphrase is not encrypted - it is hashed and cannot be "decrypted". Basically, the passphrase and seed are concatenated and the result is hashed (using MD5) the number of times specified by the iteration count and the seed, count and final hash are stored in /etc/opiekeys. The supplied response is easily verified because when you run it thru MD5, you should get the hash in /etc/opiekeys. You then replace that hash with the one the user supplied. >-- is it possible to generate random challenges using opiechallenge No. The seed has to match the seed that was used to generate the hash with opiepasswd. --=20 Peter Jeremy Please excuse any delays as the result of my ISP's inability to implement an MTA that is either RFC2821-compliant or matches their claimed behaviour. --rWhLK7VZz0iBluhq Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkhzT9YACgkQ/opHv/APuIexBwCfbj3Hwop1K8yVLJIhFNLENSMQ 4asAoIorEgEO0jPeacEcyeyTFVJFV/e5 =gO0Y -----END PGP SIGNATURE----- --rWhLK7VZz0iBluhq--