Date: Tue, 08 Dec 2009 09:54:10 +0100
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Mark Fullmer <maf@eng.oar.net>
Cc: freebsd-security@freebsd.org, Tomasz bla Fortuna <bla@thera.be>
Subject: Re: One-time password implementation.
Message-ID: <20091208095410.68368l6s44h5u9f4@webmail.leidinger.net>
In-Reply-To: <73FE9669-75FD-4E2B-A238-68EAC6AA941B@eng.oar.net>
References: <20091207201924.5d6ef1bf@thera.be> <73FE9669-75FD-4E2B-A238-68EAC6AA941B@eng.oar.net>

Quoting Mark Fullmer <maf@eng.oar.net> (from Mon, 7 Dec 2009 19:11:23 -0500):

> I recently released a BSD licensed smart card based OTP system we've
> used over the past few years. It uses the OATH HOTP algorithm and
> includes an OTP library, PAM module, smart card firmware, pin pad
> reader firmware, associated management utilities and man page
> documentation. The smart card and reader(s) hardware can be
> purchased in single quantities and it all works natively with
> FreeBSD. The HOTP algorithm has gained some momentum with a few
> vendors now selling hardware tokens which should work with this
> software.
>
> http://www.splintered.net/sw/otp
>
> It might be easier to add GRC PPP to this than to start from scratch.

After reading your presentation it seems that your algorithm does not
limit the time the user is able to use a specific generated password.
Are you interested in an algorithm which does this (requires a more or
less synchronised clock on client and destination sides, some seconds
difference does not matter, but some minutes difference does)?

Yes, this would require a smart card which is able to produce the
current time, and I do not know if there is such a card and how much
it costs, but there are scenarios where you do not need the additional
security of a tamper-resistant smart card and a mobile with a Java app
would be enough (and this would then allow to have a more or less
unlimited amount of different destinations with different passwords on
one device).

Bye,
Alexander.

-- 
What makes us so bitter against people who outwit us
is that they think themselves cleverer than we are.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
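
A time-limited password of the kind proposed in this message, as an added example that is not code from the thread or from the OTP package it mentions. It assumes the HOTP computation of RFC 4226 with the counter derived from the clock (the construction later standardised as TOTP in RFC 6238); the 30-second step, the one-step tolerance window and all function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a generated password stays valid (assumed value)
KEY = b"12345678901234567890"  # constructed sample: the RFC 4226 test secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_otp(key: bytes, now: float, digits: int = 6) -> str:
    """Client side: the counter is the current time step, so the
    password stops being generated once the step has passed."""
    return hotp(key, int(now) // STEP, digits)


def verify(key: bytes, candidate: str, now: float,
           last_step: int = -1, window: int = 1, digits: int = 6):
    """Server side: accept a password from the server's current time
    step or `window` steps either side, which absorbs a clock difference
    of some seconds but not of minutes. `last_step` is the highest step
    already accepted for this user; steps at or below it are refused so
    a captured password cannot be replayed inside its validity window.
    Returns the matched step (to store as the new last_step) or None."""
    current = int(now) // STEP
    for step in range(current - window, current + window + 1):
        if step <= last_step:
            continue
        expected = hotp(key, step, digits)
        # Constant-time comparison of the candidate against each step.
        if hmac.compare_digest(expected.encode(), candidate.encode("utf-8")):
            return step
    return None


if __name__ == "__main__":
    otp = time_otp(KEY, 59)          # generated on the client at t = 59 s
    print(otp, verify(KEY, otp, 79))   # server clock 20 s ahead: accepted
    print(otp, verify(KEY, otp, 240))  # server clock 3 min ahead: rejected
```

The server has to persist the returned step per user; without that, any password remains usable for the whole tolerance window.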