From: Alexander Leidinger
To: Mark Fullmer
Cc: freebsd-security@freebsd.org, Tomasz bla Fortuna
Subject: Re: One-time password implementation.
Date: Tue, 08 Dec 2009 09:54:10 +0100
Message-ID: <20091208095410.68368l6s44h5u9f4@webmail.leidinger.net>
In-Reply-To: <73FE9669-75FD-4E2B-A238-68EAC6AA941B@eng.oar.net>
References: <20091207201924.5d6ef1bf@thera.be> <73FE9669-75FD-4E2B-A238-68EAC6AA941B@eng.oar.net>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

Quoting Mark Fullmer (from Mon, 7 Dec 2009 19:11:23 -0500):

> I recently released a BSD licensed smart card based OTP system we've
> used over the past few years. It uses the OATH HOTP algorithm and
> includes an OTP library, PAM module, smart card firmware, pin pad
> reader firmware, associated management utilities and man page
> documentation. The smart card and reader(s) hardware can be
> purchased in single quantities and it all works natively with
> FreeBSD. The HOTP algorithm has gained some momentum with a few
> vendors now selling hardware tokens which should work with this
> software.
>
> http://www.splintered.net/sw/otp
>
> It might be easier to add GRC PPP to this than to start from scratch.
After reading your presentation it seems that your algorithm does not limit the time the user is able to use a specific generated password. Are you interested in an algorithm which does this (it requires a more or less synchronised clock on the client and destination sides; some seconds of difference do not matter, but some minutes of difference do)? Yes, this would require a smart card which is able to produce the current time, and I do not know if there is such a card and how much it costs, but there are scenarios where you do not need the additional security of a tamper-resistant smart card and a mobile with a Java app would be enough (and this would then allow having a more or less unlimited amount of different destinations with different passwords on one device).

Bye,
Alexander.

--
What makes us so bitter against people who outwit us is that they think themselves cleverer than we are.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137