From: Jason Stone
Date: Tue, 8 Jul 2008 12:27:20 -0700 (PDT)
To: freebsd-security@freebsd.org
Subject: Re: OPIE Challenge sequence

> On the bright side, it should be fairly easy to write an OTP calculator
> that runs on a cell phone

These already exist for J2ME-enabled mobiles (which is most of them?):

http://tanso.net/j2me-otp/
http://otp-j2me.sourceforge.net/

> Systems like OPIE, where the challenge is actually issued to the user
> and not just to the user's software, require the user to have access to
> a response calculator, or to carry a sheet of precalculated responses.

There exist apps (i.e., browsers, FTP clients, mailers, etc) that integrate OPIE and can transparently respond to challenges. The user just puts in his password, and he doesn't worry about plaintext or OPIE or whatever; the app just does the right thing. Fetch, an FTP client for the Mac, is one such app.

One could argue that this encourages users to just punch in their password and not understand if it's going to go over the wire in the clear or be used to answer a challenge, but it's very useful when you have users who are incapable of making such a distinction in the first place and you just need to make sure their password is secure for _your_ service.

-Jason