From: Miguel Lopes Santos Ramos
To: RW, Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Date: Tue, 15 Mar 2011 21:02:56 +0000
Message-ID: <1300222976.7909.19.camel@w500.local>
In-Reply-To: <20110313220552.5b79de13@gumby.homeunix.com>
References: <1299682310.17149.24.camel@w500.local> <1299769253.20266.23.camel@w500.local> <2E5C0CE8-4F70-4A4D-A91D-3274FD394C80@elvandar.org> <1299784361.18199.4.camel@w500.local> <20110310202653.GG9421@shame.svkt.org> <1299798547.20831.59.camel@w500.local> <20110313204054.GA5392@server.vk2pj.dyndns.org> <1300050377.5900.12.camel@w500.local> <20110313220552.5b79de13@gumby.homeunix.com>
List-Id: "Security issues [members-only posting]"

On Sun, 2011-03-13 at 22:05 +0000, RW wrote:
> On Sun, 13 Mar 2011 21:06:17 +0000
> Miguel Lopes Santos Ramos wrote:
> > Ok, admittedly, it took me a while to see in what way that could be a
> > weakness. It's a bit like hoping for a little remaining security after
> > the password list was compromised.
>
> It means they can compute keys that they already have on the printout
> plus obsolete keys. In what sense is that a weakness?

Yes, also in my opinion that is not a weakness. I was trying to see the
thing through the perspective of those who call it a weakness (it was a
reply). Let's call it a non-strongness.

The point that I took a while to see, and which I think is the reason why
they say it's a weakness, is that if an attacker only came to possess a
future password (one with a lower sequence number), then he can trivially
compute all previous passwords. This is a non-strongness in the sense that
if it weren't so, he might never get a chance of using that password.

On Tue, 2011-03-15 at 11:43 +0100, Dag-Erling Smørgrav wrote:
> Miguel Lopes Santos Ramos writes:
> > Ok, admittedly, it took me a while to see in what way that could be a
> > weakness. It's a bit like hoping for a little remaining security after
> > the password list was compromised.
>
> OPIE is not designed to protect against a stolen password list; it is
> designed to protect against replay attacks.

So I understand. That's why my words were such a feeble concession to that
point of view.

The Wikipedia page for OTPW actually states that as a disadvantage of OPIE,
making the point several times that OTPW is resistant to the case of a
stolen password list. They also make the questionable argument of a paper
being more portable than a calculator, which I also understand but don't
agree with, because a calculator can be "transported" over the Internet
easily.

I've been using OPIE for several years now, and I don't think OTPW would
fit my usage patterns.

Sorry for cross-thread posting.

-- 
Miguel Ramos
PGP A006A14C
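The hash-chain property discussed in this thread, shown as an added Python example that is not part of the original message and not OPIE's actual code: it uses a simplified S/KEY-style chain (SHA-256, no OPIE key folding or six-word encoding), a constructed seed, and a toy server that stores only the last accepted password. It shows both sides of the argument: the server rejects a replayed password, yet a single leaked future password (lower sequence number) lets anyone derive the password the server currently expects, which is why such a leak has to be treated as compromise of the whole remaining chain and answered by re-keying it.

```python
import hashlib

# Simplified S/KEY-style one-time password chain (illustrative, not OPIE's
# exact algorithm).  p_i = H^i(seed).  The server is initialised with p_N and
# the user spends p_{N-1}, p_{N-2}, ... so sequence numbers decrease over time:
# a "future" password is one with a LOWER sequence number.

def h(data: bytes) -> bytes:
    """One chain step."""
    return hashlib.sha256(data).digest()


def otp_at(seed: bytes, seq: int) -> bytes:
    """Password with sequence number seq: hash the seed seq times."""
    x = seed
    for _ in range(seq):
        x = h(x)
    return x


class OtpServer:
    """Keeps only the last accepted password and its sequence number.

    The seed itself is never stored server-side; the server can only check
    H(candidate) == stored, which is what gives the replay protection."""

    def __init__(self, seed: bytes, n: int):
        self.seq = n
        self.stored = otp_at(seed, n)

    def challenge(self) -> int:
        """Sequence number the next login must present."""
        return self.seq - 1

    def login(self, seq: int, password: bytes) -> bool:
        # Accept only the immediate predecessor in the chain: seq == stored-1
        # and H(password) == stored.  A re-used password fails the seq check.
        if seq != self.seq - 1:
            return False
        if h(password) != self.stored:
            return False
        self.stored, self.seq = password, seq
        return True


def derive_earlier(future_pw: bytes, future_seq: int, target_seq: int) -> bytes:
    """From p_k (k = future_seq) compute p_j for any j >= k by hashing j-k times.

    Going the other way (j < k) would require inverting H, which is the
    direction the chain is designed to make infeasible."""
    if target_seq < future_seq:
        raise ValueError("cannot derive a lower sequence number from a higher one")
    x = future_pw
    for _ in range(target_seq - future_seq):
        x = h(x)
    return x


def demo() -> dict:
    """Walk through a legitimate login, a replay, and a leaked future password."""
    seed = b"constructed-demo-seed-not-a-real-secret"   # constructed sample value
    server = OtpServer(seed, 100)
    results = {}

    # Legitimate user logs in with p_99, then the same value is replayed.
    results["first_login"] = server.login(99, otp_at(seed, 99))
    results["replay_rejected"] = not server.login(99, otp_at(seed, 99))

    # Suppose p_50 leaked (e.g. one line of the printout).  Without the chain
    # property it would be useless until the user reached sequence 50; with it,
    # the currently expected p_98 follows by hashing p_50 forty-eight times.
    leaked = otp_at(seed, 50)
    derived = derive_earlier(leaked, 50, server.challenge())
    results["derived_matches_current"] = derived == otp_at(seed, 98)
    results["derived_accepted"] = server.login(98, derived)
    results["server_seq_after"] = server.seq
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The defensive reading of the output: the replay check works exactly as OPIE intends, but `derived_accepted` being true is the "non-strongness" from the thread, so a leaked line of an OPIE printout is not a problem for one sequence number only. The response is to re-key the chain (on FreeBSD, opiepasswd(1)) rather than to keep using the remaining passwords.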