From owner-freebsd-security@FreeBSD.ORG Wed Dec 9 11:01:04 2009
From: Alexander Leidinger
To: Mark Fullmer
Cc: freebsd-security@freebsd.org, Tomasz bla Fortuna
Date: Wed, 09 Dec 2009 12:00:53 +0100
Subject: Re: One-time password implementation.
Message-ID: <20091209120053.17563x5e4o354bcw@webmail.leidinger.net>
References: <20091207201924.5d6ef1bf@thera.be> <73FE9669-75FD-4E2B-A238-68EAC6AA941B@eng.oar.net> <20091208095410.68368l6s44h5u9f4@webmail.leidinger.net>
User-Agent: Internet Messaging Program (IMP) H3 (4.3.5) / FreeBSD-8.0
List-Id: "Security issues [members-only posting]"

Quoting Mark Fullmer (from Tue, 8 Dec 2009 17:01:11 -0500):

> HOTP is defined in rfc4226, it's not my own. There is a variant
> called TOTP which ties the count to a clock.
>
> The Spyrus reader has an RTCC which could be used to drive the
> count. What scenario do you see a time-based token having an advantage
> over a loosely synchronized count?

Situations where the generated passwd is sniffed somehow (e.g. looking
over the shoulder) and then the person is tricked into not logging in
for a while. Currently he would notice the compromise, but it would
still be possible to compromise until the owner of the account wants to
log in himself. With a time-based limit, the attack has to be fast.

Bye,
Alexander.
-- 
"I never got in on my looks, you know." "You were always better looking than you photographed."
	-- Johnny Fontane and Virginia, "Chapter 12", page 160

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137