From owner-freebsd-security@FreeBSD.ORG Tue Mar 15 22:44:31 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B80DB106564A for ; Tue, 15 Mar 2011 22:44:31 +0000 (UTC) (envelope-from simias.n@gmail.com) Received: from mail-wy0-f182.google.com (mail-wy0-f182.google.com [74.125.82.182]) by mx1.freebsd.org (Postfix) with ESMTP id 40EE98FC08 for ; Tue, 15 Mar 2011 22:44:31 +0000 (UTC) Received: by wyf23 with SMTP id 23so1166059wyf.13 for ; Tue, 15 Mar 2011 15:44:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:date:from:to:subject:message-id :mail-followup-to:references:mime-version:content-type :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=TaCuErHdB+Hj/GbezKAtdygeZKint80nPmjA5UTNaLI=; b=u29FjzgM5iN2HPaoxWJcpWvL19QxpK9CbgtDfBnsQANzKOzGY2VfgI/UazjWAmnVUK JZYNS/m3ZB6hpjg49AvDJW2JHhxcNNDsD+vAMHe+yGkph5bTozxn1cWzNdjkQ+GXXLj3 mYBO+sBtbptwJt1ASiFh3UEkVVmm3JY6tY0rE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:subject:message-id:mail-followup-to:references :mime-version:content-type:content-disposition :content-transfer-encoding:in-reply-to:user-agent; b=vMYNRe9yqj3Vbjn3dJQuevUCDLDJG1NV8RslxzCveGco64KU0cHt25dyGDBZ5Sjbtl S64DXtt/3+YhrQuS3kNC4PU7JAc+dNUYmRyfESYD1hag8K9ygZhMEmZg/elWK3tzVchh YG4BJqacqNQ4Cxw+9UHEyaaRpc9+xEn3ol/rc= Received: by 10.216.142.13 with SMTP id h13mr4238285wej.7.1300229070350; Tue, 15 Mar 2011 15:44:30 -0700 (PDT) Received: from localhost (home.svkt.org [82.243.51.8]) by mx.google.com with ESMTPS id a50sm198537wer.18.2011.03.15.15.44.28 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 15 Mar 2011 15:44:29 -0700 (PDT) Date: Tue, 15 Mar 2011 22:44:27 +0000 From: Lionel Flandrin To: freebsd-security@freebsd.org Message-ID: <20110315224427.GN9421@shame.svkt.org> Mail-Followup-To: freebsd-security@freebsd.org References: <1299769253.20266.23.camel@w500.local> <2E5C0CE8-4F70-4A4D-A91D-3274FD394C80@elvandar.org> <1299784361.18199.4.camel@w500.local> <20110310202653.GG9421@shame.svkt.org> <1299798547.20831.59.camel@w500.local> <20110313204054.GA5392@server.vk2pj.dyndns.org> <1300050377.5900.12.camel@w500.local> <20110313220552.5b79de13@gumby.homeunix.com> <1300222976.7909.19.camel@w500.local> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1300222976.7909.19.camel@w500.local> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Mar 2011 22:44:31 -0000 On Tue, Mar 15, 2011 at 09:02:56PM +0000, Miguel Lopes Santos Ramos wrote: > > Dom, 2011-03-13 ąs 22:05 +0000, RW escreveu: > > On Sun, 13 Mar 2011 21:06:17 +0000 > > Miguel Lopes Santos Ramos wrote: > > > Ok, admittedly, it took me a while to see in what way that could be a > > > weekness. It's a bit like hoping for a little remaining security after > > > the password list was compromised. > > > > It means they can compute keys that they already have on the printout > > plus obsolete keys. In what sense is that a weakness? > > Yes, also in my opinion that is not a weakness. > I was trying to see the thing through the perspective of those who call > it a weakness (it was a reply). > Let's call it a non-strongness. > > The point that I took a while to see and which I think it's the reason > why they say it's a weakness, is that if an attacker only came to > possess a future password (one with a lower sequence number), then he > can trivially compute all previous passwords. > > This is a non-strongness in the sense that if it weren't so, he might > never get a chance of using that password. > Ter, 2011-03-15 ąs 11:43 +0100, Dag-Erling Smųrgrav escreveu: > Miguel Lopes Santos Ramos writes: > > > Ok, admittedly, it took me a while to see in what way that could be > a > > > weekness. It's a bit like hoping for a little remaining security > after > > > the password list was compromised. > > > > OPIE is not designed to protect against a stolen password list; it is > > designed to protect against replay attacks. > > So I understand. That's why my words were such a faible concession to > that point of view. > > The wikipedia page for OTPW actually states that as a disadvantage of > OPIE, making several times the point that OTPW is resistent to the case > of a stolen password list. > They also make the questionable argument of a paper being more portable > than a calculator, which I also understand but don't agree, because a > calculator can be "transported" over the Internet easily. > > I've been using OPIE for several years now, and I don't think OTPW would > fit my usage patterns. Agreed, I re-read the OTPW page in greater details, I didn't realize in my first read that it generates its password list "at random" and not using a master password. It does make calculators useless and is not what I was looking for. Sorry for not understanding that earlier. Still, some other features of OTPW could be integrated into OPIE's existing S/KEY algorithm, mainly the password prefix (gives me some time to revoke the master password if my cell phone gets stolen) and the locking preventing replay attacks. By reading more about the S/KEY algorithm I see why by design you can compute "higher" responses from any password and why it's clever, so it's probably a good idea not to mess with that; however 64 bits of entropy by password feels a bit short by today's standards. Of course increasing that might mean dropping the word list approach for a more random stream of characters unless you want to type a 50+ char passphrase to log in. > Sorry for cross-thread posting. -- Lionel Flandrin