Date:      Mon, 3 Jun 1996 12:17:34 -0600 (MDT)
From:      Dave Andersen <angio@aros.net>
To:        karpen@sea.campus.luth.se (Mikael Karpberg)
Cc:        freebsd-security@freebsd.org
Subject:   Re: MD5 Crack code
Message-ID:  <199606031817.MAA21767@terra.aros.net>
In-Reply-To: <199606031435.QAA06701@sea.campus.luth.se> from "Mikael Karpberg" at Jun 3, 96 04:35:08 pm

Lo and behold, Mikael Karpberg once said:

> > SecurID (for example) may be "better" because it is "two factor"
> > but it seems like they are using that to justify a system that is far
> > more complex than is required (backend relational databases, etc. etc.)
> 
> Never heard of. Short description of what it is?

   SecurID is a challenge/response one-time authentication system.  You 
log on, the system tells you the challenge, you enter the challenge into 
your SecurID calculator along with your calculator password, the calc. 
hands you back a response, you type the response in, you're authenticated.
Good stuff for high-security applications.

> > Anybody know of work going on in this direction? In particular,
> > cross-platform SKey aware clients?
> 
> Why not simply something like SSL which is being developed and used a lot
> just because the WWW is growing with enormous speed? If you have a secure
> link, there is no need for a lot of hassle. You can send anything over the
> socket and it'll be safe. Umm.. No?

   There's still a difference between a one-time password system and a 
constant password, and for security reasons, the one-time system is 
preferable if you can abide by the inconvenience of having to use it.  
Even if life is encrypted, there's always the off chance that someone 
could:
   a) steal the original password (social engineering, actual theft,
                                   hacking the password file)
   b) Use some form of playback attack against the system, because the
      password doesn't change.  Yes, the encryption does, but it's one
      more level of security.

    For best results, add water, and let rest for twenty minutes.  Use both 
encryption and a one-time password scheme.

  -Dave Andersen

-- 
angio@aros.net                Complete virtual hosting and business-oriented
system administration         Internet services.  (WWW, FTP, email)
http://www.aros.net/          http://www.aros.net/about/virtual
  "There are only two industries that refer to their customers as 'users'."
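The exchange Dave describes (server issues a challenge, the user's token combines it with a PIN, the server checks the response) and his replay-attack point, as an added illustration that is not part of the original message and is not RSA's SecurID algorithm. It is a constructed, generic challenge/response scheme built on HMAC-SHA256: the seed, PIN, user name and challenge format are all assumptions, and the server side shows why a fresh, single-use challenge is what makes a captured response useless to a "playback" attacker.

```python
import hmac
import hashlib
import secrets

# Constructed example: a generic challenge/response one-time login.
# Not SecurID's real algorithm; it only models the exchange described above.


def derive_key(seed: bytes, pin: str) -> bytes:
    """Key material shared by token and server: token seed mixed with the
    user's PIN, so a stolen seed alone is not enough to compute responses."""
    return hashlib.sha256(seed + pin.encode()).digest()


def token_response(seed: bytes, pin: str, challenge: str) -> str:
    """What the hand-held 'calculator' computes: an HMAC over the challenge,
    truncated to 8 hex digits so a human can type it."""
    mac = hmac.new(derive_key(seed, pin), challenge.encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


class ChallengeServer:
    """Server side: stores only the derived key per user, hands out fresh
    random challenges, and accepts each challenge at most once."""

    def __init__(self) -> None:
        self._keys = {}          # user -> derived key (hypothetical storage)
        self._outstanding = {}   # user -> set of challenges not yet consumed

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self._keys[user] = derive_key(seed, pin)
        self._outstanding[user] = set()

    def issue_challenge(self, user: str) -> str:
        # A new random challenge for every login attempt; never reused.
        challenge = secrets.token_hex(8)
        self._outstanding[user].add(challenge)
        return challenge

    def verify(self, user: str, challenge: str, response: str) -> bool:
        if user not in self._keys:
            return False
        # A challenge the server never issued, or one already consumed, is
        # rejected outright. This is what defeats replay of a captured
        # (challenge, response) pair, even if the link carrying it was watched.
        if challenge not in self._outstanding[user]:
            return False
        self._outstanding[user].discard(challenge)   # single use, pass or fail
        mac = hmac.new(self._keys[user], challenge.encode(), hashlib.sha256)
        expected = mac.hexdigest()[:8]
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    """Walk through a login, a replay of the same response, and a wrong PIN."""
    server = ChallengeServer()
    seed, pin = b"constructed-token-seed", "1234"   # assumed enrolment values
    server.enroll("alice", seed, pin)

    challenge = server.issue_challenge("alice")
    response = token_response(seed, pin, challenge)
    first_login = server.verify("alice", challenge, response)

    # An eavesdropper replays the exact same pair later: rejected.
    replayed = server.verify("alice", challenge, response)

    # A fresh challenge, but the wrong PIN on the token: rejected.
    challenge2 = server.issue_challenge("alice")
    wrong_pin = server.verify("alice", challenge2,
                              token_response(seed, "9999", challenge2))

    return {"first_login": first_login, "replayed": replayed,
            "wrong_pin": wrong_pin}


if __name__ == "__main__":
    print(demo())
```

Because the server discards each challenge the moment it is answered, a recorded response is worthless on its own; that is the extra "level of security" over a static password sent through an encrypted link, which protects the bytes in transit but not against reuse of a password stolen elsewhere.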




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199606031817.MAA21767>