From owner-freebsd-security Mon Jun 3 11:17:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA07774 for security-outgoing; Mon, 3 Jun 1996 11:17:55 -0700 (PDT)
Received: from mailhub.aros.net (mailhub.aros.net [205.164.111.17]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA07760 for ; Mon, 3 Jun 1996 11:17:50 -0700 (PDT)
Received: from terra.aros.net (terra.aros.net [205.164.111.10]) by mailhub.aros.net (8.7.5/Unknown) with ESMTP id MAA12119; Mon, 3 Jun 1996 12:50:58 -0600 (MDT)
Received: (from angio@localhost) by terra.aros.net (8.7.5/8.6.12) id MAA21767; Mon, 3 Jun 1996 12:17:34 -0600
From: Dave Andersen
Message-Id: <199606031817.MAA21767@terra.aros.net>
Subject: Re: MD5 Crack code
To: karpen@sea.campus.luth.se (Mikael Karpberg)
Date: Mon, 3 Jun 1996 12:17:34 -0600 (MDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199606031435.QAA06701@sea.campus.luth.se> from "Mikael Karpberg" at Jun 3, 96 04:35:08 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Lo and behold, Mikael Karpberg once said:
> > SecurID (for example) may be "better" because it is "two factor"
> > but it seems like they are using that to justify a system that is far
> > more complex than is required (backend relational databases, etc. etc.)
>
> Never heard of. Short description of what it is?

SecurID is a challenge/response one-time authentication system. You log
on, the system tells you the challenge, you enter the challenge into your
SecurID calculator along with your calculator password, the calc. hands you
back a response, you type the response in, you're authenticated. Good stuff
for high-security applications.

> > Anybody know of work going on in this direction? In particular,
> > cross-platform SKey aware clients?
>
> Why not simply something like SSL which is being developed and used a lot
> just because the WWW is growing with enormous speed? If you have a secure
> link, there is no need for a lot of hassle. You can send anything over the
> socket and it'll be safe.

Umm.. No? There's still a difference between a one-time password system
and a constant password, and for security reasons, the one-time system is
preferable if you can abide by the inconvenience of having to use it. Even
if life is encrypted, there's always the off chance that someone could:

a) steal the original password (social engineering, actual theft, hacking
   the password file)
b) Use some form of playback attack against the system, because the
   password doesn't change.

Yes, the encryption does, but it's one more level of security. For best
results, add water, and let rest for twenty minutes. Use both encryption
and a one-time password scheme.

-Dave Andersen

-- 
angio@aros.net          Complete virtual hosting and business-oriented
                        system administration Internet services. (WWW, FTP, email)
http://www.aros.net/    http://www.aros.net/about/virtual
"There are only two industries that refer to their customers as 'users'."
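The challenge/response exchange and the replay point made in the message above, as an added example that is not part of the original thread and is not SecurID's own algorithm: a constructed Python simulation in which the token's answer is an HMAC over a shared seed, the user's PIN and the server's challenge, and the server consumes each challenge after one use. Beside it sits a static-password check for contrast. The class names (Token, Server, StaticPasswordServer), the seed, PIN and password values, and the challenge format are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of a challenge/response one-time login.
# The seed, PIN and password below are made-up values, not real credentials.


def compute_response(seed: bytes, pin: str, challenge: str) -> str:
    """Response = HMAC(seed, PIN || challenge); both token and server compute it."""
    msg = (pin + ":" + challenge).encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:8]


class Token:
    """The hand-held calculator: knows the seed, needs the user's PIN each time."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed

    def respond(self, challenge: str, pin: str) -> str:
        return compute_response(self._seed, pin, challenge)


class Server:
    """Server side: issues challenges and accepts each one at most once."""

    def __init__(self, seed: bytes, pin: str) -> None:
        self._seed = seed
        self._pin = pin
        self._pending: dict[str, str] = {}   # user -> outstanding challenge
        self._counter = 0
        self.log: list[str] = []

    def issue_challenge(self, user: str) -> str:
        # Counter guarantees every challenge differs from all earlier ones;
        # the random part keeps it unpredictable.
        self._counter += 1
        chal = f"{self._counter:04d}-{secrets.token_hex(4)}"
        self._pending[user] = chal
        return chal

    def verify(self, user: str, response: str) -> bool:
        # pop(): the challenge is consumed whether or not the answer is right,
        # so a captured response cannot be played back later.
        chal = self._pending.pop(user, None)
        if chal is None:
            self.log.append(f"{user}: response with no outstanding challenge")
            return False
        expected = compute_response(self._seed, self._pin, chal)
        ok = hmac.compare_digest(expected, response)
        self.log.append(f"{user}: challenge {chal} -> {'ok' if ok else 'rejected'}")
        return ok


class StaticPasswordServer:
    """Ordinary reusable password: the same secret is valid every time."""

    def __init__(self, passwords: dict[str, str]) -> None:
        self._passwords = passwords

    def verify(self, user: str, password: str) -> bool:
        stored = self._passwords.get(user, "")
        return hmac.compare_digest(stored, password)


def run_scenario() -> dict[str, bool]:
    seed = b"constructed-token-seed"
    pin = "1234"
    server = Server(seed, pin)
    token = Token(seed)

    # Legitimate login: fresh challenge, correct PIN.
    chal = server.issue_challenge("alice")
    resp = token.respond(chal, pin)
    otp_first = server.verify("alice", resp)

    # Someone who captured `resp` on the wire tries it against the next login.
    server.issue_challenge("alice")
    otp_replay = server.verify("alice", resp)

    # Token in hand but wrong PIN: the second factor is still missing.
    chal3 = server.issue_challenge("alice")
    otp_wrong_pin = server.verify("alice", token.respond(chal3, "0000"))

    # Contrast: a captured static password keeps working, encrypted link or not.
    static = StaticPasswordServer({"alice": "constructed-password"})
    captured = "constructed-password"
    static_first = static.verify("alice", captured)
    static_replay = static.verify("alice", captured)

    return {
        "otp_first_login": otp_first,
        "otp_replay": otp_replay,
        "otp_wrong_pin": otp_wrong_pin,
        "static_first": static_first,
        "static_replay": static_replay,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The encrypted link in the SSL argument protects the bytes in transit, but it does nothing about a password copied from the password file or observed at either endpoint; the scenario's last two results show that such a password is accepted again, while the one-time response is rejected the moment the server has moved on to a new challenge.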