Date: Tue, 4 Jun 1996 01:12:12 +0200 (MET DST)
From: Ollivier Robert <roberto@keltia.freenix.fr>
To: ewb@zns.net (Will Brown)
Cc: angio@aros.net, karpen@sea.campus.luth.se, freebsd-security@freebsd.org
Subject: Re: MD5 Crack code
Message-ID: <199606032312.BAA00415@keltia.freenix.fr>
In-Reply-To: <199606032245.SAA02583@selway.i.com> from Will Brown at "Jun 3, 96 06:45:36 pm"

It seems that Will Brown said:
> keyboard. It generates a new password every minute. That plus a PIN
> are used to gain access. So you have to HAVE the card and KNOW the PIN
> - two factors. Exactly how it stays in time-sync with servers I don't
> know. Maybe there is more to it... (speak up folks).

Yes I think there are two versions:

1. one with a keyboard on which you type the challenge and time-based
   generator,
2. one with only a time-based generator, you type as password what is
   displayed at the time.

> unfortunately the target customer seems to be high-end security
> freaks (with $$), not ISPs and the ilk (sigh).

I'm wary of the time synchronisation of the SecurID and prefer cryptographic
based calculator (such as SecureNetKey and ActiveCard, although ActiveCard is
getting worse in matter of usability these days).

> in security). Has anyone built a credit-card SKey calculator?

STEL, a secure-telnet program made by the Italian CERT, has a built-in S/Key
calculator which is very handy.

> below withstanding). But, the certificate issue and patent issues and
> legal issues associated with crypto solutions are real problems.

I agree. The X.509 based key system of SSL is hard to set up and you need to
trust the CA...

> Skey (which is a one-time password scheme based on MD4) provides ONLY

There are versions of SSH using the more secure MD5 and OPIE, the successor
of S/Key, can use either.

> BTW. I view it as weaker than a strong encryption approach but it has some
> big plusses - it is *not* crypto, so there are no Big Brother restrictions
> on its use in the Land of the Free (correct me if I'm wrong net.lawyers),
> and it's a LOT simpler, AND it doesn't have to be inconvenient.

It protects your password but not your session. I tend to think you close
the door but open the window. I know cryptographic solutions have drawbacks
(especially here in France) but you cannot go halfway.

> Skey. IMHO that simple step away from cleartext passwords would be a
> big step forward for internet security.

Agreed. "No cleartext passwords thru the Internet" should be a motto for
everyone. That's why I use SSH everywhere :-)

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #6: Tue Jun 4 00:25:26 MET DST 1996