From owner-freebsd-security Mon Jun 3 22:36:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id WAA17302 for security-outgoing; Mon, 3 Jun 1996 22:36:58 -0700 (PDT)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA17296 for ;
    Mon, 3 Jun 1996 22:36:55 -0700 (PDT)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33])
    by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id HAA00655;
    Tue, 4 Jun 1996 07:36:50 +0200
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12)
    with UUCP id HAA08782; Tue, 4 Jun 1996 07:36:17 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Alpha.4/keltia-uucp-2.8)
    id BAA00415; Tue, 4 Jun 1996 01:12:13 +0200 (MET DST)
From: Ollivier Robert
Message-Id: <199606032312.BAA00415@keltia.freenix.fr>
Subject: Re: MD5 Crack code
To: ewb@zns.net (Will Brown)
Date: Tue, 4 Jun 1996 01:12:12 +0200 (MET DST)
Cc: angio@aros.net, karpen@sea.campus.luth.se, freebsd-security@freebsd.org
In-Reply-To: <199606032245.SAA02583@selway.i.com> from Will Brown at "Jun 3, 96 06:45:36 pm"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#2073
X-Mailer: ELM [version 2.4ME+ PL19 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

It seems that Will Brown said:
> keyboard. It generates a new password every minute. That plus a PIN
> are used to gain access. So you have to HAVE the card and KNOW the PIN
> - two factors. Exactly how it stays in time-sync with servers I don't
> know. Maybe there is more to it... (speak up folks).

Yes I think there are two versions:

1. one with a keyboard on which you type the challenge and time-based
   generator,
2. one with only a time-based generator, you type as password what is
   displayed at the time.

> unfortunately the target customer seems to be high-end security
> freaks (with $$), not ISPs and the ilk (sigh).

I'm wary of the time synchronisation of the SecurID and prefer
cryptographic based calculator (such as SecureNetKey and ActiveCard,
although ActiveCard is getting worse in matter of usability these days).

> in security). Has anyone built a credit-card SKey calculator?

STEL, a secure-telnet program made by the Italian CERT, has a built-in
S/Key calculator which is very handy.

> below withstanding). But, the certificate issue and patent issues and
> legal issues associated with crypto solutions are real problems.

I agree. The X.509 based key system of SSL is hard to set up and you need
to trust the CA...

> Skey (which is a one-time password scheme based on MD4) provides ONLY

There are versions of SSH using the more secure MD5 and OPIE, the
successor of S/Key, can use either.

> BTW. I view it as weaker than a strong encryption approach but it has some
> big plusses - it is *not* crypto, so there are no Big Brother restrictions
> on its use in the Land of the Free (correct me if I'm wrong net.lawyers),
> and it's a LOT simpler, AND it doesn't have to be inconvenient.

It protects your password but not your session. I tend to think you close
the door but open the window. I know cryptographic solutions have
drawbacks (especially here in France) but you cannot go halfway.

> Skey. IMHO that simple step away from cleartext passwords would be a
> big step forward for internet security.

Agreed. "No cleartext passwords thru the Internet" should be a motto for
everyone. That's why I use SSH everywhere :-)

-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #6: Tue Jun 4 00:25:26 MET DST 1996
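
The hash-chain idea behind the S/Key and OPIE one-time passwords discussed in this message, as an added example that is not part of the original mail or of either project's code. It is a simplified sketch using MD5 folded to 64 bits and is not claimed to be interoperable with real S/Key or OPIE; the names fold_md5, otp and Server and the sample secret and seed are constructed for illustration.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """One chain step: MD5 the input, XOR the two 8-byte halves together."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: hash seed+passphrase once, then `count` more times."""
    value = fold_md5((seed + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

class Server:
    """Stores only the last accepted one-time password, never the passphrase."""
    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self):
        # The client must answer with the chain value one step before self.last.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:
            return False  # chain used up, the user must re-initialise
        if not hmac.compare_digest(fold_md5(response), self.last):
            return False
        self.last, self.count = response, self.count - 1
        return True

def demo():
    secret, seed = "constructed pass phrase", "ke1234"  # constructed sample values
    srv = Server(seed, 100, otp(secret, seed, 100))
    n, s = srv.challenge()
    sniffed = otp(secret, s, n)             # what an eavesdropper sees on the wire
    first = srv.verify(sniffed)             # legitimate login
    replay = srv.verify(sniffed)            # the same value sent again
    forward = srv.verify(fold_md5(sniffed)) # hashing forward only yields old values
    n2, _ = srv.challenge()
    second = srv.verify(otp(secret, seed, n2))  # next login needs the passphrase
    return first, replay, forward, second

if __name__ == "__main__":
    print(demo())
```

The check covers the login exchange only: everything typed after authentication still crosses the network unencrypted, which is the "password but not your session" limit the message points out.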