Date: Thu, 12 Feb 2009 11:13:58 +0100
From: Benjamin Lutz <mail@maxlor.com>
To: Alexander Leidinger <Alexander@leidinger.net>
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE considered insecure
Message-ID: <200902121113.58828.mail@maxlor.com>
In-Reply-To: <20090212104119.45583e6fcp63gcmc@webmail.leidinger.net>
References: <200902090957.27318.mail@maxlor.com> <200902111821.53437.mail@maxlor.com> <20090212104119.45583e6fcp63gcmc@webmail.leidinger.net>
Hi Alexander,

On Thursday 12 February 2009 10:41:19 Alexander Leidinger wrote:
> - Implement something which is similar to freeauth.org, just better
> implemented and without the "not so good" stuff / design decisions.
>
> Short: they need something you know (PIN) + something you have (e.g.
> token, or mobile phone with java with some fixed key). You then enter
> your arbitrarily long PIN into the phone, and it will give you a time
> limited key to login (so the time needs to be in sync to some extent).
> On the machine you login you need the cleartext version of your PIN,
> the fixed key, and ideally it saves the PW you just used to login
> to prevent a relogin with the same PW. If you've seen the remote login
> tokens from RSA or similar, then you should get the idea what this is
> about.

I've stumbled across freeauth.org while researching the subject. The reason I didn't consider it is because so far I've been just printing out my otps, and that's no longer possible with freeauth.org. And there are situations where I can't run a Java program on my phone, for example when I'm using the phone as a bluetooth modem.

I'm not saying that time-based pws wouldn't be nice to have, it just goes in a different direction than OPIE, so it's not what I'm looking for at the moment. Also, the thought of having to write programs in J2ME again horrifies me :)

> I wrote down a while ago the algorithm somewhere (based upon my own
> thoughts how to do it, this was before I've seen freeauth, so it's
> independent), and also thought about the bells and whistles (some
> security pitfalls you need to think about). If you are interested in
> implementing this (ideally with a BSD license for inclusion into the
> base system)

While I most probably won't implement freeauth.org, I'd still like to see your notes; the security pitfalls you considered are likely there for other algorithms too.

Cheers
Benjamin