Date: Wed, 10 Dec 2003 19:40:50 -0700 From: Brett Glass <brett@lariat.org> To: Michael Sierchio <kudzu@tenebras.com> Cc: security@freebsd.org Subject: Re: s/key authentication for Apache on FreeBSD? Message-ID: <6.0.0.22.2.20031210193940.04f82c20@localhost> In-Reply-To: <3FD7C240.4030005@tenebras.com> References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <16343.33321.632599.190251@oscar.buszard-welcher.com> <6.0.0.22.2.20031210173916.04f57be8@localhost> <3FD7C240.4030005@tenebras.com>
next in thread | previous in thread | raw e-mail | index | archive | help
An excellent reason to use SSL together with S/key. --Brett At 06:02 PM 12/10/2003, Michael Sierchio wrote: >The problem with S/key or OPIE authentication is that it >is sadly subject to a MITM attack, and relies on >blind trust in the server. > >The challenge is not a random challenge, it is unfortunately >a sequence number and salt -- if I trick you into typing in >the one-time password with a lower sequence number than the >current one you are proper fucked. I can then generate all of >the subsequent "one-time" passwords. > >If you have a half-authenticated SSL connection, and are >conducting the exchange over it, then it should be fine.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.2.20031210193940.04f82c20>