Mudge writes:

> Just as an FYI - MONkey, the S/Key cracker and a white paper talking about
> the problems with having the skeykeys file readable was released by the
> L0pht in May of 1996.
>
> The tool allows one to not only use the skeykeys file as entry to the
> crypt and compare but also the network response due to too much server
> side information being present.
>
> The tool and paper are still available
> at: http://www.l0pht.com/advisories/skey_paper_and_tool

It doesn't surprise me that S/Key cracking software has existed for a while, and I certainly did not mean to imply that S/Key is immune to dictionary attacks on user secrets. My point was that the skeykeys/opiekeys file does not contain any information that has not already been exposed on the network, so making those files unreadable is not truly hiding the information they contain; at best it is only keeping attackers away from a convenient central repository of previously exposed information.

There are also other ways to attack S/Key secrets. Users of S/Key may keep their secrets in a laptop or palmtop in easily readable form. If the user keeps the secret in his head, then it's possible to "shoulder-surf" the secret as it's typed in. Some users of S/Key may also print out and carry lists of precomputed challenge responses if they don't have a portable response calculator. Users who are particularly weak on S/Key concepts may actually use one remote system to compute S/Key responses for another and expose their secret in the process, or keep their S/Key secret on the same system that they use S/Key authentication on.
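The claim above, that the keys file holds only what has already crossed the network, shown as an added example that is not part of the original message or of any S/Key/OPIE code. It assumes an MD5 hash chain folded to 64 bits in the style of RFC 2289 (classic S/Key used MD4); the secret, seed, sequence number and the Server class are constructed for illustration.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """MD5 digest folded to 64 bits by XORing its two halves (assumed variant)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(secret: str, seed: str, count: int) -> bytes:
    """One-time password number `count` in the chain for (seed, secret)."""
    value = fold_md5(seed.lower().encode() + secret.encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

class Server:
    """Hypothetical server holding one keys-file record: (sequence, seed, last OTP)."""
    def __init__(self, seq: int, seed: str, last_otp: bytes):
        self.record = (seq, seed, last_otp)

    def challenge(self):
        seq, seed, _ = self.record
        return seq - 1, seed                      # sent to the client in the clear

    def verify(self, response: bytes) -> bool:
        seq, seed, stored = self.record
        if fold_md5(response) != stored:          # one more hash must give the stored value
            return False
        self.record = (seq - 1, seed, response)   # the response itself is what gets stored
        return True

def demo():
    # Constructed sample values, not taken from any real system.
    secret, seed = "constructed example secret", "ke1234"
    server = Server(100, seed, otp(secret, seed, 100))
    seq, seed_sent = server.challenge()
    response = otp(secret, seed_sent, seq)
    wire = {seq, seed_sent, response}             # everything a passive observer saw
    accepted = server.verify(response)
    replay_accepted = server.verify(response)     # the same OTP a second time
    record_exposed = set(server.record) <= wire   # every stored field was on the wire
    return accepted, replay_accepted, record_exposed, server.record

if __name__ == "__main__":
    print(demo())
```

After the login, every field of the stored record (sequence, seed, last OTP) equals a value from the challenge or response, so file permissions restrict access to a convenient copy rather than to new information.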