Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)

From: -=ArkanoiD=- (arkat_private)
Date: Mon Jan 31 2000 - 15:17:42 PST


    nuqneH,
    
    I've seen several s/key (opie, whatever you call it) implementations
    and all of them used some combination of hostname and pseudo-random number
    as automatically generated seed. What systems have the problem you described?
    
    I see no problem in eliminating shared accounts.
    
    BTW I've seen only one OTP thingie that was ~100% shoulder-surfing protected
    without using hardware tokens that may be lost, stolen, or something..
    But - it was only useful if your communication channel is protected and no one
    can capture your screen image. It was based on selecting numbers from the
    big numbers sheet (full screen) using positions known by user.
    It was based on the assumption that no one can memorize the whole screen of
    numbers, though. (OS/360, russian version called OC EC, interactive subsystem
    "Jessy").
    
    I was thinking about improvement that could make such a thing usable even
    if data can be sniffed, but haven't found a good solution yet.
    
    
    Somebody (maybe you, Greg A. Woods) WROTE:
    >  In fact I've seen several sites where due to configuration (and
    >  implementation?) errors this algorithmic relationship resulted in the
    >  exact same sequence of challenge/response pairs being used on all hosts
    >  for any given account (because the same secret password was used on all
    >  hosts).  Simple network sniffing or shoulder-surfing would have enabled
    >  a watchful cracker to win in very short order by simply watching the
    >  N'th login on one host and then simply finding another host where the
    >  N'th login is next replaying the phrase.
    >
    >  Auditing to ensure that all successful logins are accounted for is of
    >  course critical with any "one-time password" scheme.  Unfortunately
    >  people will still use shared accounts (eg. root!) making such auditing
    >  very difficult and almost never done.
    >
    >  I personally will never use s/key again.
    
    
    --
                                         _     _  _  _  _      _  _
     {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
     (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
     [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
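Added example (my own, not code from Arkanoid's post, nor from any S/Key or OPIE source): a toy RFC 2289 otp-md5 generator plus the server-side check, used to show the cross-host replay Greg Woods describes. The response for sequence number N depends only on (seed, passphrase, N), so two hosts that get the same seed and the same passphrase share the whole sequence and a sniffed N'th response from one logs the attacker into the other; a per-host seed (which is what the hostname+random seed generators Arkanoid mentions provide) breaks that. Host names, seeds and the passphrase below are constructed for the demo; the first check in the test is the RFC 2289 MD5 test vector.

```python
# Added example: toy RFC 2289 (otp-md5 / S/Key style) generator and verifier.
# Not code from the original post, nor from any S/Key or OPIE implementation.
# Shows why two hosts sharing the same seed AND passphrase hand an eavesdropper
# a replayable N'th response, and why a per-host seed closes that hole.
import hashlib


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 MD5 step: hash, then XOR the first 8 digest bytes with the last 8."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count`.

    Initial step: fold(MD5(seed || passphrase)) with the seed lower-cased, as
    the RFC requires; password number `count` is that value folded `count`
    more times.  Only (seed, passphrase, count) go in, so two hosts that
    share seed and passphrase share the entire sequence.
    """
    key = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        key = fold_md5(key)
    return key


def to_hex(value: bytes) -> str:
    """Hex form printed by key/opiekey: four groups of four digits."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpHost:
    """Server side of one host: keeps only the seed, the sequence number and
    the last accepted password, never the passphrase."""

    def __init__(self, name: str, seed: str, passphrase: str, count: int = 100):
        self.name = name
        self.seed = seed
        self.count = count
        self.last = otp(passphrase, seed, count)   # what keyinit would store

    def challenge(self):
        """Login prompt: 'otp-md5 <n-1> <seed>'."""
        return self.count - 1, self.seed

    def login(self, response: bytes) -> bool:
        """Accept iff hashing the response once reproduces the stored value."""
        if fold_md5(response) != self.last:
            return False
        self.last = response
        self.count -= 1
        return True


def replay_across_hosts(shared_seed: bool) -> bool:
    """Sniff a valid login on host alpha, replay it to host beta, which is
    sitting at the same sequence number.  Returns True if beta accepts it.
    Host names, seeds and passphrase are constructed for this demo."""
    passphrase = "correct horse battery staple"
    seed_a = "alpha3f7c"
    seed_b = seed_a if shared_seed else "beta91e0"   # per-host seed when False
    host_a = OtpHost("alpha", seed_a, passphrase)
    host_b = OtpHost("beta", seed_b, passphrase)

    n, seed = host_a.challenge()
    captured = otp(passphrase, seed, n)         # the legitimate user's reply
    if not host_a.login(captured):
        raise RuntimeError("legitimate login must succeed")
    return host_b.login(captured)               # attacker replays it on beta


if __name__ == "__main__":
    print("RFC 2289 vector, count 0:", to_hex(otp("This is a test.", "TeSt", 0)))
    print("shared seed, replay accepted: ", replay_across_hosts(True))
    print("per-host seed, replay accepted:", replay_across_hosts(False))
```

Note the replay only works while both hosts sit at the same sequence number, which is exactly the "find another host where the N'th login is next" condition in the quoted text; the audit Greg mentions is what would reveal the extra accepted login, and a shared root account is what makes that audit hard.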
    