OPIE considered insecure
Benjamin Lutz
mail at maxlor.com
Mon Feb 9 01:49:26 PST 2009
Hello,
I run a firewall where I use OPIE one time passwords for external logins,
figuring that this gives me some added protections if I ever need to access
it from untrustworthy hosts. A message about the weakness of MD5 got me
thinking that maybe a better algorithm could be used for OPIE, and I was
delighted to see that some clever hacked has added SHA-1 support to it
(although it's a bit under-documented).
Then I noticed that the one time passwords don't increase in length with
SHA-1. That's weird, since MD5 produces 128bit digests, while SHA-1
produces 160bit digests. So I had a closer look at how the one time
passwords are used with in OPIE.
I was a bit shocked to find out that OPIE truncates all digests to 64 bits,
no matter which algorithm you use. Some quick research into the current
speed of MD5 brute-forcing produced this result:
http://img519.imageshack.us/my.php?image=eightni6.jpg
This ^ was produced on a quad core machine with 4 eVGA 9800GX2 graphics
cards, i.e. a top end gaming machine; it can calculate 3611.81 million md5
hashes per second. Using that machine and that speed as a baseline, it's
possible to produce a rainbow table with all hashes that OPIE is ever going
to use and produce within 16 years. If you can live with a thinned out
rainbow table (say, because you can the observe the user enter 8
passwords), and your budget allows a small cluster of these machines, you
quickly get into the range of months. Add a few iterations of moore's
law... well, you get the point.
So, is there an existing alternative one time password implementation that
works on FreeBSD? Also, as a suggestion to the security team, maybe it's
time to deprecate or remove OPIE?
Cheers
Benjamin
More information about the freebsd-security
mailing list