OPIE considered insecure
Benjamin Lutz
mail at maxlor.com
Thu Feb 12 02:14:03 PST 2009
Hi Alexander,
On Thursday 12 February 2009 10:41:19 Alexander Leidinger wrote:
> - Implement something which is similar to freeauth.org, just better
> implemented and without the "not so good" stuff / design decisions.
>
> Short: they need something you know (PIN) + something you have (e.g.
> token, or mobile phone with java with some fixed key). You then enter
> your arbitrary long PIN into the phone, and it will give you a time
> limited key to login (so the time needs to be in sync to some extent).
> On the machine you login you need the cleartext version of your PIN,
> the fixed key, and ideally it saves the PW you just used to login
> to prevent a relogin with the same PW. If you've seen the remote login
> tokens from RSA or similar, then you should get the idea what this is
> about.
I've stumbled across freeauth.org while researching the subject. The reason
I didn't consider it is because so far I've been just printing out my OTPs,
and that's no longer possible with freeauth.org. And there are situations
where I can't run a Java program on my phone, for example when I'm using
the phone as a Bluetooth modem.
I'm not saying that time-based PWs wouldn't be nice to have, it just goes in
a different direction than OPIE, so it's not what I'm looking for at the
moment. Also, the thought of having to write programs in J2ME again
horrifies me :)
> I wrote down a while ago the algorithm somewhere (based upon my own
> thoughts how to do it, this was before I've seen freeauth, so it's
> independent), and also thought about the bells and whistles (some
> security pitfalls you need to think about). If you are interested in
> implementing this (ideally with a BSD license for inclusion into the
> base system)
While I most probably won't implement freeauth.org, I'd still like to see
your notes; the security pitfalls you considered are likely there for other
algorithms too.
Cheers
Benjamin
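The scheme Alexander sketches in the quoted part (a PIN you know, a fixed key in a token you have, the current time, and a server that keeps the cleartext PIN and key and remembers the last password it accepted) is shown below as a worked example. This is added code, not from either mail author or from freeauth.org; the concrete construction (HMAC-SHA256 over PIN and time window, HOTP-style truncation to 8 digits, a 30-second step and a tolerance of one window either way) is an assumption chosen for illustration, since the mail only describes the ingredients.

```python
import hashlib
import hmac
import struct


STEP_SECONDS = 30          # assumed time step; the mail only says "time limited"
PASSWORD_DIGITS = 8        # assumed length of the one-time login password
SKEW_WINDOWS = 1           # assumed clock tolerance: previous and next window also accepted


def password_for_window(fixed_key: bytes, pin: str, window: int) -> str:
    """Token side: mix the fixed key, the arbitrary-length PIN and a time window
    into a short decimal password.

    HMAC-SHA256 keyed with the fixed key over (PIN || 0x00 || window) is an
    assumed construction; the mail just says PIN + fixed key + time.
    """
    msg = pin.encode("utf-8") + b"\x00" + struct.pack(">Q", window)
    digest = hmac.new(fixed_key, msg, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226): 31 bits taken at an offset
    # selected by the low nibble of the last byte, reduced to N digits.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** PASSWORD_DIGITS)).zfill(PASSWORD_DIGITS)


def token_generate(fixed_key: bytes, pin: str, now: float) -> str:
    """What the phone/token displays at wall-clock time `now`."""
    return password_for_window(fixed_key, pin, int(now) // STEP_SECONDS)


class LoginServer:
    """Verifier side: stores the cleartext PIN and fixed key per user and the
    highest time window already used, so a sniffed password cannot be replayed
    while it is still inside the acceptance window."""

    def __init__(self) -> None:
        self._users = {}        # user -> (fixed_key, pin)
        self._last_window = {}  # user -> highest window accepted so far

    def enroll(self, user: str, fixed_key: bytes, pin: str) -> None:
        self._users[user] = (fixed_key, pin)
        self._last_window[user] = -1

    def verify(self, user: str, candidate: str, now: float) -> bool:
        if user not in self._users:
            return False
        fixed_key, pin = self._users[user]
        current = int(now) // STEP_SECONDS
        for window in range(current - SKEW_WINDOWS, current + SKEW_WINDOWS + 1):
            # Replay protection: a window at or before the last accepted one is
            # never valid again, even if the password would still match.
            if window <= self._last_window[user]:
                continue
            expected = password_for_window(fixed_key, pin, window)
            if hmac.compare_digest(expected, candidate):
                self._last_window[user] = window
                return True
        return False


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    key, pin, t0 = b"\x01" * 32, "correct horse battery", 1234567890.0
    server = LoginServer()
    server.enroll("ben", key, pin)
    pw = token_generate(key, pin, t0)
    print("password:", pw)
    print("first login:", server.verify("ben", pw, t0 + 20))
    print("replayed login:", server.verify("ben", pw, t0 + 20))
```

Two points the mail hints at are visible here: the server must hold the PIN in cleartext (or at least in a form it can feed into the same computation), so the server's user database is as sensitive as the token's key, and the "remember the last password" rule is implemented by remembering the last accepted time window rather than the password string, which also covers the skew windows.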