Re: OPIE Challenge sequence

To: Ivan Grover <ivangrvr299@...>
Cc: <freebsd-security@...>
Date: Tuesday, July 8, 2008 - 11:37 am

"Ivan Grover" writes:

There is no way to deduce the next challenge from the current one. This
is documented in the opie(4) man page.

Here's the only advisory I could find for OPIE:

http://security.freebsd.org/advisories/FreeBSD-SA-06:12.opie.asc

> I ask this because usually the challenge/response implementations

OPIE cannot use random challenges, because one of the requirements is
that it should be possible to print a list of pre-generated responses.

The advantage of OPIE over traditional passwords is that OPIE is not
vulnerable to replay attacks, but this is not as relevant these days as
it was back when S/Key (on which OPIE is based) was designed. Replay
attacks aren't very effective against encrypted protocols such as SSH.

> My problem is to determine the best challenge/response implementation

Systems like OPIE, where the challenge is actually issued to the user
and not just to the user's software, require the user to have access to
a response calculator, or to carry a sheet of precalculated responses.
The former is difficult unless the users always log in from their own
desktop or laptop computer, and the latter is usually a bad idea since
someone might steal the sheet. On the bright side, it should be fairly
easy to write an OTP calculator that runs on a cell phone, such as an
S60-based Nokia phone or an iPhone.

I'd say that the only advantage of OPIE today is that it's free.

DES
--
Dag-Erling Smørgrav - des@des.no
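
The scheme discussed in the message above, as an added example (not part of the original message and not OPIE's own code): a simplified S/Key-style hash chain showing why responses can be printed ahead of time and why a captured response cannot be replayed. SHA-256 truncated to 64 bits stands in for the real hash, and all names, the seed and the pass phrase are constructed.

```python
import hashlib

def step(data: bytes) -> bytes:
    """One chain step: stand-in one-way function (SHA-256 cut to 64 bits)."""
    return hashlib.sha256(data).digest()[:8]

def response(secret: str, seed: str, seq: int) -> bytes:
    """Response for sequence number seq: hash seed+secret, then step seq times."""
    value = step((seed + secret).encode())
    for _ in range(seq):
        value = step(value)
    return value

class Server:
    """Keeps only the last accepted response, never the secret."""
    def __init__(self, seed, seq, last):
        self.seed, self.seq, self.last = seed, seq, last

    @classmethod
    def enroll(cls, secret, seed, count):
        return cls(seed, count, response(secret, seed, count))

    def challenge(self):
        # Not random: the next lower sequence number plus the fixed seed.
        return self.seq - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        # Valid only if one more step reproduces the stored value.
        if self.seq <= 0 or step(candidate) != self.last:
            return False
        self.last, self.seq = candidate, self.seq - 1
        return True

def printed_sheet(secret, seed, seq, n):
    """Pre-generate the next n responses in the order they will be asked for."""
    return [(s, response(secret, seed, s).hex())
            for s in range(seq - 1, seq - 1 - n, -1)]

def demo():
    server = Server.enroll("constructed pass phrase", "te1234", 100)
    sheet = printed_sheet("constructed pass phrase", "te1234", 100, 3)
    results = []
    for seq, resp in sheet:
        assert server.challenge() == (seq, "te1234")
        captured = bytes.fromhex(resp)
        # First use logs in; replaying the same captured value is rejected.
        results.append((server.verify(captured), server.verify(captured)))
    return results, server.seq

if __name__ == "__main__":
    print(demo())
```

Hashing a captured response forward only yields values the server has already consumed; producing the next valid one would require inverting `step`.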