As an authentication protocol, it looks vulnerable to a time synchronization attack: an attacker that can desynchronize the server and client's clocks predictably can block the client's authentication and use it as his own. (Assuming the server's clock is monotonically increasing, the command can only be used once.) If the command utilizes the IP address (e.g. as a port knock), this is a security hole.
Karl

On Tue, 2005-08-02 at 17:56 +0530, Udhay Shankar N wrote:
> Sounds interesting. Has anybody used this, and are there any comments?
>
> Udhay
>
> http://ingles.homeunix.org/software/ost/
