On Tue, Jul 8, 2008 at 9:07 PM, Dag-Erling Smørgrav <[EMAIL PROTECTED]> wrote:
> "Ivan Grover" <[EMAIL PROTECTED]> writes:
> > Thank you so much for your responses. By "predetermined", I meant the
> > challenges appear sequentially in decremented fashion, so are we aware of
> > any security hole with this.
>
> There is no way to deduce the next challenge from the current one. This
> is documented in the opie(4) man page.

Just to clarify, I think you are trying to say the next response from the current one, since the challenges are generated something like "otp-md5 60 lo0245 ext", "otp-md5 59 lo0245 ext", "otp-md5 58 lo0245 ext", and so on.

> Here's the only advisory I could find for OPIE:
>
> http://security.freebsd.org/advisories/FreeBSD-SA-06:12.opie.asc
>
> > I ask this because usually the challenge/response implementations
> > consider generating random challenges (I think here they have a
> > weakness where the passphrase needs to be in clear text).
>
> OPIE cannot use random challenges, because one of the requirements is
> that it should be possible to print a list of pre-generated responses.
>
> The advantage of OPIE over traditional passwords is that OPIE is not
> vulnerable to replay attacks, but this is not as relevant these days as
> it was back when S/Key (on which OPIE is based) was designed. Replay
> attacks aren't very effective against encrypted protocols such as SSH.
>
> > My problem is to determine the best challenge/response implementation
> > for authenticating the clients.
>
> Systems like OPIE, where the challenge is actually issued to the user
> and not just to the user's software, require the user to have access to
> a response calculator, or to carry a sheet of precalculated responses.
> The former is difficult unless the users always log in from their own
> desktop or laptop computer, and the latter is usually a bad idea since
> someone might steal the sheet. On the bright side, it should be fairly
> easy to write an OTP calculator that runs on a cell phone, such as
> S60-based Nokia phones or an iPhone.
>
> I'd say that the only advantage of OPIE today is that it's free.
>
> DES
> --
> Dag-Erling Smørgrav - [EMAIL PROTECTED]
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
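The hash-chain mechanics behind the decrementing "otp-md5 N seed" challenges discussed in this thread, as an added Python sketch (example code written for this page, not OPIE's or S/Key's own source). It follows the otp-md5 construction of RFC 2289: the lowercased seed is concatenated with the passphrase, hashed with MD5, folded to 64 bits by XORing the two halves, and the response for sequence number n is that value hashed n more times. The server keeps only the response for sequence n+1 and checks that hashing a submitted response reproduces it, so the passphrase is entered only at enrolment and a captured response can neither be replayed nor turned into the next one (that would require inverting MD5). The seed `lo0245` is taken from the thread; the passphrase, the starting sequence number and the class and function names are this example's assumptions, and the six-word and hex output encodings of the real opiekey(1) are not reproduced.

```python
"""
Toy OPIE/S/Key-style one-time password chain (otp-md5 flavour of RFC 2289).
Hypothetical example, not OPIE's code.  Shows why sequential challenges are
harmless: the challenge is public, the response for seq n is H^n(S), and the
server only ever stores H^(n+1)(S), never the passphrase.
"""
import hashlib
import hmac
from dataclasses import dataclass


def fold(digest: bytes) -> bytes:
    """RFC 2289 reduction of a 16-byte MD5 digest to 64 bits: XOR the halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_hash(block: bytes) -> bytes:
    """One step of the chain: MD5 the 8-byte value and fold it back to 8 bytes."""
    return fold(hashlib.md5(block).digest())


def initial_secret(seed: str, passphrase: str) -> bytes:
    """S = fold(MD5(lowercase(seed) || passphrase)); the seed is case-insensitive."""
    return otp_hash((seed.lower() + passphrase).encode())


def response(seed: str, passphrase: str, seq: int) -> bytes:
    """Client side: what a calculator (or a printed sheet) answers to 'otp-md5 seq seed'."""
    value = initial_secret(seed, passphrase)
    for _ in range(seq):
        value = otp_hash(value)
    return value


def challenge(seq: int, seed: str) -> str:
    return f"otp-md5 {seq} {seed}"


@dataclass
class Server:
    """Server-side state, the analogue of one /etc/opiekeys entry (assumed names)."""
    seed: str
    seq: int        # sequence number of the stored value
    stored: bytes   # H^seq(S); the passphrase is never kept here

    @classmethod
    def enroll(cls, seed: str, passphrase: str, start: int = 499) -> "Server":
        # Like opiepasswd(1): the only time the passphrase touches the server.
        return cls(seed, start, response(seed, passphrase, start))

    def next_challenge(self) -> str:
        # Challenges simply count down; knowing the next one gains an attacker nothing.
        return challenge(self.seq - 1, self.seed)

    def verify(self, resp: bytes) -> bool:
        if self.seq == 0:
            return False  # chain exhausted, user must re-enroll with a new seed
        # Accept only if H(resp) equals the stored H^seq(S); then move the chain down.
        if not hmac.compare_digest(otp_hash(resp), self.stored):
            return False
        self.seq -= 1
        self.stored = resp
        return True


def login_scenario(seed: str, passphrase: str, start: int) -> dict:
    """Walk one login, a replay and a 'next response' guess; returns the outcomes."""
    server = Server.enroll(seed, passphrase, start)
    chal = server.next_challenge()                      # e.g. "otp-md5 59 lo0245"
    seq = int(chal.split()[1])
    resp = response(seed, passphrase, seq)              # computed by the user's calculator
    first = server.verify(resp)
    replay = server.verify(resp)                        # sniffed and replayed: rejected
    # An eavesdropper who hashes the captured response only recovers the value the
    # server already held (the previous, spent response), not the next one.
    guess_next = server.verify(otp_hash(resp))
    return {
        "challenge": chal,
        "first_login": first,
        "replay": replay,
        "hash_of_captured_is_previous": otp_hash(resp) == response(seed, passphrase, seq + 1),
        "guess_next": guess_next,
        "next_challenge": server.next_challenge(),
    }


if __name__ == "__main__":
    # Constructed sample: seed from the thread, passphrase and start value assumed.
    for k, v in login_scenario("lo0245", "correct horse battery staple", 60).items():
        print(f"{k}: {v}")
```

Note what the server state reveals: `stored` is H^(n+1)(S), so a compromise of the server's key file lets an attacker verify responses but not forge the next one, whereas a captured passphrase (entered in clear at enrolment, or typed into a compromised calculator) regenerates the whole chain. That asymmetry, not the predictability of the sequence numbers, is where the real risk in an OPIE deployment lies.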
