[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] Security tokens

To: Steve Willoughby <steve@ichips.intel.com>
Subject: Re: [SAGE] Security tokens
From: Hal Pomeranz <hal@deer-run.com>
Date: Mon, 20 Jan 2003 12:02:36 -0800
Cc: Jim <jimd@starshine.org>, Jim Hickstein <jxh@jxh.com>, sage-members@sage.org, star@starshine.org
In-Reply-To: <200301201949.LAA07068@plxw0026.pdx.intel.com>
References: <20030120192052.GJ1395@mars.starshine.org> <200301201949.LAA07068@plxw0026.pdx.intel.com>
Sender: owner-sage-members@usenix.org
User-Agent: Mutt/1.4i

> Actually, a quasi-trivial attack can be made against OTP such as S/Key
> without even requiring any kind of MITM arrangement.  Just the ability
> to snoop the challenge and response on a cleartext channel like telnet.
> 
> So personally, I wouldn't trust OTP in the long term, and if you do use 
> it, (1) use it and then run, don't walk, to (2) change your OTP keys once 
> you do have a secure channel again.  Between (1) and (2) you're vulnerable.
> Better than typing your password in the clear, but not much.

I believe you're referring to a brute force attack where the attacker
attempts to guess the secret used to produce the response by doing
a dictionary or exhaustive guessing style attack similar to a standard
password cracking utility.  While this sort of attack is possible,
consider:

1) OTP users can (and should) choose long secrets (and not limit
themselves to the old 8 character DES maximum)

2) the hashing algorithms used by standard OTP systems are reasonably
computationally intensive (limited benchmarking on my desktop shows
it can do only about 1500 MD5 encryptions per second)

3) OTP systems do restrict the number of logins before changing
secrets is required (hopefully this occurs before the attacker's
brute force attack is able to succeed)

Frankly, I'd be more worried about session hijacking using OTP over
a clear text link than I would be a brute force attack on my OTP secret.

Now repeat after me, "SSH is friend to all computer users..."

-- 
Hal Pomeranz, Founder/CEO       Deer Run Associates       hal@deer-run.com
     Network Connectivity and Security, Systems Management, Training

References:
- Re: [SAGE] Security tokens
  - From: Jim <jimd@starshine.org>
- Re: [SAGE] Security tokens
  - From: Steve Willoughby <steve@ichips.intel.com>

Prev by Date: Re: [SAGE] Security tokens
Next by Date: Re: [SAGE] Security tokens
Prev by thread: Re: [SAGE] Security tokens
Next by thread: Re: [SAGE] Security tokens
Index(es):
- Date
- Thread