Re: One-Time passwords for regular user accounts?



Unruh wrote:

>> Hmmm... The information seems a bit scarce. But still, from one of
>> the descriptions I read, it seems to be resistant to sniffing attacks,
>> and not to key loggers. But using SSH -- which I do -- makes me
>> already impervious to sniffing.
>
> No, it is also resistant to key loggers. The key is never reused, so
> who cares if they got the current key. It will never again work.

But the description I read (the way I understood it, at least)
talks about using a program on your machine (the machine from
where you're connecting to the server) that will generate the
response to the given challenge.

But generating the response to the challenge requires typing
in the "master pass phrase" -- someone logging the keystrokes
now has the "magic recipe" to know how to respond to future
challenges.

So, again -- what am I missing or getting wrong?


In my mind, the "ideal" strategy is simply: run a program on
the server, from a trusted box, using a sniff-proof channel
(e.g., via web browser using SSL, from my machine at home);
that program simply draws 50 instances of 128 random bits
(truly random -- e.g., read 16 bytes from /dev/random);
store those on a server-side database, and give them to you
(again, must be over a secure channel to a trusted machine).
Then you print them, and use them. But just that: *use them*
directly. When I'm close to using up the 50 passwords, I
run the program again to generate another 50.

Thanks,

Carlos
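The scheme Carlos sketches in his last paragraph (a batch of 50 fresh 128-bit random passwords, kept server-side, each one used exactly once), written out as an added Python sketch that is not part of the original thread. It assumes the server stores only a salted hash per printed line and deletes the line the moment it is accepted, so a value captured by a key logger is dead on arrival the next time; `os.urandom`/`secrets` stand in for the post's `/dev/random`, and the slot numbering is my own convention.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Tuple

# Parameters taken from the post: 50 passwords of 128 random bits each.
LIST_SIZE = 50
CODE_BYTES = 16  # 16 bytes = 128 bits per one-time password


def _digest(salt: bytes, code: str) -> bytes:
    # A plain salted SHA-256 is enough here: each code already carries 128 bits
    # of entropy, so there is nothing for an offline guesser to gain from a
    # slow hash. The salt just keeps two users' lists from being comparable.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def generate_list(n: int = LIST_SIZE) -> Tuple[List[str], Dict[int, bytes], bytes]:
    """Return (codes_to_print, server_records, salt).

    codes_to_print goes to the user over the trusted channel and is printed;
    server_records (slot -> salted hash) is all the server keeps."""
    salt = os.urandom(16)
    codes = [secrets.token_hex(CODE_BYTES) for _ in range(n)]  # OS CSPRNG
    records = {slot: _digest(salt, code) for slot, code in enumerate(codes)}
    return codes, records, salt


def verify(records: Dict[int, bytes], salt: bytes, slot: int, candidate: str) -> bool:
    """Check the password typed for `slot`. On success the slot is deleted,
    so the very same keystrokes can never log in again."""
    expected = records.get(slot)
    if expected is None:
        return False  # unknown slot, or one that was already consumed
    if not hmac.compare_digest(expected, _digest(salt, candidate)):
        return False  # wrong value; slot stays unused
    del records[slot]
    return True


def remaining(records: Dict[int, bytes]) -> int:
    """How many unused lines are left; when this gets low, generate a new list."""
    return len(records)
```

A logged password only ever replays against a slot that no longer exists, which is the property the thread is arguing about.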


