Re: One-Time passwords for regular user accounts?
- From: Unruh <unruh-spam@xxxxxxxxxxxxxx>
- Date: 30 Apr 2006 05:26:00 GMT
Carlos Moreno <moreno_at_mochima_dot_com@xxxxxxxxxxxxxx> writes:
> Unruh wrote:
> Hmmm... The information seems a bit scarce. But still, from one of
> the descriptions I read, it seems to be resistant to sniffing attacks,
> and not to key loggers. But using SSH -- which I do -- makes me
> already impervious to sniffing.
No, it is also resistant to key loggers.
The key is never reused, so who cares if they got the current key. It will
never again work.
> But the description I read (the way I understood it, at least)
> talks about using a program on your machine (the machine from
> where you're connecting to the server) that will generate the
> response to the given challenge.
No, there is an alternative -- you type out a list of responses with their
number which you can enter.
> But generating the response to the challenge requires typing
> in the "master pass phrase" -- someone logging the keystrokes
> has now the "magic recipe" to know how to respond to future
> challenges.
If you do it that way. You do not need to.
> So, again -- what am I missing or getting wrong?
Reading further.
> In my mind, the "ideal" strategy is simply: run a program on
> the server, from a trusted box, using a sniff-proof channel
> (e.g., via web browser using SSL, from my machine at home);
> that program simply draws 50 instances of 128 random bits
> (truly random -- e.g., read 16 bytes from /dev/random);
Very difficult to enter. You will be spending all your time entering them
and reentering them.
> store those on a server-side database, and give them to you
> (again, must be over a secure channel to a trusted machine).
Sensitive to server compromise.
> Then you print them, and use them. But just that: *use them*
> directly. When I'm close to using up the 50 passwords, I
> run the program again to generate another 50.
In many ways that is exactly what opie does.
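OPIE implements the S/Key hash-chain scheme (RFC 2289), which is what lets a printed, numbered list work without storing the passphrase on the server and without a logged response ever being accepted again. The following is an added illustration, not code from the thread or from OPIE; it uses SHA-256 with full digests instead of OPIE's hash folding and word encoding, so it does not interoperate with real OPIE, and the seed, passphrase and count are constructed values.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def generate_list(passphrase: str, seed: str, count: int) -> dict:
    """Client side, run once on a trusted box: derive the printable list.
    Response for challenge n is H^n(seed + passphrase). The list is used
    from the highest number downward; the passphrase never leaves the box."""
    x = _h((seed + passphrase).encode())
    chain = [x]
    for _ in range(count):
        x = _h(x)
        chain.append(x)
    return {n: chain[n].hex() for n in range(1, count)}


def initial_server_record(passphrase: str, seed: str, count: int) -> dict:
    """Enrolment: the server keeps only (seed, count, H^count(...)).
    A server compromise yields no passphrase and no usable responses."""
    x = _h((seed + passphrase).encode())
    for _ in range(count):
        x = _h(x)
    return {"seed": seed, "n": count, "stored": x.hex()}


def verify(record: dict, response: str) -> bool:
    """Server side: current challenge is record['n'] - 1. Accept only if
    H(response) equals the stored value, then advance the record so the
    same response (e.g. one captured by a key logger) never works again."""
    try:
        candidate = bytes.fromhex(response)
    except ValueError:
        return False
    if not hmac.compare_digest(_h(candidate), bytes.fromhex(record["stored"])):
        return False
    record["n"] -= 1
    record["stored"] = candidate.hex()
    return True


def demo() -> tuple:
    """Constructed walk-through: one login, a replay of the logged response, next login."""
    seed, count, passphrase = "ex1234", 5, "correct horse battery"  # constructed
    record = initial_server_record(passphrase, seed, count)
    printed = generate_list(passphrase, seed, count)
    first = verify(record, printed[record["n"] - 1])   # challenge 4: accepted
    replay = verify(record, printed[4])                # same response again: rejected
    second = verify(record, printed[record["n"] - 1])  # challenge 3: accepted
    return first, replay, second
```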