Re: Chalace - Challenge/Responce password authentification

[PAUL () tdr com (Paul Robinson)]

From: Paul Robinson <PAUL () TDR COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
-----
Julian Assange <proff () suburbia apana org au>, wrote to bugtraq list 
<bugtraq () crimelab com> as follows:

> Forwarded message:
>
> > Or you could just use encrypted telnet or my challenge responce 
> > system "Chalace". 

> Below is the only, documentation available:

> Chalace is a challenge - responce system based on shared non-disclosed
> secrets. Chalace key authentification and exchange is not vulnerable
> to eaves-dropping, tapping, packet-sniffing and the like, as the 
> secret is never sent as plain text though any communications channel.
> The chalace secret exchange for bob and alice would look something 
> like this:

>       <-number send to bob<-
>
>       ->Secure hash-> 
>
> Example: (clients perspective)
>
>    Enter challenge: visit defile Suelette
>    Responce = urban curve angel
>
> Implimentation:
>
>       A 32bit random number is generated by doing an interative
>       md5 secure hash of a large number of time and system
>       stats.
>
>       All information is represented by three words from a table of
>       2048. For non-automated key exchange this makes the information
>       considerably easier to remember than other comercial systems
>       that use an 8-digit number.
>
>       The 128bit secure hash of secret and random number is broken
>       down into 32bits then wordified for the responce.

> Vulnerabilites:
>
>       Though secret space is very large, effective keyspace is only
>       2^32. Assuming that n of bobs logins were intercepted, a
>       challenge/responce relational pair table could be constructed
>       so that at each challenge, an attacker would have a 2^32/n
>       chance of being able to find the correct responce. e.g if
>       n=1000, the chance per chalange that the attacker can beat
>       the system is 1/4,294,967. This could be considered a
>       problem if the implimentation allows many invalid responces,
>       and can process them quickly. If paranoia level security
>       is desired, then just preform a double challenge, which
>       beings the keyspace upto 2^64.

>       Regards,
>               proff () suburbia apana org au.

Gee, this sounds like Phil Karn's S/Key system only without changing the 
keys.  If it is really something different, a combination of both would 
be very interesting.

S/Key seems to be almost identical with this system, including the list 
of words, the use of a nondisclosed shared secret, and so on.  The only 
difference being that S/Key generates the challenge on a "one time pad" 
e.g. the next time you log in it's a different computation because the 
count isn't the same.  

Perhaps someone here could let me know if I'm correct in my analysis.
I don't see any significant advantage to his method except not having 
to regenerate the password every 100 logins or whatever number you set
the S/Key count to be.  You still have to look up the code in a table or 
use a program to do so.

---
Paul Robinson - Paul () TDR COM
Voted "Largest Polluter of the (IETF) list" by Randy Bush <randy () psg com>
-----
The following Automatic Fortune Cookie was selected only for this message:

An American's a person who isn't afraid to criticize the President but
is always polite to traffic cops.