Bugtraq mailing list archives

Re: Chalace - Challenge/Response password authentication (fwd)


From: PAUL () tdr com (Paul Robinson)
Date: Sun, 29 May 1994 02:15:27 -0400 (EDT)


---------- Forwarded message ----------
Date: Fri, 27 May 94 10:56:30 -0400
From: bukys () cs rochester edu
To: PAUL () TDR COM
Subject: Re: Chalace - Challenge/Response password authentication

Chalace depends on an unhashed shared secret, which, if accidentally
disclosed, leaves you hosed.  This means you need to assure yourself
that the "password file" REALLY can't be read by anyone unauthorized.
To me that means a separate physically-secure machine with no network
telnet access.

In principle it's not any different from ANSI X9.9 (DES-based), which
has the advantage that you can already buy pocket-sized or credit-card-sized
calculators for it.


S/KEY hashes the secret information, so even if it's accidentally disclosed
you're OK.  This forces the necessity of "charging up" your authentication
server.  But it's safer to run on a machine that your semi-trusted users
have normal access to.


That's my analysis.  Feel free to forward to bugtraq if you think it
adds information.

Liudvikas Bukys
University of Rochester
Computer Science Department
734 Computer Studies Building
Rochester, NY 14627-0226

tel# 716-275-7747
fax# 716-461-2018

<bukys () cs rochester edu>
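[Editor's addition, not part of the forwarded message and not Chalace's or S/KEY's own code.]  The contrast Bukys draws, a server file holding the raw shared secret versus a server file holding only the top of a hash chain, is easiest to see with both schemes side by side and a "stolen password file" scenario run against each.  The script below is a constructed illustration with assumed details: the challenge/response function is HMAC-SHA256 over the challenge (the message does not describe Chalace's actual function), the S/KEY chain uses SHA-256 rather than RFC 1760's 64-bit folded MD4, and all names, secrets and seeds are made up.

```python
import hashlib
import hmac
import secrets

# ---- Scheme 1: challenge/response on a shared secret stored in the clear ----
# The server's "password file" holds the secret itself.  The response
# function is an ASSUMPTION for illustration (HMAC-SHA256 over the
# challenge); the message does not describe Chalace's actual function.

def cr_enroll(secret: bytes) -> dict:
    """Server-side record: nothing but the raw secret."""
    return {"secret": secret}

def cr_respond(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret for this challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def cr_verify(record: dict, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute with the stored secret and compare."""
    return hmac.compare_digest(cr_respond(record["secret"], challenge), response)

# ---- Scheme 2: S/KEY-style one-time passwords (hash chain, RFC 1760) ----
# The server stores only H^n(seed || passphrase) and the count n.
# "Charging up" is the one-time cost of computing that chain at enrollment.
# SHA-256 is used here instead of RFC 1760's 64-bit folded MD4 (assumption).

def skey_hash(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def skey_chain(passphrase: bytes, seed: bytes, i: int) -> bytes:
    """H^i(seed || passphrase): the client recomputes this for each login."""
    x = seed + passphrase
    for _ in range(i):
        x = skey_hash(x)
    return x

def skey_enroll(passphrase: bytes, seed: bytes, n: int) -> dict:
    """Server-side record after charging up: the top of the chain, not the secret."""
    return {"seed": seed, "n": n, "last": skey_chain(passphrase, seed, n)}

def skey_verify(record: dict, otp: bytes) -> bool:
    """Accept otp iff H(otp) equals the stored value, then roll the record forward.

    Refuses once n reaches 1: the next OTP would be H^0 = seed || passphrase
    itself, so the chain must be re-charged instead of letting it go over the wire.
    """
    if record["n"] <= 1:
        return False
    if not hmac.compare_digest(skey_hash(otp), record["last"]):
        return False
    record["last"] = otp
    record["n"] -= 1
    return True

def run_demo() -> dict:
    """Constructed scenario: same secret enrolled in both schemes, server file stolen."""
    r = {}
    secret, seed = b"correct horse battery staple", b"ro12345"   # made-up values
    cr_rec = cr_enroll(secret)
    sk_rec = skey_enroll(secret, seed, n=100)

    # Attacker copies both server files before any login happens.
    stolen_cr, stolen_sk = dict(cr_rec), dict(sk_rec)

    # Legitimate logins succeed in both schemes.
    ch = secrets.token_bytes(16)
    r["cr_honest"] = cr_verify(cr_rec, ch, cr_respond(secret, ch))
    otp99 = skey_chain(secret, seed, sk_rec["n"] - 1)      # server asks for count 99
    r["skey_honest"] = skey_verify(sk_rec, otp99)           # record now holds H^99, n=99

    # Stolen clear-text secret answers any fresh challenge: total compromise.
    ch2 = secrets.token_bytes(16)
    r["cr_stolen_file_logs_in"] = cr_verify(cr_rec, ch2, cr_respond(stolen_cr["secret"], ch2))

    # Stolen S/KEY file holds H^100; the server now wants H^98, a preimage
    # the attacker cannot compute.  Submitting the stored value fails ...
    r["skey_stolen_file_rejected"] = not skey_verify(sk_rec, stolen_sk["last"])
    # ... and so does replaying the OTP sniffed from the honest login.
    r["skey_replay_rejected"] = not skey_verify(sk_rec, otp99)
    # The legitimate user, who knows the passphrase, continues normally.
    r["skey_next_honest"] = skey_verify(sk_rec, skey_chain(secret, seed, 98))

    # A nearly exhausted chain refuses rather than let H^0 go over the wire.
    short = skey_enroll(secret, seed, n=2)
    skey_verify(short, skey_chain(secret, seed, 1))          # uses up count 1, n is now 1
    r["skey_exhausted_refuses"] = not skey_verify(short, skey_chain(secret, seed, 0))
    return r

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The point of the two "stolen file" results is the one in the message: with the clear-text secret the thief logs in at will, whereas the S/KEY file only yields a value whose preimage the thief would have to invert.  The price, also as described, is that the chain must be charged up at enrollment and re-charged before it runs out; the `skey_exhausted_refuses` case shows why the server should stop before the count reaches zero.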
