Bugtraq mailing list archives
Re: Chalace - Challenge/Responce password authentification (fwd)
From: PAUL () tdr com (Paul Robinson)
Date: Sun, 29 May 1994 02:15:27 -0400 (EDT)
---------- Forwarded message ----------
Date: Fri, 27 May 94 10:56:30 -0400
From: bukys () cs rochester edu
To: PAUL () TDR COM
Subject: Re: Chalace - Challenge/Responce password authentification

Chalace depends on an unhashed shared secret, which, if accidentally disclosed, leaves you hosed. This means you need to assure yourself that the "password file" REALLY can't be read by anyone unauthorized. To me that means a separate physically-secure machine with no network telnet access. In principle it's not any different from ANSI X9.9 (DES-based), which has the advantage that you can already buy pocket-sized or credit-card-sized calculators for it.

S/KEY hashes the secret information, so even if it's accidentally disclosed you're OK. This forces the necessity of "charging up" your authentication server. But it's safer to run on a machine that your semi-trusted users have normal access to.

That's my analysis. Feel free to forward to bugtraq if you think it adds information.

Liudvikas Bukys
University of Rochester Computer Science Department
734 Computer Studies Building
Rochester, NY 14627-0226
tel# 716-275-7747 fax# 716-461-2018
<bukys () cs rochester edu>
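The contrast Bukys draws (server file holds the raw shared secret vs. server file holds only a hash chain value) can be seen directly in code. The following is an added illustration, not part of the forwarded message and not the actual Chalace or S/KEY implementation: the exact Chalace algorithm is not given above, so a keyed digest (HMAC-SHA256) over a random challenge stands in for it, and the S/KEY side is a simplified hash chain using SHA-256 rather than S/KEY's folded MD4 with seed word. The user name, the sample secret and the chain length are constructed for the example. Each server keeps a `password_file` dict; the attack functions simulate an attacker who has read a copy of that file and nothing else.

```python
import hashlib
import hmac
import os

# ---- Chalace-style challenge/response ----------------------------------
# Assumed form (the real Chalace algorithm is not specified in the message):
# a keyed digest over a random challenge. What matters here is where the
# secret lives: in the server's password file, unhashed.

SECRET = b"correct horse battery staple"   # constructed sample secret

def cr_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: keyed digest of the server's challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class ChallengeResponseServer:
    def __init__(self) -> None:
        self.password_file = {}            # user -> raw shared secret

    def enroll(self, user: str, secret: bytes) -> None:
        self.password_file[user] = secret

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        secret = self.password_file.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(cr_response(secret, challenge), response)

# ---- S/KEY-style hash chain ---------------------------------------------
# Simplified: SHA-256 instead of S/KEY's folded MD4, no seed word. The server
# stores only H^n(secret); the secret itself never leaves the user.

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def skey_otp(secret: bytes, i: int) -> bytes:
    """Client side: the i-th chain value H^i(secret), computed locally."""
    x = secret
    for _ in range(i):
        x = H(x)
    return x

class SKeyServer:
    def __init__(self) -> None:
        self.password_file = {}            # user -> (count, H^count(secret))

    def charge_up(self, user: str, n: int, top: bytes) -> None:
        """(Re)initialise with the chain top H^n(secret) supplied by the user."""
        self.password_file[user] = (n, top)

    def verify(self, user: str, otp: bytes) -> bool:
        entry = self.password_file.get(user)
        if entry is None:
            return False
        n, stored = entry
        if n <= 1:
            return False   # next OTP would be H^0 = the secret itself: charge up again
        if not hmac.compare_digest(H(otp), stored):
            return False   # wrong value, or a replay of an already-used OTP
        self.password_file[user] = (n - 1, otp)   # step one link down the chain
        return True

# ---- What a leaked password file buys the attacker -----------------------

def chalace_leak_attack() -> bool:
    """True if someone holding a copy of the server's file can log in as alice."""
    srv = ChallengeResponseServer()
    srv.enroll("alice", SECRET)
    leaked = dict(srv.password_file)          # attacker reads the file
    chal = srv.new_challenge()
    return srv.verify("alice", chal, cr_response(leaked["alice"], chal))

def skey_leak_attack() -> bool:
    """True if the leaked (count, H^count) entry lets the attacker log in."""
    srv = SKeyServer()
    srv.charge_up("alice", 100, skey_otp(SECRET, 100))
    n, top = srv.password_file["alice"]       # attacker reads the file
    # The next valid OTP is H^(n-1)(secret), a preimage of `top`; with the
    # file alone the best the attacker can do is replay `top` itself.
    return srv.verify("alice", top)

def skey_logins(n: int) -> tuple:
    """Run a chain of length n down; return (successful logins, recharge needed)."""
    srv = SKeyServer()
    srv.charge_up("bob", n, skey_otp(SECRET, n))
    ok = 0
    for i in range(n - 1, -1, -1):            # user presents H^(n-1), H^(n-2), ..., H^0
        if srv.verify("bob", skey_otp(SECRET, i)):
            ok += 1
    exhausted = not srv.verify("bob", skey_otp(SECRET, 0))
    return ok, exhausted

if __name__ == "__main__":
    print("challenge/response file leak -> attacker logs in:", chalace_leak_attack())
    print("S/KEY file leak -> attacker logs in:", skey_leak_attack())
    print("S/KEY chain of 5 -> (logins, needs charge-up):", skey_logins(5))
```

The two `verify` methods are the whole point: the challenge/response server needs the secret in hand to check a response, so anyone who can read its file can answer any future challenge; the S/KEY server only needs to hash what the user sent and compare, so the file discloses nothing usable without inverting the hash. The cost is the "charging up" Bukys mentions: `skey_logins` shows the chain being consumed one link per login until the user must re-run `charge_up` with a fresh chain top.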
Current thread:
- Re: Chalace - Challenge/Responce password authentification (fwd) Paul Robinson (May 28)