Bugtraq mailing list archives

Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)

From: ark () ELTEX RU (-=ArkanoiD=-)
Date: Tue, 1 Feb 2000 02:17:42 +0300


nuqneH,

I've seen several s/key (opie, whatever you call it) implementations
and all of them used some combination of hostname and pseudo-random number
as authomatically generated seed. What systems have the problem you described?

I see no problem in elimination shared accounts.

BTW i've seen only one OTP thingie that was ~100% shoulder-surfing protected
without using hardware tokens that may be lost, stolen, or something..
But - it was only useful if your communication channel is protected and no one
can capture your screen image. It was based on selecting numbers from the
big numbers sheet (full screen) using positions known by user.
It was based on the assumtion that no one can memorize the whole screen of
numbers, though. (OS/360, russian version called OC EC, interactive subsystem
"Jessy").

I was thinking about improvement that could make such a thing usable even
if data can be sniffed, but haven't found a good solution yet.

Somebody (maybe you, Greg A. Woods) WROTE:

 In fact I've seen several sites where due to configuration (and
 implementation?) errors this algorithmic relationship resulted in the
 exact same sequence of challenge/response pairs being used on all hosts
 for any given account (because the same secret password was used on all
 hosts).  Simple network sniffing or shoulder-surfing would have enabled
 a watchful cracker to win in very short order by simply watching the
 N'th login on one host and then simply finding another host where the
 N'th login is next replaying the phrase.

 Auditing to ensure that all successfull logins are accounted for is of
 course critical with any "one-time password" scheme.  Unfortunately
 people will still use shared accounts (eg. root!) making such auditing
 very difficult and almost never done.

 I personally will never use s/key again.



--
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

Current thread:

Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability) -=ArkanoiD=- (Jan 31)
- Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability) Greg A. Woods (Feb 01)
  - SARA Security Auditor -- a new tool Security (Feb 01)