Date: Tue, 8 Dec 2009 17:01:11 -0500 From: Mark Fullmer <maf@eng.oar.net> To: Alexander Leidinger <Alexander@Leidinger.net> Cc: freebsd-security@freebsd.org, Tomasz bla Fortuna <bla@thera.be> Subject: Re: One-time password implementation. Message-ID: <CD8B9224-165D-45C8-863A-3DCDE74D9C2A@eng.oar.net> In-Reply-To: <20091208095410.68368l6s44h5u9f4@webmail.leidinger.net> References: <20091207201924.5d6ef1bf@thera.be> <73FE9669-75FD-4E2B-A238-68EAC6AA941B@eng.oar.net> <20091208095410.68368l6s44h5u9f4@webmail.leidinger.net>
next in thread | previous in thread | raw e-mail | index | archive | help
HOTP is defined in rfc4226, it's not my own. There is variant called TOTP which ties the count to a clock. The Spyrus reader has an RTCC which could be used to drive the count. What scenario do you see a time based token having advantage over a loosely synchronized count? otp-control can be used to generate soft tokens for testing, although in its current form this wouldn't work easily for an end user. Adding a HOTP soft token generator with the same functionality as the smart card wouldn't be much work. Keeping to this mailing list, is a HOTP implementation to replace/ augment the existing OPIE package something the FreeBSD security team is interested in? The problems with OPIE brought up in the Feb 2009 thread "OPIE considered insecure" are not present in HOTP. TOTP: http://tools.ietf.org/html/draft-mraihi-totp-timebased-03 HOTP: http://tools.ietf.org/html/rfc4226 -- mark On Dec 8, 2009, at 3:54 AM, Alexander Leidinger wrote: > Quoting Mark Fullmer <maf@eng.oar.net> (from Mon, 7 Dec 2009 > 19:11:23 -0500): > >> I recently released a BSD licensed smart card based OTP system >> we've used over the past few years. It uses the OATH HOTP >> algorithm and includes an OTP library, PAM module, smart card >> firmware, pin pad reader firmware, associated management utilities >> and man page documentation. The smart card and reader(s) hardware >> can be purchased in single quantities and it all works natively >> with FreeBSD. The HOTP algorithm has gained some momentum with a >> few vendors now selling hardware tokens which should work with this >> software. >> >> http://www.splintered.net/sw/otp >> >> It might be easier to add GRC PPP to this than to start from scratch. > > After reading your presentation it seems that your algorithm does > not limit the time the user is able to use a specific generated > password. Are you interested in an algorithm which does this > (requires a more or less synchronisated clock on client and > destination sides, some seconds difference does not matter, but some > minutes difference does). Yes, this would require a smart card which > is able to produce the current time, and I do not know if there is > such a card and how much it costs, but there are scenarios where you > do not need the additional security of a tamper-resistant smart card > and a mobile with a java app would be enough (and this would then > allow to have a more or less unlimited amount of different > destinations with different passwords on one device). > > Bye, > Alexander. > > -- > What makes us so bitter against people who outwit us > is that they think themselves cleverer than we are. > > http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = > B0063FE7 > http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = > 72077137 >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CD8B9224-165D-45C8-863A-3DCDE74D9C2A>