Date: Tue, 8 Jul 2008 19:11:35 +0530
From: "Ivan Grover"
To: "Peter Jeremy"
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE Challenge sequence

Thank you so much for your responses.
By "predetermined", I meant the challenges appear sequentially in decremented fashion, so are we aware of any security hole with this? I ask this because usually the challenge/response implementations consider generating random challenges (I think here they have a weakness where the passphrase needs to be in clear text).
My problem is to determine the best challenge/response implementation for authenticating the clients. Please correct me if I missed something.

Thanks and Regards,
Ivan

On Tue, Jul 8, 2008 at 5:00 PM, Peter Jeremy wrote:

> On 2008-Jul-08 15:46:37 +0530, Ivan Grover wrote:
> >I am trying to choose OPIE as my OTP implementation for authenticating the
> >clients. I have the following queries, could anyone please let me know these
> >-- why are the challenges in OPIE in predetermined form?
> >is it for determining the decryption key for the encrypted passphrase (stored
> >in opiekeys).
>
> The passphrase is not encrypted - it is hashed and cannot be "decrypted".
> Basically, the passphrase and seed are concatenated and the result is
> hashed (using MD5) the number of times specified by the iteration count
> and the seed, count and final hash are stored in /etc/opiekeys.
>
> The supplied response is easily verified because when you run it thru
> MD5, you should get the hash in /etc/opiekeys. You then replace that
> hash with the one the user supplied.
>
> >-- is it possible to generate random challenges using opiechallenge
>
> No. The seed has to match the seed that was used to generate the
> hash with opiepasswd.
>
> --
> Peter Jeremy
> Please excuse any delays as the result of my ISP's inability to implement
> an MTA that is either RFC2821-compliant or matches their claimed behaviour.
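
The hash chain described in the quoted reply, as an added Python example (not part of the original thread and not OPIE's own code). It shows why the challenge counts down by one and why a replayed response, a different count, or a different seed cannot be verified. The passphrase, seeds and `KeyEntry` class are constructed for illustration, and the 64-bit fold of each MD5 digest follows the otp-md5 construction in RFC 2289.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """One OTP step: MD5, then fold the 128-bit digest to 64 bits (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: hash seed+passphrase once, then iterate `count` more times."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

class KeyEntry:
    """Constructed stand-in for one /etc/opiekeys record: seed, count, last hash."""
    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed, self.count = seed, count
        self.stored = otp(passphrase, seed, count)  # the passphrase is not kept

    def challenge(self) -> str:
        # The server can only check the pre-image of `stored`, so the
        # challenge must name this seed and the next lower count.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.count <= 0 or fold_md5(response) != self.stored:
            return False
        # Accept, then roll the chain forward: the response becomes the new hash.
        self.stored, self.count = response, self.count - 1
        return True

def demo() -> dict:
    passphrase, seed = "constructed example passphrase", "ex12345"
    entry = KeyEntry(passphrase, seed, 499)
    results = {"first_challenge": entry.challenge()}
    r498 = otp(passphrase, seed, 498)
    results["login_498"] = entry.verify(r498)
    results["replay_498"] = entry.verify(r498)  # captured response reused
    results["other_count"] = entry.verify(otp(passphrase, seed, 400))
    results["other_seed"] = entry.verify(otp(passphrase, "zz99999", 497))
    results["login_497"] = entry.verify(otp(passphrase, seed, 497))
    results["next_challenge"] = entry.challenge()
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```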