OPIE Challenge sequence
Ivan Grover
ivangrvr299 at gmail.com
Tue Jul 8 13:41:37 UTC 2008
Thank you so much for your responses. By "predetermined", I meant that the
challenges appear sequentially in decrementing fashion, so are we aware of
any security hole with this? I ask this because usually the
challenge/response implementations consider generating random challenges (I
think here they have a weakness where the passphrase needs to be in clear
text).
My problem is to determine the best challenge/response implementation for
authenticating the clients.
Please correct me if I missed something.
Thanks and Regards,
Ivan
On Tue, Jul 8, 2008 at 5:00 PM, Peter Jeremy <peterjeremy at optushome.com.au>
wrote:
> On 2008-Jul-08 15:46:37 +0530, Ivan Grover <ivangrvr299 at gmail.com> wrote:
> >I am trying to choose OPIE as my OTP implementation for authenticating the
> >clients. I have the following queries, could anyone please let me know these:
> >-- why are the challenges in OPIE in a predetermined form?
> >Is it for determining the decryption key for the encrypted
> >passphrase (stored in opiekeys)?
>
> The passphrase is not encrypted - it is hashed and cannot be "decrypted".
> Basically, the passphrase and seed are concatenated and the result is
> hashed (using MD5) the number of times specified by the iteration count
> and the seed, count and final hash are stored in /etc/opiekeys.
>
> The supplied response is easily verified because when you run it thru
> MD5, you should get the hash in /etc/opiekeys. You then replace that
> hash with the one the user supplied.
>
> >-- is it possible to generate random challenges using opiechallenge
>
> No. The seed has to match the seed that was used to generate the
> hash with opiepasswd.
>
> --
> Peter Jeremy
> Please excuse any delays as the result of my ISP's inability to implement
> an MTA that is either RFC2821-compliant or matches their claimed behaviour.
>
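The scheme Peter describes above, as an added Python model that is not OPIE's own code: it keeps the full 16-byte MD5 digest instead of OPIE's folded key, and the seed/passphrase concatenation order is an assumption. It shows why the challenge is fixed by the stored record, why a response that does not hash to the stored value (wrong passphrase, wrong seed, or a replayed earlier response) is rejected, and the verify-then-replace step.

```python
import hashlib
import hmac


def _step(data: bytes) -> bytes:
    # One link of the hash chain. Simplified model: full MD5 digest,
    # not OPIE's 64-bit fold of the digest.
    return hashlib.md5(data).digest()


def chain_element(passphrase: str, seed: str, count: int) -> bytes:
    # opiekey/opiepasswd-style: hash seed||passphrase `count` times.
    # Concatenation order is an assumption of this model.
    h = (seed + passphrase).encode()
    for _ in range(count):
        h = _step(h)
    return h


class OpieKeysRecord:
    """Model of one /etc/opiekeys entry: seed, current count, current hash."""

    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed = seed
        self.count = count
        self.hash = chain_element(passphrase, seed, count)

    def challenge(self):
        # The challenge is not random: it is the stored seed and the next
        # count down from the stored one, so the client recomputes the chain.
        return (self.count - 1, self.seed)

    def verify(self, response: bytes) -> bool:
        # A valid response hashes (once) to the stored hash. On success the
        # stored hash is replaced by the response and the count decremented.
        if self.count <= 1:
            return False  # chain exhausted; user must run opiepasswd again
        if not hmac.compare_digest(_step(response), self.hash):
            return False
        self.hash = response
        self.count -= 1
        return True


def client_response(passphrase: str, count: int, seed: str) -> bytes:
    # What the client computes from the challenge (count, seed) and its
    # passphrase; the passphrase itself never crosses the wire.
    return chain_element(passphrase, seed, count)
```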