OPIE considered insecure
mail at maxlor.com
Wed Feb 11 09:22:02 PST 2009
I've been thinking about what to do about OPIE, and I see the following
possibilities. (Note: this is mainly just a braindump to collect my
thoughts; many details that seem obvious to me are omitted. I'm making it
public because others might be interested in it too.)
- Enhance OPIE to use larger internal hashes. Because of the way OPIE works,
the user needs to input at least as many bits as OPIE uses internally,
therefore increasing the hash length increases the inconvenience. If
5-letter words were added, this would give us 18, maybe 24 additional bits
for a total of 82-88 bits; if two numeric digits (2-9, because 0 and 1
might be confused with O and l) are added to every word (JOHN43 BOAT59),
this would give us 36 additional bits for a total of 100 bits.
- Implement another algorithm: PPP. (https://www.grc.com/ppp.htm, no source
available but algorithm is documented.)
This system appears to have one weakness compared to OPIE: the secure
256-bit key needs to be stored on the host and is accessed frequently.
There are several advantages though: the algorithm won't be brute-forced
any time soon, and since the passwords have no dependencies to each other,
they can each be very short (GRC suggests 4 characters). Also, the number
of one time passwords that can be generated is unlimited (*).
PPP Variant 1: The problem of the secure key being compromised could be
solved by extending the algorithm as follows: the list of one time
passwords is precalculated on the host, each password is hashed and only
the hash is stored. This would remove the advantage (*) and also prevent
recreation of a password list (but that's good, right?)
PPP Variant 2: derive the secure 256-bit key from some user passphrase. This
would allow password calculators.
- Implement another algorithm: OTPW
(http://www.cl.cam.ac.uk/~mgk25/otpw.html, implementation is GPL, algorithm
This system precalculates random independent passwords and stores their
hashes. This then works the same as the PPP variant 1 described above.
Password calculators are not possible.
- Use pam_sotp (http://www.cavecanen.org/cs/projects/pam_sotp/, GPL,
algorithm not documented). Seems be quite similar to OTPW.
Some general thoughts:
- The one time passwords should definitively be independent from each other;
this allows very short passwords, which is much more convenient than OPIE
- I wonder if it makes sense to worry about races? (Attacker logs your key
presses, then automatically logs in after you've entered the last character
but before you've pressed enter.) Probably not, when there is the danger of
the ssh binary being compromised?
- OPIE prevents concurrent logins. Is it possible to allow them securely,
without making DOS-by-password-exhaustion possible?
More information about the freebsd-security