OPIE Challenge sequence
Jason Stone
freebsd-security at dfmm.org
Tue Jul 8 19:54:02 UTC 2008
> On the bright side, it should be fairly easy to write an OTP calculator
> that runs on a cell phone

These already exist for J2ME-enabled mobiles (which is most of them?):

http://tanso.net/j2me-otp/
http://otp-j2me.sourceforge.net/

> Systems like OPIE, where the challenge is actually issued to the user
> and not just to the user's software, require the user to have access to
> a response calculator, or to carry a sheet of precalculated responses.

There exist apps (i.e., browsers, FTP clients, mailers, etc.) that
integrate OPIE and can transparently respond to challenges. The user just
puts in his password, and he doesn't worry about plaintext or OPIE or
whatever; the app just does the right thing. Fetch, an FTP client for the
Mac, is one such app.

One could argue that this encourages users to just punch in their password
and not understand if it's going to go over the wire in the clear or be
used to answer a challenge, but it's very useful when you have users who
are incapable of making such a distinction in the first place and you just
need to make sure their password is secure for _your_ service.

-Jason
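
The transparent challenge handling described in the message above, as an added example (not part of the original post, and not code from Fetch or OPIE): a client-side helper that recognises an RFC 2289 otp-md5 challenge in a server prompt and computes the response, and that returns nothing instead of the passphrase when no challenge is present. The function names and the prompt strings are assumptions; only MD5 is handled and the response is given in hex rather than six-word form.

```python
import hashlib
import re

# Challenge format from RFC 2289: "otp-<algorithm> <sequence> <seed>"
CHALLENGE_RE = re.compile(r"otp-(md5)\s+(\d+)\s+([A-Za-z0-9]{1,16})\b")


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 128-bit digest to 64 bits (RFC 2289)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """Return the 64-bit one-time password for the given sequence number."""
    # Initial step: the seed is case-insensitive and is prepended to the passphrase.
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    # Computation step: apply the folded hash `sequence` more times.
    for _ in range(sequence):
        value = fold_md5(value)
    return value


def answer_prompt(prompt: str, passphrase: str):
    """Return a hex OTP response if the prompt carries a challenge, else None.

    Returning None rather than the passphrase means the caller never falls
    back to sending the reusable secret in the clear.
    """
    match = CHALLENGE_RE.search(prompt)
    if match is None:
        return None
    _algorithm, sequence, seed = match.groups()
    return otp_md5(passphrase, seed, int(sequence)).hex().upper()


if __name__ == "__main__":
    # Constructed server prompts; passphrase and seed are the RFC 2289 test values.
    for prompt in ("331 Response to otp-md5 99 TeSt required for jason.",
                   "331 Password required for jason."):
        print(repr(prompt), "->", answer_prompt(prompt, "This is a test."))
```

A caller that gets None back can warn the user or abort the login rather than silently sending the reusable password, which is the distinction the message says users tend not to make themselves.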