It's not possible to allow non-OPIE logins only from trusted networks

Lionel Flandrin simias.n at gmail.com
Tue Mar 15 22:44:31 UTC 2011


On Tue, Mar 15, 2011 at 09:02:56PM +0000, Miguel Lopes Santos Ramos wrote:
> 
> Sun, 2011-03-13 at 22:05 +0000, RW wrote:
> > On Sun, 13 Mar 2011 21:06:17 +0000
> > Miguel Lopes Santos Ramos <mbox at miguel.ramos.name> wrote:
> > > Ok, admittedly, it took me a while to see in what way that could be a
> > > weakness. It's a bit like hoping for a little remaining security after
> > > the password list was compromised.
> > 
> > It means they can compute keys that they already have on the printout
> > plus obsolete keys. In what sense is that a weakness?
> 
> Yes, also in my opinion that is not a weakness.
> I was trying to see the thing through the perspective of those who call
> it a weakness (it was a reply).
> Let's call it a non-strongness.
> 
> The point that I took a while to see and which I think it's the reason
> why they say it's a weakness, is that if an attacker only came to
> possess a future password (one with a lower sequence number), then he
> can trivially compute all previous passwords.
> 
> This is a non-strongness in the sense that if it weren't so, he might
> never get a chance of using that password.
> 
> Tue, 2011-03-15 at 11:43 +0100, Dag-Erling Smørgrav wrote:
> > Miguel Lopes Santos Ramos <mbox at miguel.ramos.name> writes:
> > > Ok, admittedly, it took me a while to see in what way that could be a
> > > weakness. It's a bit like hoping for a little remaining security after
> > > the password list was compromised.
> > 
> > OPIE is not designed to protect against a stolen password list; it is
> > designed to protect against replay attacks.
> 
> So I understand. That's why my words were such a feeble concession to
> that point of view.
> 
> The Wikipedia page for OTPW actually states that as a disadvantage of
> OPIE, making the point several times that OTPW is resistant to the case
> of a stolen password list.
> They also make the questionable argument of a paper being more portable
> than a calculator, which I also understand but don't agree with, because
> a calculator can be "transported" over the Internet easily.
> 
> I've been using OPIE for several years now, and I don't think OTPW would
> fit my usage patterns.

Agreed, I re-read the OTPW page in greater detail; I didn't realize
on my first read that it generates its password list "at random" and
not using a master password. It does make calculators useless and is
not what I was looking for. Sorry for not understanding that earlier.

Still, some other features of OTPW could be integrated into OPIE's
existing S/KEY algorithm, mainly the password prefix (gives me some
time to revoke the master password if my cell phone gets stolen) and
the locking preventing replay attacks.

By reading more about the S/KEY algorithm I see why by design you can
compute "higher" responses from any password and why it's clever, so
it's probably a good idea not to mess with that; however, 64 bits of
entropy per password feels a bit short by today's standards. Of course
increasing that might mean dropping the word list approach for a more
random stream of characters, unless you want to type a 50+ char
passphrase to log in.

> Sorry for cross-thread posting.

-- 
Lionel Flandrin
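The following is an added illustration of the S/KEY hash chain that the thread is discussing (Miguel's point that a "future" password with a lower sequence number yields every already-used one, and Lionel's remarks on computing "higher" responses and on the 64-bit width). It is not OPIE's code, nor anything posted in the thread: it is a small re-implementation of the RFC 2289 MD5 variant (hash, then XOR the two 8-byte halves down to 64 bits) with a toy server modelled on what /etc/opiekeys stores per user. The passphrase and seed values, the initial sequence number 100, the lowercasing of the seed (RFC 2289 makes the seed case-insensitive) and the six-word index encoding without the real 2048-word dictionary are all choices made for this example.

```python
"""S/KEY / OPIE hash chain, RFC 2289 MD5 variant (added example, not OPIE code)."""
import hashlib

# Constructed example values; the initial sequence number 100 is arbitrary.
PASSPHRASE = "This is a test."
SEED = "TeSt"
SEQ_INIT = 100


def fold_md5(data: bytes) -> bytes:
    """One computational step: MD5, then XOR the two halves down to 64 bits.
    This 64-bit truncation is where the entropy per password comes from."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """One-time password with sequence number n.
    Initial step hashes seed||passphrase (seed lowercased: assumption,
    following RFC 2289's case-insensitive seed), then n more steps.
    Because otp(n+1) == fold_md5(otp(n)), anyone holding otp(k) can compute
    every otp(m) with m > k, i.e. all the already-used (older) passwords."""
    x = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        x = fold_md5(x)
    return x


def derive_older(known: bytes, known_seq: int, target_seq: int) -> bytes:
    """What Miguel describes: from a future password (low sequence number)
    walk the chain forward to any previous password (higher number)."""
    if target_seq < known_seq:
        raise ValueError("cannot walk the chain backwards")
    x = known
    for _ in range(target_seq - known_seq):
        x = fold_md5(x)
    return x


class Server:
    """Per-user state as in /etc/opiekeys: seed, current sequence number and
    the 64-bit value the NEXT presented password must hash to. The passphrase
    itself is never stored, only the top of the chain."""

    def __init__(self, passphrase: str, seed: str, seq: int = SEQ_INIT):
        self.seed = seed
        self.seq = seq
        self.stored = otp(passphrase, seed, seq)

    def challenge(self) -> str:
        """The prompt the user sees, e.g. 'otp-md5 99 test'."""
        return f"otp-md5 {self.seq - 1} {self.seed.lower()}"

    def login(self, presented: bytes) -> bool:
        """Accept only the password one step below the stored one; then move
        the stored value down so the same password can never replay."""
        if self.seq <= 0 or fold_md5(presented) != self.stored:
            return False
        self.seq -= 1
        self.stored = presented
        return True


def checksum2(pw: bytes) -> int:
    """RFC 2289 two-bit checksum: sum of all 2-bit pairs, modulo 4."""
    v = int.from_bytes(pw, "big")
    return sum((v >> i) & 3 for i in range(0, 64, 2)) & 3


def to_word_indices(pw: bytes) -> list:
    """64 bits + 2-bit checksum = 66 bits = six 11-bit dictionary indices.
    That arithmetic is why the word list caps a password at 64 bits of entropy.
    (No dictionary embedded here, only the indices.)"""
    v = (int.from_bytes(pw, "big") << 2) | checksum2(pw)
    return [(v >> (55 - 11 * i)) & 0x7FF for i in range(6)]


def from_word_indices(idx: list):
    """Inverse of to_word_indices; returns None if the checksum does not match
    (what a verifier does when the user mistypes a word)."""
    v = 0
    for i in idx:
        v = (v << 11) | i
    pw = (v >> 2).to_bytes(8, "big")
    return pw if (v & 3) == checksum2(pw) else None


if __name__ == "__main__":
    srv = Server(PASSPHRASE, SEED)
    print(srv.challenge())
    first = otp(PASSPHRASE, SEED, SEQ_INIT - 1)
    print("login:", srv.login(first), "replay:", srv.login(first))
    print("older from newer:", derive_older(otp(PASSPHRASE, SEED, 50), 50, 99) == first)
```

Running it shows the two properties the thread is arguing about: the server rejects a replayed password because the stored value has moved down the chain, and a single captured low-numbered password reproduces every higher-numbered one, which are exactly the passwords already spent.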

