Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!spool.mu.edu!agate!stanford.edu!SIMPACT.COM!cjr From: cjr@SIMPACT.COM (Chris Riddick) Newsgroups: comp.protocols.kerberos Subject: Onetime passwords Message-ID: <9105211238.aa10181@nss1.simpact.COM> Date: 21 May 91 12:38:27 GMT Article-I.D.: nss1.9105211238.aa10181 Sender: news@shelby.stanford.edu (USENET News System) Organization: Internet-USENET Gateway at Stanford University Lines: 47 My note: >> From: Chris Riddick >> >> There is a way to render the dictionary attack ineffective. That is the use >> of one-time passwords. With a onetime password, even a TGT that was stolen >> simply by eavesdropping during login would not be useful. The password that >> was extracted via the dictionary attack (other other cryptanalysis) was only >> good for that login (i.e., TGT). The next time the user logs in, a >> different password will be required. You responded with: > No. "One-time passwords" (this is really the wrong term for >this, but I know what you mean from the previous time you explained >yourself), do NOT by themselves render the dictionary attack >ineffective. If the user chooses his/her own master password, the fact >that one-time passwords are generated from it will not make the attack >impossible. [The details of how to alter the attack to deal with this >are left to the reader.] > > However, forcing the user to use a randomly generated password >will render the dictionary attack useless. Granted, this is >particularly easy to do when the user already has to carry a one-time >password generator device around with him/her. You made an assumption that the method used to generate the one-time password depended upon a seed value chosen by the user. If the method of generating the one-time password can be shown to protect the seed value, then simply breaking the encryption to get into the TGT only gives the onetime password. You cannot reuse the TGT and the password cannot be reused. If you have no way of working back to the original seed value, then you have rendered attack ineffective (other than deciphering the TGT, which exposes the session key between the user and the Kerberos server). There are two threats to protect against here. The first is the protection of the password for kerberos login. The second is the privacy of the communications between the user and the kerberos server. A properly generated one-time password will protect the kerberos login. However, any successful cryptographic attack against the TGT will expose the session key. Obviously, a proper solution has to address both of these vulnerabilities. The key aspect of the onetime password is that we can ensure that the attacker does not gain access to the kerberos server to get another TGT (an auditable event). The user is vulnerable during the period before the TGT expires/revoked if the encryption is broken. Chris Riddick