Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!spool.mu.edu!agate!riacs!stanford.edu!B.GP.CS.CMU.EDU!mdl
From: mdl@B.GP.CS.CMU.EDU (Mark Lillibridge)
Newsgroups: comp.protocols.kerberos
Subject: Onetime passwords
Message-ID: <9105211435.AA12196@ATHENA.MIT.EDU>
Date: 21 May 91 14:34:58 GMT
Article-I.D.: ATHENA.9105211435.AA12196
References: <9105211238.aa10181@nss1.simpact.COM>
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Lines: 48

> From: Chris Riddick
> Date: Tue, 21 May 91 8:38:27 EDT
>
> ...
>
> You made an assumption that the method used to generate the one-time
> password depended upon a seed value chosen by the user.

If the seed value is chosen by the user, you could have a problem with
dictionary attacks. If the seed value is chosen randomly, obviously, you
can't have a problem with a dictionary attack as there is no dictionary
involved. The latter case solves the problem but the use of one-time
passwords is not why it does so. The randomly chosen key is the reason.

> If the method of generating the one-time password can be shown to
> protect the seed value, then simply breaking the encryption to get into
> the TGT only gives the onetime password. You cannot reuse the TGT and
> the password cannot be reused. If you have no way of working back to
> the original seed value, then you have rendered the attack ineffective
> (other than deciphering the TGT, which exposes the session key between
> the user and the Kerberos server).

Let me give a concrete example. Suppose the user chose "Fred" as her
password. Now, when it is time to log in, Kerberos picks a random key r.
Kerberos then encrypts r with a key derived from "Fred" to get k.
Kerberos then sends the normal TGT information encrypted with k together
with r. The user is then challenged with r. She types r into her
handheld, which encrypts it with the key derived from "Fred", thus
obtaining k, which it then displays. She then types in k and
authentication proceeds in the obvious manner. I would call this a
"one-time password system". Let me know if you disagree.

How can I check if her password is "Fred"? Well, I take a handheld, type
in "Fred" as the key, then r [from a previous TGT request]. If the
handheld responds with k, her password is indeed "Fred"; otherwise it is
not. Thus, by this technique, given an r-k pair from a previous
successful login, I can very quickly discover the user's password if it
is in a small dictionary. This meets my definition of a successful
dictionary attack.

I note that by using randomness on both sides of the connection, it may
be possible to foil dictionary attacks. I mentioned this in my first
reply. However, the protection comes from the randomness, not the
one-time password part.

- Mark Lillibridge
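An added simulation of the handheld exchange Mark describes (example code, not from the post or from any Kerberos implementation). It models "encrypt r with the key derived from the password" as HMAC-SHA256 over r (an assumption; the post names no cipher) and shows the point of both halves of the argument: one observed r-k pair is enough to verify candidate passwords offline when the seed is the user-chosen "Fred", while the same check over the same dictionary finds nothing when the seed is a randomly chosen key. The dictionary is constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

# Constructed stand-in for "a small dictionary" of likely user-chosen passwords.
DICTIONARY = ["alice", "Fred", "kerberos", "password", "letmein"]


def derive_key(password: str) -> bytes:
    # Key derived from the password (stand-in for a string-to-key step).
    return hashlib.sha256(password.encode()).digest()


def encrypt_challenge(password: str, r: bytes) -> bytes:
    # What the handheld computes: the challenge r under the password-derived key.
    # Modelled as HMAC-SHA256 used as a keyed PRF (assumption, see lead-in).
    return hmac.new(derive_key(password), r, hashlib.sha256).digest()


def login_exchange(password: str) -> Tuple[bytes, bytes]:
    # One login: Kerberos picks a random r and expects k = E_K(password)(r);
    # the user reads r, types it into the handheld and types the displayed k back.
    # Returns the (r, k) pair that is visible to anyone watching the exchange.
    r = os.urandom(16)                           # Kerberos side: random challenge
    k_expected = encrypt_challenge(password, r)  # Kerberos side: expected answer
    k_typed = encrypt_challenge(password, r)     # handheld side: same computation
    if not hmac.compare_digest(k_expected, k_typed):
        raise ValueError("authentication failed")
    return r, k_typed


def password_from_pair(r: bytes, k: bytes, dictionary: List[str]) -> Optional[str]:
    # The check the post describes: feed each candidate password and the observed r
    # to a handheld and see whether it displays the observed k. Needs no further
    # contact with Kerberos, which is what makes it an offline dictionary attack.
    for candidate in dictionary:
        if hmac.compare_digest(encrypt_challenge(candidate, r), k):
            return candidate
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    # Weak seed: user-chosen "Fred" is in the dictionary, so one pair reveals it.
    r, k = login_exchange("Fred")
    weak = password_from_pair(r, k, DICTIONARY)
    # Strong seed: a random 128-bit key. The one-time mechanism is unchanged; only
    # the key differs, and the same check over the same dictionary finds nothing.
    r2, k2 = login_exchange(secrets.token_hex(16))
    strong = password_from_pair(r2, k2, DICTIONARY)
    return weak, strong
```

Running `demo()` returns `("Fred", None)`: the randomness of r does nothing to protect a guessable seed, which is Mark's point that the random key, not the one-time property, is what removes the dictionary.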