Newsgroups: comp.protocols.kerberos
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!snorkelwacker.mit.edu!stanford.edu!SIMPACT.COM!cjr
From: cjr@SIMPACT.COM (Chris Riddick)
Subject: Re: Onetime passwords
Message-ID: <9105221224.aa06944@nss1.simpact.COM>
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Date: Wed, 22 May 1991 12:24:39 GMT
Lines: 56

You are correct in your description of a one-time password system. The attack you described does take advantage of the vulnerability created by using a user-selected password and a handheld that transforms the password into a key. However, there are other forms of one-time password systems that DO NOT derive the one-time key from a user-entered value, but rather are synchronized from time zero between the host (Kerberos) and the user (handheld).

The paper analog to this is the classic one-time pad used by the cloak-and-dagger people in the government. In this system, there are two sets of pads, one for the encryptor and one for the decryptor. They both start at the same place on the pad, using the same sequence of random bits to begin the encryption. As the bits are used, they are thrown away. If you ever get out of sequence, you're in trouble. But it is very effective and very secure. The ONLY way for someone to break the encryption is to steal one of the two pads.

Now, if we were to simplify this paper technique into something that generated a one-time password while synchronized between the encryptor and decryptor, then we would be able to avoid any sort of dictionary attack, because the key is not generated from a password entered by a user, but from a seed embedded in a handheld AND synchronized with the seed and key generator at the host (Kerberos). Even if you knew the seed and the algorithm, you would still have the problem of synchronization to contend with.
If the recomputing of the key is performed often enough (say, every 30-60 seconds), it doesn't leave much opportunity for an attacker to generate the key and beat you to the login. Realize that once used, the key is not reused. The next valid key will be the next i in sequence generated by the handheld.

There is still a vulnerability here, but it IS NOT due to a dictionary attack. It is that the attacker COULD acquire the handheld, acquire the user's PIN (used just like the PIN for an ATM at a bank), and then log in as that user. The attacker could also perform cryptanalysis on the TGT that is returned encrypted in the special one-time password. If successful, he would be able to decrypt the TGT. However, he would NOT have the user's password. Every time he wanted to do this he would have to perform the cryptanalysis on the TGT to get the one-time password. This limits the vulnerability to the lifetime of the TGT rather than to the lifetime of the password.

As Jon so aptly noted, security is a matter of degree. You implement only as much as you feel your threats and assets require. Any more is a waste of resources. I believe that for many environments, what we have been discussing over the past couple of days is NOT a threat that would be assigned a high risk value. That does not allow us to ignore the fact that there is a threat, so we need to carry on these types of analyses to find out if there are holes in any of the mechanisms.

It is obvious that there are several types of one-time systems. It is also apparent that we have been discussing more than one threat. I am in agreement with you about the attacks on the password system you described, but I believe I was thinking about a different problem, and that was of the elimination of the user-defined password altogether.

-- Chris
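The synchronized handheld/host scheme the post describes (shared seed embedded at time zero, a value recomputed every 30-60 seconds, no value accepted twice, a PIN checked alongside it), as an added example that is not part of the original thread or of any Kerberos implementation. The derivation function, the 30-second step, the six-digit truncation, the one-step drift window and the `Handheld`/`Host` classes are all assumptions of this example: the value is computed as HMAC-SHA1 over the seed and a time-step counter in the style of RFC 4226/6238, which did not exist in 1991, and the host records the highest counter it has consumed so that a replayed value, or one from an out-of-sync handheld, is refused. The seed and PIN are constructed sample data.

```python
"""Time-synchronized one-time password: handheld and host share a seed and a
clock, never a user-chosen password. Added example; all design choices below
(HMAC-SHA1, 30 s step, 6 digits, +/-1 step drift) are assumptions, not the
scheme discussed in the thread."""

import hashlib
import hmac
import struct

STEP_SECONDS = 30   # recompute the value every 30 s (assumed step)
DIGITS = 6          # assumed output length


def step_counter(unix_time, step=STEP_SECONDS):
    """The 'i in sequence': both sides derive it from the shared clock."""
    return int(unix_time) // step


def one_time_value(seed, counter, digits=DIGITS):
    """HMAC-SHA1(seed, counter) dynamically truncated to `digits` decimal digits
    (RFC 4226 style; an assumed construction, not the post's)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


class Handheld:
    """Token with an embedded seed; the user never types a password."""

    def __init__(self, seed):
        self._seed = seed

    def current_value(self, now):
        return one_time_value(self._seed, step_counter(now))


class Host:
    """The host (Kerberos) side: same seed, same clock, plus a PIN and a
    record of the last counter consumed so no value is ever reused."""

    def __init__(self, seed, pin, drift=1):
        self._seed = seed
        self._pin = pin
        self._drift = drift          # tolerated clock skew, in steps
        self._last_counter = -1      # highest counter already accepted

    def verify(self, pin, value, now):
        if not hmac.compare_digest(pin, self._pin):
            return False             # wrong PIN: reject before touching the seed
        c = step_counter(now)
        for cand in range(c - self._drift, c + self._drift + 1):
            if cand <= self._last_counter:
                continue             # used (or older than a used one): never again
            if hmac.compare_digest(one_time_value(self._seed, cand), value):
                self._last_counter = cand
                return True
        return False                 # out of sync or forged: nothing matched


def demo():
    """Walk through the cases the post raises; returns a tuple of outcomes."""
    seed = b"constructed-shared-seed-0001"   # constructed sample seed
    hh, host = Handheld(seed), Host(seed, pin="4321")   # constructed PIN
    t0 = 1_000_000_000
    v0 = hh.current_value(t0)
    first = host.verify("4321", v0, t0 + 5)                   # fresh value: True
    replay = host.verify("4321", v0, t0 + 10)                 # same value again: False
    later = host.verify("4321", hh.current_value(t0 + 60), t0 + 60)   # next step: True
    stale = host.verify("4321", v0, t0 + 120)                 # 4 steps old: False
    bad_pin = host.verify("0000", hh.current_value(t0 + 150), t0 + 150)   # False
    return first, replay, later, stale, bad_pin


if __name__ == "__main__":
    print(demo())
```

The drift window is what stands in for "getting out of sequence": a handheld whose clock has wandered more than one step from the host's produces values the host will never accept, which is the synchronization problem the post says an attacker who knew the seed would still face. Knowing the seed and algorithm but not the host's consumed counter also does an attacker no good for any value the legitimate user has already spent.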