Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!bellcore!epic!karn
From: karn@epic..bellcore.com (Phil R. Karn)
Newsgroups: comp.org.eff.talk
Subject: Re: stealing passwords is easy!
Message-ID: <1991Jun2.215059.22125@bellcore.bellcore.com>
Date: 2 Jun 91 21:50:59 GMT
References: <14715.2845348B@fidogate.FIDONET.ORG>
Sender: usenet@bellcore.bellcore.com (Poster of News)
Organization: Bell Communications Research, Inc
Lines: 37

I have been working on a scheme that would thwart the attack just mentioned here. It's called "MINK".

MINK is a one-time-password scheme that uses an iterated one-way function. (We're currently using the MD-4 cryptographic hash function as the basis of the one-way function.) Each time you log in, the password you send over the wire is different. You precompute the series of passwords by running your "real" (secret) password through the one way function using local, trusted computer hardware. Then you use the sequence you just created in REVERSE ORDER. E.g., if you start by generating a list of 100 iterated passwords, you first use password #100, then password #99 the next time you log in, and so on.

The system you're logging onto verifies your identity by running your new password through the one way function once and comparing the result to the password you sent the last time you logged in. If they match, the password you just sent replaces the entry in the password file for next time. When the iteration count goes to zero, you reinitialize the system after you log in by picking a new password, running it through the one-way function 100 times, and sending that to the system.

If the one-way function is fast enough, you don't have to actually precompute the list of one-time passwords; you can run the proper number of iterations "on the fly" each time you log in. Our MD-4 based function is fast enough on the PC to allow this.

All this makes it impossible for someone eavesdropping on you as you log in to determine the next password to use, since that would require inverting the one-way function. If your passwords are well chosen (i.e., if they're not found by the usual dictionary searches) then even the password file on the host system would be useless to an attacker. This would have helped considerably in the case of the "evil BBS sysop".

Phil
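
Added example, not part of the original post and not the author's code: a small Python model of the login exchange described above, showing the host-side check, the rejection of a replayed password, and the point at which the chain must be reinitialized. SHA-256 stands in for the MD-4 based function, and the names f, iterate, Host, Client, the user name and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac

def f(x: bytes) -> bytes:
    # One-way function. Assumption: SHA-256 replaces the post's MD-4 based function.
    return hashlib.sha256(x).digest()

def iterate(secret: bytes, n: int) -> bytes:
    # Apply f to the secret n times, computed "on the fly" as the post allows.
    for _ in range(n):
        secret = f(secret)
    return secret

class Host:
    # Keeps only the last accepted one-time password for each user.
    def __init__(self):
        self.stored = {}

    def enroll(self, user: str, top: bytes) -> None:
        self.stored[user] = top          # top = f applied N times to the secret

    def login(self, user: str, otp: bytes) -> bool:
        last = self.stored.get(user)
        if last is None or not hmac.compare_digest(f(otp), last):
            return False                 # wrong, stale or replayed password
        self.stored[user] = otp          # accepted value becomes the next check value
        return True

class Client:
    # Holds the real secret on local, trusted hardware and counts down the chain.
    def __init__(self, secret: bytes, n: int):
        self.secret, self.count = secret, n

    def initial(self) -> bytes:
        return iterate(self.secret, self.count)

    def next_otp(self) -> bytes:
        if self.count <= 1:              # never send iteration 0, the secret itself
            raise RuntimeError("chain exhausted: pick a new password and re-enroll")
        self.count -= 1
        return iterate(self.secret, self.count)

def demo():
    host, client = Host(), Client(b"constructed-sample-secret", 5)
    host.enroll("karn", client.initial())
    otp1 = client.next_otp()
    first = host.login("karn", otp1)     # genuine login
    replay = host.login("karn", otp1)    # eavesdropper resends the captured value
    second = host.login("karn", client.next_otp())
    return first, replay, second

if __name__ == "__main__":
    print(demo())
```

The host never stores or receives the secret itself, only values one or more applications of f away from it.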