otpasswd-talk

Re: [Otpasswd-talk] GRC PPP newsgroup messages


From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] GRC PPP newsgroup messages
Date: Thu, 10 Dec 2009 00:15:37 +0100

On Wed, 9 Dec 2009 01:30:48 -0600
Hannes Beinert <address@hidden> wrote:

> Tomasz,
> 
> I spent some time tonight (too much time, actually :-) re-reading some
> of the old newsgroup messages on Gibson's newserver.  I remember that
> you wrote that you had some trouble with the GRC groups, so I've
> attached an archive containing a number of messages you might want to
> scan, just to get an idea of what was going on while PPP was evolving.
>  I only copied those messages which seemed slightly interesting, and
> started from late in the period where PPPv2 was being discussed.
> 
> One of the threads discusses the "best sequence key" search idea that
> Gibson employs, and the reasons he does this.  Frankly, I do think it
> is probably a good idea, although it's not critical.  Basically, he
> evaluates sequence keys for the number of repeated passcodes within a
> specified window.  He does this to reduce the likelihood that a replay
> attack will succeed, as well as eliminating the possibility of two
> identical passcodes appearing in close proximity on a (series of)
> passcards, thereby upsetting an end-user who doesn't comprehend the
> nature of "randomness" (:-).  The messages also show that Tom Fors was
> quite skeptical of this approach.
> 
> I also stumbled across a reference that Gibson had actually salted the
> counter initially, but had decided against it.  The reference is a bit
> oblique, but I believe that was the general import of his message.  To
> be clear, I don't think that what he writes invalidates our previous
> discussion, but I just wanted to cite the message.  The message is:
> 
>      From: Steve Gibson <address@hidden>
>      Subject: Re: OKAY -- PPPv2 stays EXACTLY as it is.
>      Date: Thu, 8 Nov 2007 12:18:24 -0800
>      Message-ID: <address@hidden>
> 
> Towards the end, there is also a quick exchange regarding the
> replacement of SHA256 with AES in PPP, and how it would have the
> advantage of increased entropy (more bits).
I'm not sure if he talked about this. They were talking about replacing
AES, which results in 128 bits of 'random' material, with plain SHA256,
which gives twice as many bits and generally should be random as well.
However, this would for sure solve my problem with PPP. ;)

So they are generally debating two separate issues:
1. Non-even bit distribution when the alphabet length is not of the
form 2^x.
2. Selecting a good sequence key by checking its first (say) 200'000
passcodes for duplications.

The first thing is what I checked in a testcase which is now commented
out because it failed.  (I'll redo this testcase a bit so that it checks
not the bit distribution but the characters themselves; this would get
correct results if they are random, even for 88-long alphabets.) Steve
kind of explained somewhere why it's not a big deal.

The second can be done; it's really not a big deal to implement, but I'd
save it for later, when all other things work. As you said, even Steve
doesn't talk about it as an obligatory invention. Also, I guess it makes
sense mostly to ensure the user won't be surprised by getting two
identical passcodes in a row. If passcodes are totally random then it
does not lessen security anyhow.

I'll have some time this weekend. I passed yesterday's exam, so
I'm safe for now. ;)

-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be

Attachment: signature.asc
Description: PGP signature
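
An added example, not part of the original message and not otpasswd's code: it puts the bit-level check next to the character-level check for an 88-character alphabet, and counts passcode repeats inside a window as a sequence-key quality measure. The SHA-256 stand-in for the cipher, the repeated-division conversion, the 4-character passcode length, the demo key and all function names are assumptions made for this sketch.

```python
import hashlib
from collections import Counter

ALPHABET_LEN = 88                 # alphabet size mentioned in the message
CODE_LEN = 4                      # assumed passcode length
KEY = b"constructed demo key"     # constructed sample sequence key

def block(key: bytes, counter: int) -> int:
    """128 pseudo-random bits for one counter value (SHA-256 stand-in, an assumption)."""
    digest = hashlib.sha256(key + counter.to_bytes(16, "little")).digest()
    return int.from_bytes(digest[:16], "little")

def passcode(key: bytes, counter: int) -> tuple:
    """Convert one block into CODE_LEN character indices by repeated division."""
    value = block(key, counter)
    out = []
    for _ in range(CODE_LEN):
        value, idx = divmod(value, ALPHABET_LEN)
        out.append(idx)
    return tuple(out)

def bit_frequencies(indices):
    """Fraction of indices with each of the 7 index bits set (bit-level check)."""
    n = len(indices)
    return [sum((i >> b) & 1 for i in indices) / n for b in range(7)]

def chi_square(indices):
    """Chi-square statistic of character counts against a uniform 88-way split."""
    expected = len(indices) / ALPHABET_LEN
    counts = Counter(indices)
    return sum((counts.get(c, 0) - expected) ** 2 / expected
               for c in range(ALPHABET_LEN))

def repeats_in_window(codes, window):
    """Count passcodes identical to one seen at most `window` positions earlier."""
    last, hits = {}, 0
    for i, code in enumerate(codes):
        if code in last and i - last[code] <= window:
            hits += 1
        last[code] = i
    return hits

if __name__ == "__main__":
    codes = [passcode(KEY, c) for c in range(20000)]
    chars = [i for code in codes for i in code]
    print("bit frequencies:", [round(f, 3) for f in bit_frequencies(chars)])
    print("chi-square (87 degrees of freedom):", round(chi_square(chars), 1))
    print("repeats within 200 passcodes:", repeats_in_window(codes, 200))
```

Even a perfectly uniform draw from 0..87 sets the top index bit only 24 times out of 88, so a test that expects every bit to be set half the time fails on correct output, while the chi-square statistic over characters stays near its 87 degrees of freedom.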

