otpasswd-talk

[Otpasswd-talk] Using OTP to kind of fix MITM.


From: Tomasz bla Fortuna
Subject: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Tue, 22 Dec 2009 10:42:36 +0100

Hi,

1) There's a tagged 0.5pre1 in the repository which seems to more or less
work. It uses a global config, but not yet a global database of keys.

2) OTP can be used at some cost to prevent man-in-the-middle attacks
also! I kind of like this idea. This would work like this:
Before logging in, the user is presented with a brand new passcode and
asked for his new passcode.

The user first verifies that the passcode presented is correct and
matches the one on his passcard, and only if it does he enters his next
passcode.

There are, of course, problems:
Passcodes are being used up twice as fast (unless we agree that this
passcode might be an already used one, but this is not perfect). And
how can this work with an OOB-only authentication scheme...

This should be better than verifying a key fingerprint. Easier to
check, doesn't require remembering anything.

Can be set to always occur or to be used on request (like OOB).


Cheers!
-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be
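
A sketch of the exchange proposed in the message above, added here as an example and not otpasswd code: the HMAC-based `passcode` generator, the `Server` and `User` classes and the key are assumptions made for illustration. The server proves itself with passcode n, the user answers with passcode n+1, and the counter advances by two per login.

```python
import hashlib
import hmac

ALPHABET = "23456789abcdefghijkmnpqrstuvwxyz"  # constructed 32-symbol set


def passcode(key: bytes, index: int, length: int = 4) -> str:
    """Passcode number `index` (assumed HMAC generator, not otpasswd's)."""
    digest = hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


class Server:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def begin(self):
        """Show passcode `counter` as proof of holding the key, then burn it."""
        shown = self.counter
        self.counter += 1  # a proof is never shown twice, even if login stops here
        return shown, passcode(self.key, shown)

    def finish(self, response: str) -> bool:
        """Check the user's answer (the passcode after the proof) and burn it."""
        expected = passcode(self.key, self.counter)
        self.counter += 1
        return hmac.compare_digest(expected, response)


class User:
    def __init__(self, passcard: dict):
        self.passcard = passcard  # index -> passcode, as printed on paper

    def respond(self, shown_index: int, shown_code: str):
        """Give the next passcode only if the server's proof matches the card."""
        if not hmac.compare_digest(self.passcard[shown_index], shown_code):
            return None  # proof is wrong: reveal nothing
        return self.passcard[shown_index + 1]


def demo():
    key = b"constructed-demo-key"  # sample value for this example
    user = User({i: passcode(key, i) for i in range(10)})
    server = Server(key)
    idx, proof = server.begin()
    accepted = server.finish(user.respond(idx, proof))
    impostor = Server(b"a-different-key")  # endpoint that lacks the user's key
    leaked = user.respond(*impostor.begin())
    return accepted, server.counter, leaked
```

The check rejects an endpoint that does not hold the user's key. An intermediary that forwards both messages to the real server in real time passes along the correct passcodes, so the check does not cover that case.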
