otpasswd-talk

Re: [Otpasswd-talk] Using OTP to kind of fix MITM.


From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Tue, 22 Dec 2009 10:58:51 +0100

On Tue, 22 Dec 2009 10:42:36 +0100
Tomasz bla Fortuna <address@hidden> wrote:

> Hi,
> 
> 1) There's a tagged 0.5pre1 in repository which seems to more/less
> work. It uses global config, but not yet a global database of keys.
> 
> 2) OTP can be used at some cost to prevent man-in-the-middle attacks
> also! I kind of like this idea. This would work like this:
> Before logging in, the user is presented with a brand new passcode and
> asked for his new passcode.
> 
> User at first verifies that the passcode presented is correct and
> matches the one on his passcard and only if it does he enters his next
> passcode.
> 
> There are of course problems:
> Passcodes are being used up twice as fast (unless we agree that this
> passcode might be an already used one, but this is not perfect). And
> how can this work with an OOB-only authentication scheme...
> 
> This should be better than verifying a key fingerprint. Easier to
> check, doesn't require remembering anything.
> 
> Can be set to always occur or to be used on request (like OOB).
> 
> 
> Cheers!

Heh. Reconsidering, it's kind of a not well-thought-out idea. :P This can
help against some attacks but certainly not MITM.

If the attacker completely took over the connection without
connecting further to our server, then we could ensure we're talking to the
right server and prevent ourselves from sending it the next valid
passcode (which would still be valid to use for authentication). But
that's all. And I wonder if such an attacker would have to do much more to
perform a correct MITM. I'll give it a thought still. Maybe it's worth
doing, and maybe it can be changed somehow to perform better with the
use of OOB.


-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be
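The exchange discussed in this thread, as an added toy model that is not otpasswd's code and not the author's: both sides hold the same ordered passcard (constructed sample strings here; a real passcard is derived from a secret key), the server first shows the next unused passcode so the user can check it, and only then does the user send the following passcode. The three scenario functions are assumptions of this model, not anything from the list: an honest login, an impostor that owns the connection but never reaches the real server (with and without the mutual check), and a relaying man-in-the-middle that forwards both messages unchanged.

```python
from dataclasses import dataclass

# Constructed passcard shared by server and user; values are arbitrary samples.
PASSCARD = ["a3kd", "z9pq", "m1xw", "t7rn", "b4hs", "q2lc"]


@dataclass
class Party:
    """One holder of the passcard; `counter` is the index of the next unused code."""
    card: list
    counter: int = 0

    def take(self):
        """Consume and return the next unused passcode."""
        code = self.card[self.counter]
        self.counter += 1
        return code

    def matches(self, shown):
        """Compare a presented code against the next unused one (consuming it)."""
        return shown == self.take()


def honest_login():
    """Server shows a code, user verifies it, user answers with the next one.
    Returns the outcome and how many of the user's codes the login cost."""
    server, user = Party(list(PASSCARD)), Party(list(PASSCARD))
    shown = server.take()                 # server -> user: "prove you're my server"
    if not user.matches(shown):
        return "aborted", user.counter
    answer = user.take()                  # user -> server: the next passcode
    return ("ok" if server.matches(answer) else "denied"), user.counter


def impostor_login(mutual_check=True, fake_code="zzzz"):
    """Attacker terminates the connection itself and never talks to the real
    server, so it has no way to know the code the user expects.
    Returns the outcome and the passcode the attacker obtained, if any."""
    user = Party(list(PASSCARD))
    if mutual_check and not user.matches(fake_code):
        return "aborted", None            # user refuses; no valid code is sent
    return "leaked", user.take()          # without the check the user hands one over


def relay_login():
    """Full MITM: the attacker relays the server's code to the user and the
    user's answer back to the server. Both checks pass, which is the point
    the reply above makes: this scheme does not stop a relaying attacker.
    Returns the outcome and every message the relay saw."""
    server, user = Party(list(PASSCARD)), Party(list(PASSCARD))
    seen = []
    shown = server.take()
    seen.append(shown)                    # relay forwards it unchanged
    if not user.matches(shown):
        return "aborted", seen
    answer = user.take()
    seen.append(answer)                   # relay forwards it unchanged
    return ("ok" if server.matches(answer) else "denied"), seen


if __name__ == "__main__":
    print("honest  :", honest_login())
    print("impostor:", impostor_login(), "| without mutual check:", impostor_login(False))
    print("relay   :", relay_login())
```

The honest run costs two passcodes per login, matching the "used up twice as fast" objection in the quoted message; the impostor run shows what the check does buy (no valid passcode leaves the user), and the relay run shows the limit the reply points out.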


