otpasswd-talk

Re: [Otpasswd-talk] Using OTP to kind of fix MITM.


From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Tue, 22 Dec 2009 16:52:15 +0100

On Tue, 22 Dec 2009 09:39:24 -0500
Luke Faraone <address@hidden> wrote:

> On Dec 22, 2009, at 4:42, Tomasz bla Fortuna <address@hidden> wrote:
> > This should be better than verifying the key fingerprint. Easier to
> > check, doesn't require remembering anything.
> If you're going to be printing out your PPP passkeys anyway,
> wouldn't it make sense to just include the ssh server fingerprint or
> randomart design on the sheet?
> 
> Thanks,
> Luke Faraone
Sure. There's even an entry in ChangeLog:
* [?] Incorporate SSH key fingerprints on passcards?

The problem is size. Passcards would have to be reorganized somehow.
A label can currently be only 29 characters long, which is not enough to
fit a fingerprint:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx  <- 29
66:78:1d:57:83:e0:35:d7:1d:ab:d3:9b:3c:a5:ee:df.
66781d5783e035d71dabd39b3ca5eedf - without the colons it won't fit either.
I wonder if using something like 66:78:1d:...:a5:ee:df is enough. Is
it hard to create a key with the same 6 fields of the fingerprint? Also we
can place the randomart on the back of the passcard. It might still be a bit
tricky to print. Can PuTTY display randomart?

We can put the whole fingerprint at the end of each passcard; still, I've
got no idea how to retrieve it from ssh in a program. This fingerprint
can also be sent via OOB.

OTP can for sure be used to authenticate the server the way I described it,
but I currently doubt it would be of much help. The MITM danger won't be
mitigated at all. It's theoretically easier to trick somebody into
logging into a dumb server (some DNS poisoning?) in order to get the next
passcode than to perform a whole MITM, but... how much more difficult?




-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be



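The message above raises two practical questions: how to obtain a host-key fingerprint from a program rather than from ssh's own output, and which form of it fits a 29-character passcard label. The Python below is an added example, not code from the otpasswd project or from anyone in this thread. It computes the MD5 fingerprint over the SSH wire-format key blob (the same bytes ssh-keygen hashes), checks the full, colon-free and abbreviated forms against the 29-character limit, and renders OpenSSH-style randomart with the "drunken bishop" walk from OpenSSH's key.c. The sample key line is constructed inline with a made-up modulus and is not a real host key; `LABEL_MAX`, `abbreviate` and the box-title layout are this example's own choices.

```python
"""Host-key fingerprint helpers for passcard labels (added example, not otpasswd code)."""
import base64
import hashlib
import struct

LABEL_MAX = 29  # passcard label limit stated in the thread


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer; the extra byte keeps the sign bit clear."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> bytes:
    """SSH wire-format 'ssh-rsa' public key blob (RFC 4253). Fingerprints are taken over this."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def blob_from_pubkey_line(line: str) -> bytes:
    """Pull the base64 key blob out of a known_hosts or authorized_keys style line."""
    fields = line.split()
    for i, f in enumerate(fields):  # known_hosts lines carry a hostname first
        if f.startswith("ssh-") or f.startswith("ecdsa-sha2-"):
            return base64.b64decode(fields[i + 1])
    raise ValueError("no public key found in line")


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form ssh-keygen printed in 2009."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def abbreviate(fingerprint: str, head: int = 3, tail: int = 3) -> str:
    """Keep only the first and last fields, e.g. 66:78:1d:...:a5:ee:df as proposed in the mail."""
    parts = fingerprint.split(":")
    return ":".join(parts[:head] + ["..."] + parts[-tail:])


def fits_label(text: str) -> bool:
    return len(text) <= LABEL_MAX


def randomart(digest: bytes, title: str = "RSA 2048") -> str:
    """OpenSSH 'drunken bishop' randomart: 17x9 field, start in the centre, each digest
    byte gives four diagonal moves (bit 0 = left/right, bit 1 = up/down, low bits first),
    moves are clamped at the border, and visit counts map onto the symbol string."""
    symbols = " .o+=*BOX@%&#/^SE"
    width, height = 17, 9
    field = [[0] * width for _ in range(height)]
    x, y = width // 2, height // 2
    for byte in digest:
        for _ in range(4):
            x = min(max(x + (1 if byte & 1 else -1), 0), width - 1)
            y = min(max(y + (1 if byte & 2 else -1), 0), height - 1)
            if field[y][x] < len(symbols) - 3:  # saturate at '^'
                field[y][x] += 1
            byte >>= 2
    field[height // 2][width // 2] = len(symbols) - 2  # 'S' marks the start
    field[y][x] = len(symbols) - 1                     # 'E' marks the end (may overwrite S)
    top = ("+--[" + title[: width - 4] + "]").ljust(width + 1, "-") + "+"  # ssh-keygen-like box
    rows = ["|" + "".join(symbols[c] for c in row) + "|" for row in field]
    return "\n".join([top] + rows + ["+" + "-" * width + "+"])


# Constructed sample: correct framing around a made-up 1024-bit modulus. NOT a real host key.
_SAMPLE_N = int("c0ffee" * 40, 16) | (1 << 1023) | 1
SAMPLE_LINE = ("host.example ssh-rsa "
               + base64.b64encode(build_rsa_blob(65537, _SAMPLE_N)).decode()
               + " constructed-sample")


def demo() -> dict:
    """Which fingerprint forms fit the label, plus randomart for the back of the card."""
    blob = blob_from_pubkey_line(SAMPLE_LINE)
    fp = md5_fingerprint(blob)
    return {
        "full": fp, "full_fits": fits_label(fp),
        "nocolon": fp.replace(":", ""), "nocolon_fits": fits_label(fp.replace(":", "")),
        "short": abbreviate(fp), "short_fits": fits_label(abbreviate(fp)),
        "art": randomart(hashlib.md5(blob).digest()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}:\n{value}" if "\n" in str(value) else f"{key}: {value}")
```

To cross-check against a real key, run `ssh-keygen -lf host_key.pub -E md5` (the `-E` switch exists from OpenSSH 6.8; older versions print MD5 by default) and compare with `md5_fingerprint`. The abbreviation trades security for space: only 48 of the 128 digest bits remain, so an attacker who can generate many keys needs on the order of 2^48 attempts to hit a matching 6-field prefix and suffix, which is far cheaper than a full MD5 collision.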