Re: [Otpasswd-talk] Using OTP to kind of fix MITM.


From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Tue, 22 Dec 2009 17:56:02 +0100

On Tue, 22 Dec 2009 11:19:52 -0500, Luke Faraone <address@hidden> wrote:

> On Tue, Dec 22, 2009 at 10:52, Tomasz bla Fortuna <address@hidden>
> wrote:
> 
> > Problem is with size. Passcards would have to be reorganized
> > somehow. Label can be currently only 29 character long, which is
> > not enough to fit fingerprint [...]
> > Is it hard to create a key with same 6 fields of fingerprint?
> >
> 
> It is computationally feasible with today's technology.
> 
> Would it be acceptable to split the key along multiple lines?

I guess.

But it won't all fit:
0f:8a:4e:23:89:74:92:6c:1a:d1:7b:2f:0b:f0:d1:cf
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16

Let's see. It generally won't simply fit either horizontally or vertically:

Reactor                            [1] 01
    A    B    C    D    E    F    G    02
 1: wU7L Gpo5 #JW6 taB: huCz 8KE+ XuHm 03 
 2: %gHt WAgM !z8j gf=C fecp iqNa sxLV 04
 3: zY2P CbHj T%LF k8dm f#qr qDSe 8JBe 05
 4: tKg? tf8D 9t8E gLWG zruA 6jCx aoqi 06
 5: ?kKD MyUP xyB+ aL%H 7AAY 8CNY jXBs 07
 6: z4iJ RKtT VTks eyjt ecgY !Ap8 syYg 08
 7: rhXP dwxk SBzb Vs6H opCN =J9J p%39 09
 8: gYNB mW+S SJDS Xhx8 RLqe VncW MMs2 10
 9: NsFT 4s!@ ntJA didp u#Wu 2UBB %o#P 11
10: vLnn f!Kt xuT8 FhH: bZA= hRhK MChS 12 <- 4 blocks omitted
01:02:03:04:05:06:07:08:09:10:11:12:13:14:15:16 <- won't fit
0102:0304:0506:0708:0910:1112:1314:1516  <- some : removed
0102:0304:0506:07080910:1112:1314:1516 <- this fits

Removing some ':' and laying it out horizontally might be the easiest way
to fit the whole key while retaining some readability.

LaTeX output would have to have two pages, the second with the randomart +
fingerprint.

Back page could look like this:

      xxxxxxxxpasscard width marker xxxxxxxx 
01:   Hostname
02:   01:02:03:04:05:06:07:08
03:     |   o.  .=..      |
04:     |   .+ o= o       |
05:     |  .. o..+ =      |
06:     | .  .  o B o     |
07:     |. o     S +      |
08:     |.o .     .       |
09:     |o E              |
10:     | .               |
11:     |                 |
12:   09:10:11:12:13:14:15:16

Or:
      xxxxxxxxpasscard width marker xxxxxxxx 
01:   Hostname
02:   +--[ RSA 2048]----+  
03:   |   o.  .=..      |    Fingerprint:
04:   |   .+ o= o       |    01:02:03:04
05:   |  .. o..+ =      |    05:06:07:08
06:   | .  .  o B o     |    09:10:11:12
07:   |. o     S +      |    13:14:15:16
08:   |.o .     .       |
09:   |o E              |
10:   | .               |
11:   |                 |
12:   +-----------------+

Printing would have to be fairly accurate, as there is little vertical
space.

> > Also we can place randomart on the back of the passcard. It might be a
> > bit tricky to print still. Can PuTTY display randomart?
> 
> Not currently. I'll send in a feature request, and will see if the
> algorithm can be extracted from OpenSSH.
> 
> > We can put the whole fingerprint at the end of each passcard; still
> > I've got no idea how to retrieve it from ssh in a program.
> 
> $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
> 2048 0f:8a:4e:23:89:74:92:6c:1a:d1:7b:2f:0b:f0:d1:cf /etc/ssh/ssh_host_rsa_key.pub (RSA)
> 
This is not perfect, as the location of the key file depends on sshd_config
entries, which would have to be parsed... But I guess there's no other
way than to call something in the terminal and harvest the result.

I thought about simply using the API from OpenSSL somehow.

-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be

Attachment: signature.asc
Description: PGP signature
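Editor's note, not part of either mail and not otpasswd code: the SSH-side pieces argued over above (finding the key files sshd actually uses from sshd_config, getting the fingerprint without scraping `ssh-keygen -l` output, packing it into a row of a given width by dropping ':' from the middle as in the 7-group layout, and the randomart Luke wanted extracted from OpenSSH) as one added Python example. The sshd_config text and the public key line are constructed for the example (the 2048-bit modulus is not a real RSA key); the default HostKey list is the assumed OpenSSH 5.x-era pair; `fit_fingerprint` is an invented helper that generalises the post's single ':'-dropping step; the MD5 colon form is the fingerprint format of the time, not today's SHA256 default.

```python
"""Added example (editor's, not otpasswd or OpenSSH code): the SSH side of the
thread done in-process instead of scraping `ssh-keygen -l`.  The config text
and key below are constructed; the modulus is not a real RSA key."""
import base64
import hashlib
import re
import struct

# Assumption: OpenSSH 5.x-era defaults sshd uses when no HostKey is configured.
DEFAULT_HOSTKEYS = ["/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_dsa_key"]


def hostkey_paths(config_text):
    """HostKey paths from sshd_config text, else the defaults.  Keywords are
    case-insensitive and written 'Keyword value' or 'Keyword=value'."""
    found = []
    for raw in config_text.splitlines():
        m = re.match(r"(\w+)\s*=?\s*(\S.*)", raw.split("#", 1)[0].strip())
        if m and m.group(1).lower() == "hostkey":
            found.append(m.group(2).strip())
    return found or list(DEFAULT_HOSTKEYS)


def ssh_string(b):                     # RFC 4251 string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b


def mpint(n):                          # RFC 4251 mpint: extra 0x00 if top bit set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def blob_strings(blob):
    """Split a key blob into its length-prefixed strings."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out


def parse_pubkey_line(line):
    """'type base64 [comment]' as in a *.pub file -> (type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return fields[0], base64.b64decode(fields[1])


def key_bits(blob):
    """What ssh-keygen -l reports: bits of the RSA modulus n or the DSA p."""
    fields = blob_strings(blob)
    ktype = fields[0].decode()
    idx = {"ssh-rsa": 2, "ssh-dss": 1}.get(ktype)
    if idx is None:
        raise ValueError("unsupported key type " + ktype)
    return int.from_bytes(fields[idx], "big").bit_length()


def md5_fingerprint(blob):
    """The colon-separated MD5 form ssh-keygen -l printed at the time."""
    d = hashlib.md5(blob).hexdigest()
    return ":".join(d[i:i + 2] for i in range(0, 32, 2))


def fit_fingerprint(fp, width):
    """Invented helper generalising the post: 4-digit groups, dropping ':'
    from the middle outwards until the row fits in `width` columns."""
    digits = fp.replace(":", "")
    if len(digits) != 32 or width < 32:
        raise ValueError("32 hex digits need at least 32 columns")
    groups = [digits[i:i + 4] for i in range(0, 32, 4)]
    keep = set(range(1, 8))                   # the 7 gaps between 8 groups
    for gap in (4, 3, 5, 2, 6, 1, 7):         # centre gap goes first
        if 32 + len(keep) <= width:
            break
        keep.discard(gap)
    return "".join((":" if i in keep else "") + groups[i] for i in range(8))


FLDSIZE_X, FLDSIZE_Y, AUGMENTATION = 17, 9, " .o+=*BOX@%&#/^SE"


def randomart(digest, ktype="RSA", bits=2048):
    """OpenSSH's 'drunken bishop' randomart re-implemented from ssh-keygen:
    each 2-bit pair of the digest (LSB first) moves the bishop diagonally,
    a cell's symbol counts its visits, S is the start and E the end."""
    field = [[0] * FLDSIZE_Y for _ in range(FLDSIZE_X)]
    x, y = FLDSIZE_X // 2, FLDSIZE_Y // 2
    for byte in digest:
        for _ in range(4):
            x = min(max(x + (1 if byte & 1 else -1), 0), FLDSIZE_X - 1)
            y = min(max(y + (1 if byte & 2 else -1), 0), FLDSIZE_Y - 1)
            field[x][y] = min(field[x][y] + 1, len(AUGMENTATION) - 3)  # cap at '^'
            byte >>= 2
    field[FLDSIZE_X // 2][FLDSIZE_Y // 2] = len(AUGMENTATION) - 2      # 'S'
    field[x][y] = len(AUGMENTATION) - 1                                # 'E'
    title = "[%4s %4u]" % (ktype, bits)
    rows = ["+--" + title + "-" * (FLDSIZE_X - 2 - len(title)) + "+"]
    for r in range(FLDSIZE_Y):
        rows.append("|" + "".join(AUGMENTATION[field[c][r]] for c in range(FLDSIZE_X)) + "|")
    rows.append("+" + "-" * FLDSIZE_X + "+")
    return "\n".join(rows)


# Constructed sample *.pub line: e=65537 and a 2048-bit non-RSA modulus.
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << 2047) | 1)).decode() + " host"
SAMPLE_SSHD_CONFIG = "# constructed\nPort 22\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey=/etc/ssh/ssh_host_dsa_key\n"

if __name__ == "__main__":
    print([p + ".pub" for p in hostkey_paths(SAMPLE_SSHD_CONFIG)])
    ktype, blob = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    fp = md5_fingerprint(blob)
    print(key_bits(blob), fp, "(" + ktype + ")", fit_fingerprint(fp, 38))
    print(randomart(hashlib.md5(blob).digest(), "RSA", key_bits(blob)))
```

Reading the host key's `.pub` file and hashing the decoded blob yields exactly what `ssh-keygen -lf` prints, so nothing has to be harvested from a terminal; the sshd_config walk is still needed because HostKey may point anywhere. The randomart is a visualisation aid, not a substitute for checking the full fingerprint: two keys differing in one byte can produce very different pictures, but a collision in the picture is much cheaper than one in the 128-bit digest.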
