otpasswd-talk

Re: [Otpasswd-talk] Using OTP to kind of fix MITM.


From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Tue, 22 Dec 2009 23:56:35 +0100

On Tue, 22 Dec 2009 17:33:10 -0500
Luke Faraone <address@hidden> wrote:

> On Tue, Dec 22, 2009 at 17:21, Hannes Beinert <address@hidden>
> wrote:
> 
> >  In the second case, however, the sysadmin wants to enhance
> > system security by requiring PPP usage.  If the user completely
> > breaks PPP for him/herself, then it's true that system security
> > will be enhanced because logins for that user would be disabled.
> > OTOH, if the user modifies the state files to use poor sequence
> > keys (by whatever definition you choose to apply), or rolls back
> > the counter for the "current passcode" which would enable a replay
> > attack, the user has actually lessened system security.  By keeping
> > the files in a global system-controlled database this latter
> > vulnerability could be mitigated.
> >
> 
> That makes sense. OTOH, if a user wants to intentionally compromise
> the security of his login, he can anyway by a number of easier means.
> I'm not opposed to a central database, I just think that ad-hoc
> should be the default.
Well. This can be limited. We can deny the ability to print passcards and
only send him data via OOB (mobile phone). He would have to lose his
mobile to impair security then.


> Apologies for currently being unable to contribute any code. I'm in
> the process of learning C and do not yet feel that I'd be able to
> contribute anything robust or useful at this time.
I guess I can handle most of it until some stable 1.0 is produced.
Development has slowed down, but I'm still making changes, and currently I'm
doing this global db (and a place for ldap/mysql).

-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be
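
The counter-rollback replay Hannes describes above, and the system-controlled store that mitigates it, as an added Python sketch (not otpasswd's code; the passcode derivation and DEMO_KEY are constructed for illustration and are not the real PPP algorithm):

```python
import hmac
import hashlib

# Constructed toy scheme, NOT the real PPP/otpasswd algorithm: passcode i is a
# truncated HMAC-SHA256(sequence_key, i). Key and counter together are the
# per-user "state file" the thread discusses.
DEMO_KEY = b"constructed-demo-sequence-key"


def passcode(sequence_key: bytes, index: int) -> str:
    mac = hmac.new(sequence_key, index.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]


class UserControlledState:
    """State kept in a file the user can edit: nothing stops a counter rollback."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def verify(self, code: str) -> bool:
        # Trusts whatever counter the file says, so a rolled-back counter makes
        # the system ask again for a passcode that was already spent.
        ok = hmac.compare_digest(code, passcode(self.key, self.counter))
        if ok:
            self.counter += 1
        return ok


class SystemControlledState(UserControlledState):
    """State in a system-owned DB: the accepted index only ever moves forward."""
    def __init__(self, key: bytes):
        super().__init__(key)
        self.high_water = -1  # highest passcode index ever accepted

    def verify(self, code: str) -> bool:
        # Even if the stored counter is lowered (old backup, tampering), never
        # re-accept an index at or below the high-water mark: that is the replay.
        if self.counter <= self.high_water:
            self.counter = self.high_water + 1
        ok = super().verify(code)
        if ok:
            self.high_water = self.counter - 1
        return ok


def replay_after_rollback(state) -> bool:
    """Spend passcode 0, roll the counter back as a user could, try it again."""
    first = passcode(state.key, 0)
    if not state.verify(first):  # the legitimate login
        raise RuntimeError("first login should succeed")
    state.counter = 0  # rolled-back counter in the state file
    return state.verify(first)  # True means the captured passcode replays
```

With the user-writable state the replay succeeds; with the system-owned store it is refused, and in a real deployment the user would have no write access to that store at all.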
