Re: Dynamic password authentication scheme

From: Erich Buri (buri_at_z17.net)
Date: 01/27/04

  • Next message: Erich Buri: "Re: XMAS Scanning"
    Date: Tue, 27 Jan 2004 00:40:31 +0100
    To: amandeep Singh <amandeep1@hotpop.com>
    
    

    I agree that it would be great to have something like dynamic passwords.

    But I think that your solution does not change much.

    > in which the password is not stored in the hard disk or any auxiliary
    > memory and gets changed every time a user is going to be
    > authenticated.

    But isn't there this value computed from the random input that gets
    stored on the server? This is much like the password. Because if I know
    this value and the time I want to do the login, I can calculate the
    password!

    Same thing if I steal the secret value from the customer
    (sniffing/reading on the disk, since he may store it there.../keylogging
    the value when it is typed into the algorithm to compute the
    one-time-password, since this function must be one-way and is thus very
    likely complicated).

    Did I miss the point?

    Apart from that, there already exists a solution called SecurID.

    http://www.hpcmo.hpc.mil/Htdocs/SECURITY/securid_q.html

    which does basically the same thing, except that in this case the secret
    value is stored inside the card and the one-time-password is calculated
    directly by the card.

    Tell me if I'm wrong, but I think your solution is basically shifting the
    problem from cracking the password to stealing a number.

    gruss
    buri
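
The point raised in the message above, as an added example that is not part of the original post: a time-based one-time password only stops replay of a captured code, while the value the server stores remains password-equivalent. The proposed scheme's algorithm is not given on this page, so standard RFC 6238 TOTP stands in for it; the `Server` class and `demo` function are hypothetical names, and the seed and timestamp are the RFC's published test values.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Server:
    """Hypothetical verifier: it must keep the seed to recompute the code."""
    def __init__(self, seed: bytes):
        self.stored_seed = seed          # password-equivalent value at rest
        self.last_step = -1              # highest time step already accepted

    def verify(self, code: str, now: int, step: int = 30, drift: int = 1) -> bool:
        # Accept the current step plus/minus `drift` steps of clock skew,
        # but never a step already used (blocks replay of a sniffed code).
        for s in range(now // step - drift, now // step + drift + 1):
            if s <= self.last_step:
                continue
            if hmac.compare_digest(totp(self.stored_seed, s * step, step), code):
                self.last_step = s
                return True
        return False


def demo() -> dict:
    seed = b"12345678901234567890"       # RFC 6238 test seed, not a real secret
    now = 1111111109                     # RFC 6238 test timestamp
    server = Server(seed)
    user_code = totp(seed, now)
    results = {"user_login": server.verify(user_code, now)}
    # A sniffed code is useless once it has been accepted...
    results["replayed_code"] = server.verify(user_code, now)
    # ...but a copy of the stored seed yields valid codes for any later time.
    copied_seed = bytes(server.stored_seed)
    later = now + 3600
    results["code_from_copied_seed"] = server.verify(totp(copied_seed, later), later)
    return results


if __name__ == "__main__":
    print(demo())
```

The replayed code is rejected while the code computed from the copied seed is accepted, which is why the seed needs the same protection as a password database, or storage in hardware as with the token card mentioned in the message.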
