RE: Dynamic password authentication scheme

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 01/28/04

    To: "'amandeep Singh'" <amandeep1@hotpop.com>
    Date: Tue, 27 Jan 2004 16:20:44 -0800
    
    

      Believe it or not, I think most of this ground has been covered
    over a decade ago. SecurID resolves most of the problems, and is
    well established in the marketplace.

    David Gillett

    > -----Original Message-----
    > From: Erich Buri [mailto:buri@z17.net]
    > Sent: January 26, 2004 15:41
    > To: amandeep Singh
    > Cc: security-basics@securityfocus.com
    > Subject: Re: Dynamic password authentication scheme
    >
    >
    >
    > I agree that it would be great to have something like dynamic
    > passwords.
    >
    > But I think that your solution does not change much.
    >
    > > in which the password is not stored in the hard disk or any auxiliary
    > > memory and gets changed every time a user is going to be
    > > authenticated.
    >
    > But isn't there this value computed from the random input that gets
    > stored on the server? This is much like the password. Because if I know
    > this value and the time I want to do the login, I can calculate the
    > password!
    >
    > Same thing if I steal the secret value from the customer
    > (sniffing/reading on the disk, since he may store it there.../keylogging
    > the value when it is typed into the algorithm to compute the
    > one-time-password. Since this function must be one-way and is thus very
    > likely complicated).
    >
    >
    > Did I miss the point?
    >
    > Apart from that, there already exists a solution called SecurID.
    >
    > http://www.hpcmo.hpc.mil/Htdocs/SECURITY/securid_q.html
    >
    > which does basically the same thing, except that in this case the secret
    > value is stored inside the card and the one-time-password is calculated
    > directly by the card.
    >
    > Tell me if I'm wrong, but I think your solution is basically shifting the
    > problem from cracking the password to stealing a number.
    >
    > gruss
    > buri
    >
    >
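The point raised in the quoted reply, that whoever holds the stored value and knows the time can compute the one-time password, shown as an added example that is not part of the original thread. It uses the public RFC 6238 TOTP construction as a stand-in (the proposed scheme and SecurID's algorithm are not given on this page), with the RFC's published test seed as sample input.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (RFC 6238 default)

def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Derive the code for a moment in time from the shared seed."""
    counter = struct.pack(">Q", max(0, unix_time) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(seed: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server side: recompute from the stored seed, tolerating clock drift."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(seed, unix_time + d * STEP, len(submitted))
        ok |= hmac.compare_digest(expected, submitted)  # constant-time compare
    return ok

# Constructed sample input: the test seed published in RFC 6238, not a real secret.
SEED = b"12345678901234567890"

def demo(now: int = 59):
    token_code = totp(SEED, now)           # what the user's token displays
    accepted = verify(SEED, token_code, now)
    # Any copy of the seed (server database, client disk) yields the same code,
    # so the seed needs the protection a stored password would get.
    copy_code = totp(bytes(SEED), now)
    stale = verify(SEED, token_code, now + 4 * STEP)  # outside the drift window
    return token_code, accepted, copy_code, stale

if __name__ == "__main__":
    print(demo())
```

A hardware token addresses the client half of this by keeping the seed inside the device; the verifier's copy still has to be stored and protected on the server.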


