Re: Human-answerable challenge response login
From: chenshaw (MOVE)
Date: 09/27/03
- Next message: Mok-Kong Shen: "Re: [Diehard] Overlap sum test"
- Previous message: John M. Dlugosz: "Re: Book as the key"
- In reply to: Paul Rubin: "Re: Human-answerable challenge response login"
- Next in thread: Brian Harnish: "Re: Human-answerable challenge response login"
- Reply: Brian Harnish: "Re: Human-answerable challenge response login"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 27 Sep 2003 07:44:52 GMT
Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote in
news:7xk77vm2k3.fsf@ruckus.brouhaha.com:
> Just intercepting one valid challenge/response pair gives the attacker
> the key immediately.
In hindsight that is abundantly clear, yes. FWIW, I'm not securing
anything of much importance. This is basically just a learning exercise.
In practice this does not seem a very likely attack given that the login
pages are sent via SSL and I'm the only one who knows both the address of
the server and the algorithm in use. Since screen capture parasites are
rather rare, an attacker would have to be physically present to read the
challenge off the screen. A simple key logger would not be sufficient to
gain enough knowledge to login.
> Why not use a one-time key system like S/Key?
After looking into it, implementing S/Key will be more trouble than is
necessary. A generic one-time password system, however, should be
sufficient.
-- Coridon Henshaw / http://www3.sympatico.ca/gcircle/csbh
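The "generic one-time password system" the reply settles on, shown as an added example that is not part of the original post or of the poster's code: a Lamport-style hash chain, the same construction S/Key is built on. The client keeps the seed and walks the chain backwards; the server stores only the last value it accepted, so a captured challenge/response pair cannot be replayed and does not reveal the next password, which is exactly the weakness Paul Rubin pointed out in the original scheme. The seed value, chain length and class names are assumptions made for illustration.

```python
import hashlib


def _h(data):
    """One step of the chain: SHA-256 of the previous value."""
    return hashlib.sha256(data).digest()


def make_chain(seed, n):
    """chain[0] = seed, chain[i] = H(chain[i-1]).

    chain[n] is the public anchor handed to the server; the client uses
    chain[n-1], chain[n-2], ... as successive one-time passwords.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpServer:
    """Stores only the last accepted value and a use counter, never the seed."""

    def __init__(self, anchor, count):
        self.current = anchor      # initially H^n(seed)
        self.remaining = count

    def verify(self, otp):
        if self.remaining == 0:
            return False           # chain exhausted; client must re-enrol
        if _h(otp) != self.current:
            return False           # wrong preimage: replay, forgery or typo
        self.current = otp         # accept and move one link down the chain
        self.remaining -= 1
        return True


class OtpClient:
    """Holds the seed-derived chain and hands out passwords in reverse order."""

    def __init__(self, seed, n):
        self.chain = make_chain(seed, n)
        self.next_index = n - 1

    def next_password(self):
        if self.next_index < 0:
            raise RuntimeError("chain exhausted, generate a new seed")
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp


def demo():
    """Walk one login, then show what an eavesdropper can and cannot do."""
    seed = b"constructed demo seed, not a real secret"   # constructed input
    n = 5
    client = OtpClient(seed, n)
    server = OtpServer(client.chain[n], n)      # enrolment: server gets H^n(seed)

    p1 = client.next_password()
    ok_first = server.verify(p1)                # genuine login succeeds

    replayed = server.verify(p1)                # attacker replays the captured OTP
    forged = server.verify(_h(p1))              # attacker hashes forward: still useless

    p2 = client.next_password()
    ok_second = server.verify(p2)               # legitimate client still works
    return ok_first, replayed, forged, ok_second


if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```

The property worth noting is that an observer learns only values that are already "spent": everything further down the chain requires inverting the hash. The server, on the other hand, holds nothing an attacker could use to log in, which is a better fit for a hobby server than a shared-secret challenge/response.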