[3253] in cryptography@c2.net mail archive
RE: Time Based Token?
daemon@ATHENA.MIT.EDU (Jacob Langseth)
Tue Aug 25 19:53:02 1998
From: Jacob Langseth <jlangseth@esisys.com>
To: "'tzeruch@ceddec.com'" <tzeruch@ceddec.com>
Cc: "'cryptography@c2.net'" <cryptography@c2.net>
Date: Tue, 25 Aug 1998 19:34:37 -0400
> > The client sends the hash over the wire, the server generates
> > its own copy of the credentials, verifies that it matches the
> > client's, and authenticates accordingly.
>
> No, the setup would start with a shared secret being programmed in to
> both the client and server. This would never be sent over the wire. The
> timestamp would simply alter the hash to provide unique passwords every
> minute.
That's the assumption I'm working with (note 'hash' above)...
> I could prevent the reuse of credentials, but it still leaves a
> man-in-the-middle attack.
...and connection hijacking, and bob only knows how
many other active network attacks; but then this is an
authentication system, not an end-to-end cryptosystem.
> I already thought of that (and have a DES version) - but these don't use
> the time. Some variant of S/Key might also work. Since I have a clock
> in the Palm III, I was wondering if there was a way to use it for
> authentication.
As long as credential reuse is blocked, your original
design should work fine.
...on a completely unrelated note, do any web browsers
support secure cleartext authentication? If not, the
server:prn -> client;
client:sha1(auth_token,prn)->server;
server:sha1(auth_token,prn) == client_response?
song and dance might make for a nice apache/mozilla
enhancement.... (does this protocol bear a name?)
Setting the initial password would still be vulnerable (need
to be handled via ssl or a trusted network), but the ability
to securely authenticate afterwards w/o the ssl overhead
(or where ssl isn't available) would seemingly be a rather
attractive addition.
Just a thought to add flavor to an otherwise mildly tofuesque reply,
Jacob
--
Jacob Langseth <jlangseth@esisys.com>
Enhanced Systems, Inc.
