Re: [slug] [SLUG] one time password

From: R P Herrold (herrold@owlriver.com)
Date: Tue May 29 2001 - 21:10:02 EDT


oops -- sent too soon ... I was still composing, and my
fingers got ahead of my head.

Opie is a formal RFC track item, and that means two separate
interoperating implementations exist. The library change in
Debian seems to be more due to the deliberate release pace of
that distribution's releases.

Looking at the fetchmail 'hooks' into opie, in that
distribution's /usr/src/redhat/BUILD/fetchmail-5.7.1/opie.c I
see:

/*
 * opie.c -- One-Time Password authentication.
 *
 * For license terms, see the file COPYING in this directory.
 */

#include "config.h"
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#if defined(STDC_HEADERS)
#include <stdlib.h>
#endif
#include "fetchmail.h"
#include "socket.h"

#include "i18n.h"
#include "md5.h"

#if OPIE_ENABLE
#include <opie.h>
...<snip>

----------------------

A more dead plain set of includes one is unlikely to find --
the i18n is most likely driving the later library push -- this
is endemic in Linux as internationalization rolls in -- it
also carries in the later libraries. Autoconf should allow
omission of the i18n stuff.

The rest of the auth code is simple challenge-response,
UU-encoding, and moving the 'used password' pointer.

As I recall OPIE generates a list of one way hash results, and
prints them for use by the operator. The operator crosses off
each as used, and the server 'remembers' the last used. They
are essentially random numbers to the evil third party tapping
the circuit.

Example using small mutually prime numbers:

Secret transform is: multiply prior value by 5 ; take result
mod 7

seed is 5

forward sequence is:

5 (seed), 4 (=5 * 5 % 7), 6 (=4 * 5 % 7), 2 (= 6 * 5 % 7),
   3 (= 2 * 5 % 7), 1 (= 3 * 5 % 7), 5, (series repeats)

[restated list]

5 4 6 2 3 1 5 ...

Multi-digit passcodes are used, and the repeat interval is the
size of the mod rotor minus one, so long as 'good' mutually
prime values are chosen. Some weak starting seeds and rotor
pairs exist.

The computer 'knows' the last used value, and the expected
next value -- customarily, 'lockout' logic to prevent guessing
attacks exists as well. A DoS attack exists, obviously.

Before SSH, some root authentication schemes required a second
'list' challenge, for admin access. As I recall there is a
further variant where the order of the list is reversed for
use by the operator, and a full list of the sequence expected
is maintained at the unit to be secured, and used in reverse
order, for greater randomness.

-- Russ
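
[Added example, not part of the original post and not fetchmail or OPIE code.] The sketch below reproduces the toy rotor from the message and then shows a list of one-way hash results consumed in reverse order, with the server remembering only the last accepted value and applying lockout logic. Assumptions: SHA-256 cut to 8 bytes stands in for the real one-way transform, and the names rotor_sequence, step, make_list, Verifier and MAX_FAILURES are hypothetical.

```python
import hashlib
import hmac

def rotor_sequence(seed, mult=5, mod=7):
    """Toy forward sequence from the post: x -> x * mult % mod, until it repeats."""
    seq, x = [seed], seed * mult % mod
    while x != seed:
        seq.append(x)
        x = x * mult % mod
    return seq

def step(value: bytes) -> bytes:
    """One-way transform (assumption: SHA-256 cut to 8 bytes, not OPIE's own)."""
    return hashlib.sha256(value).digest()[:8]

def make_list(secret: bytes, count: int) -> list:
    """Printed list: entry i is the secret passed through step() i + 1 times."""
    out, v = [], secret
    for _ in range(count):
        v = step(v)
        out.append(v)
    return out

class Verifier:
    """Server side: remembers only the last accepted value and a failure count."""
    MAX_FAILURES = 3  # hypothetical lockout threshold

    def __init__(self, last_value: bytes):
        self.last, self.failures = last_value, 0

    def check(self, candidate: bytes) -> str:
        if self.failures >= self.MAX_FAILURES:
            return "locked"  # even the real operator is refused: the DoS case
        if hmac.compare_digest(step(candidate), self.last):
            self.last, self.failures = candidate, 0  # move the 'used' pointer
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.MAX_FAILURES else "denied"

def demo():
    otps = make_list(b"constructed-secret", 5)  # constructed sample input
    server = Verifier(otps[-1])                 # server starts from the final entry
    return [server.check(otps[3]),              # list is consumed in reverse
            server.check(otps[3]),              # replay of a tapped passcode
            server.check(otps[2])]              # next unused entry

if __name__ == "__main__":
    print(rotor_sequence(5), demo())
```

Because the list is used in reverse, a passcode seen on the wire only lets an observer compute entries that are already crossed off.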


