begin quoting David Brown as of Thu, Aug 28, 2008 at 11:59:54PM -0700:
> On Thu, Aug 28, 2008 at 11:51:33PM -0700, James G. Sack (jim) wrote:
> 
> >And then there's the disturbing bottom-line that the factor is
> >[human-entry] limited to a short string of characters, so one has to
> >wonder about the overall strength of the system anyway!
> 
> I'll answer it here instead of the other message it was brought up in.
> 
> The short subset of the factor is actually not a significant weakness.

It is if you're not storing a secret on the server.

If you can store a secret on the server, then you're only looking for a
match between the fob and the server.

> The general configuration is that each number is only valid once, and
> a very small number of incorrect tries (typically three) locks the
> given fob out.

Oh, that just screams DOS.

I *routinely* lock myself out of such systems (mostly due to annoying
numlock resets or accidental caps-lock use), and it's a huge PITA.

If you just limit it to one attempt per minute, you could probably
slow down an attacker sufficiently to kill any likelihood of a guessing
attack working.

> If you're hash based, the number will usually be derived from the
> hash.  RSA's key is a 6-digit decimal number which is just about 20
> bits of material.  A guesser gets three attempts, which gives an
> attacker a 3:1,000,000 chance of just guessing the password without
> locking the fob out.
> 
> The other attack is if someone borrows the fob and wants to learn the
> secret.  In this case, displaying less information is actually
> increasing security, since the attacker has less information to go on.

But a good hash function distributes the input bits across all of the
output bits, so in theory all of the secret information can be
recovered. (One could presumably work out the math to determine
how many samples would be needed to convey all of the information,
in theory.)

With a mere 20 bits of secret data, one ought to be able to borrow a
fob, note the numbers and time, and then brute-force the secret key,
checking against the sequences from the fob. The brute-force attack
can be offline, and the numbers/timestamps don't really need to be
consecutive.

It's sad, but 2^20 guesses no longer seems like that much.

> Also remember that the fob is always supposed to be a second factor.
> Having the fob isn't sufficient to connect without also knowing a
> password.  It gives the advantage that the password doesn't need to be
> nearly as strong to achieve a given level of security.

I wonder how many people write the stem (password) on the fob...

-- 
It doesn't have to be unbreakable, just good enough for now.
Stewart Stremler
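
The throttling suggested in the message above (a one-minute wait after a bad entry instead of a three-strikes lockout, with each number still valid only once), as an added example that is not part of the original message. The RFC 6238-style HMAC-SHA1 code, the 60-second step and all names are assumptions; the thread does not specify the fob's algorithm.

```python
import hashlib
import hmac
import math
import struct

STEP = 60      # seconds per displayed code (assumed; the thread gives no interval)
MIN_GAP = 60   # cooldown after a failure: "one attempt per minute"
DIGITS = 6     # 6-digit decimal code, as quoted in the thread


def totp(secret: bytes, now: float) -> str:
    """RFC 6238-style code: HMAC-SHA1 of the time counter, truncated to DIGITS."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"


class Verifier:
    """Hypothetical server-side check: throttle failures, never hard-lock the fob."""

    def __init__(self, secret: bytes):
        self.secret = secret          # server's copy of the fob secret
        self.blocked_until = 0.0      # no attempt is evaluated before this time
        self.last_used_step = -1      # newest time step already accepted

    def check(self, code: str, now: float) -> str:
        if now < self.blocked_until:
            return "throttled"        # not evaluated, so it cannot be a guess
        step = int(now) // STEP
        ok = hmac.compare_digest(code.encode(), totp(self.secret, now).encode())
        if ok and step > self.last_used_step:
            self.last_used_step = step
            return "accepted"
        # Wrong or already-used code: start the cooldown, but never lock out.
        self.blocked_until = now + MIN_GAP
        return "replayed" if ok else "rejected"


def days_to_even_odds() -> float:
    """Days of blind guessing, one try per MIN_GAP, until success reaches 50%."""
    tries = math.log(0.5) / math.log(1 - 10**-DIGITS)
    return tries * MIN_GAP / 86400
```

At one guess per minute a blind guesser needs about 481 days to reach even odds, which is the price of not letting three mistyped entries lock the owner out. The cooldown here is per fob, so a stream of wrong guesses can still delay the owner by up to a minute at a time.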
