On Fri, Aug 29, 2008 at 01:51:45AM -0700, SJS wrote:
> begin quoting David Brown as of Thu, Aug 28, 2008 at 11:59:54PM -0700:
> > On Thu, Aug 28, 2008 at 11:51:33PM -0700, James G. Sack (jim) wrote:
> > > And then there's the disturbing bottom-line that the factor is
> > > [human-entry] limited to a short string of characters, so one has to
> > > wonder about the overall strength of the system anyway!
> > I'll answer it here instead of the other message it was brought up in.
> > The short subset of the factor is actually not a significant weakness.
> It is if you're not storing a secret on the server.
> If you can store a secret on the server, then you're only looking for a
> match between the fob and the server.
But a given match tells you nothing about the secret. It doesn't
matter how the secret is stored. The only weakness to the short
user-string would be a guess, which is restricted by allowing only a
small number of tries.
The lockout policies of the RSA key are indeed quite annoying. A
slight misconfiguration of vpnc has the nice "feature" of retrying an
incorrectly typed password for you, so that even one error locks you
out.
David
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
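The following Python is an added illustration of the argument in the thread; it is not code from any of the posters or from RSA's SecurID product. It uses RFC 4226 HOTP (HMAC-SHA1 over a counter) as a stand-in for the fob's algorithm, a constructed seed and PIN, a hypothetical `TokenServer` class that stores the shared secret and expects the passcode as PIN followed by tokencode, and a lockout after three failures. It shows three things: a valid passcode verifies once and cannot be replayed; an attacker who has seen a fresh tokencode but not the short PIN is cut off by the lockout long before exhausting the PIN space; and a client that silently re-submits a mistyped passcode (the vpnc behaviour described above) turns a single human error into a lockout.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """Hypothetical verifier: holds the seed shared with the fob plus the
    user's PIN, checks PIN || tokencode, and locks after max_failures."""

    def __init__(self, secret: bytes, pin: str, max_failures: int = 3, window: int = 3):
        self._secret = secret        # never leaves the server; a match reveals nothing about it
        self._pin = pin
        self.counter = 0             # next counter value we will accept
        self.window = window         # tolerate a fob that is a few presses ahead
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, passcode: str) -> bool:
        if self.locked:
            return False
        pin, code = passcode[:len(self._pin)], passcode[len(self._pin):]
        ok = False
        if hmac.compare_digest(pin, self._pin):
            for c in range(self.counter, self.counter + self.window):
                if hmac.compare_digest(code, hotp(self._secret, c)):
                    self.counter = c + 1   # advance past the used value: no replay
                    ok = True
                    break
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
        return ok


def brute_force_pin(server: TokenServer, fob_code: str, pin_len: int = 4):
    """Attacker knows a fresh tokencode but not the PIN and tries PINs in order.
    Returns the PIN if found, or None once the server locks the account."""
    for guess in range(10 ** pin_len):
        pin = f"{guess:0{pin_len}d}"
        if server.verify(pin + fob_code):
            return pin
        if server.locked:
            return None
    return None


def client_login_with_retries(server: TokenServer, passcode: str, retries: int = 3) -> bool:
    """Models a client that re-submits the same passcode on failure,
    like the vpnc misconfiguration described in the thread."""
    for _ in range(retries):
        if server.verify(passcode):
            return True
    return False


# Constructed sample values; not a real token seed or PIN.
SEED = b"constructed-example-seed-not-a-real-token"
PIN = "7391"


def scenario_legit():
    """Valid passcode verifies once; replaying it fails because the counter moved."""
    srv = TokenServer(SEED, PIN)
    code = hotp(SEED, 0)                 # what the fob shows at counter 0
    first = srv.verify(PIN + code)
    replay = srv.verify(PIN + code)
    return first, replay


def scenario_pin_guess():
    """Attacker with a fresh tokencode guesses the PIN; lockout stops the search."""
    srv = TokenServer(SEED, PIN, max_failures=3)
    found = brute_force_pin(srv, hotp(SEED, 0))
    return found, srv.locked, srv.failures


def scenario_retry_amplification():
    """One mistyped PIN digit, re-sent by the client, exhausts the lockout budget."""
    srv = TokenServer(SEED, PIN, max_failures=3)
    wrong = "7392" + hotp(SEED, 0)
    ok = client_login_with_retries(srv, wrong, retries=3)
    return ok, srv.locked
```

The point of `brute_force_pin` is that the search space of a four-digit PIN (10,000 values) only matters if the attacker gets to try them; with a server-held secret and a lockout counter the attacker gets three guesses, not ten thousand. The retry scenario is the flip side: any client that auto-retries must be configured not to, or the same lockout that protects the PIN locks out the legitimate user on a single typo.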