On Fri, Aug 29, 2008 at 05:41:33PM -0700, SJS wrote:
Forget all that crap about having a filesystem and cutting-and-pasting.
You could have this emit, without error, a sizable chunk of data
encrypted with a private key. A large nonce, source IP address,
etc. etc., plus a counter and/or timestamp...
I never even thought about having the device pretend it's a computer.
(Probably because I have some machines that Will Not Work With Multiple
Mice Or Keyboards.)
I wonder how likely kiosks and library-type machines would be to
allow something plugged in that acted like a USB keyboard, and upon
pressing a button would send some kind of authentication data.
I'm a bit leery about their "one time passcode" phrasing. Still... cool.
In its simplest sense, it could just mean that each password is only
valid once.
I'm familiar with the S/Key system. One disadvantage to it is that
for a given authentication, you have to give it a specific password
off of the list. Each password on the list is
basically the hash result of all of the following passwords. So,
until you enter the next password, the host doesn't actually know what
the next password is.
I'm actually not real sure why more people don't use S/Key as a second
factor. As a single authentication, it has problems, but when
combined with a real secret, it at least seems to have similar
security to a fob. An obvious weakness is that the list can be copied
and returned to the user. There are implementations for cellphones
and such.
David
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
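The S/Key hash chain David describes, as an added illustration that is not part of the thread: the client derives the printed list by iterated hashing, the host stores only the last value it accepted, and a password can be neither replayed nor skipped ahead. SHA-256 stands in for the original MD4/MD5-with-folding, and the secret and seed values are made up.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # original S/Key folds MD4/MD5 to 64 bits; SHA-256 used here for clarity


def skey_chain(secret: str, seed: str, n: int) -> list:
    """Client side: build the password list.
    chain[i] is the hash applied i+1 times to seed+secret. The user works
    backwards from the end, so each password is the preimage of the one before it."""
    h = HASH((seed + secret).encode()).digest()
    chain = []
    for _ in range(n):
        h = HASH(h).digest()
        chain.append(h)
    return chain


class SkeyHost:
    """Server side. It keeps only the most recently accepted value, never the
    secret or the list, so the host cannot compute the next expected password."""

    def __init__(self, enrolled: bytes, remaining: int):
        self.last = enrolled
        self.remaining = remaining

    def verify(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False  # chain exhausted: the user must enrol a fresh list
        if hmac.compare_digest(HASH(candidate).digest(), self.last):
            self.last = candidate  # the accepted value becomes the new anchor
            self.remaining -= 1
            return True
        return False


def demo(secret="correct horse battery", seed="kp12345", n=5) -> dict:
    """Enrol with the last list entry (constructed values), then try logins in various orders."""
    chain = skey_chain(secret, seed, n)
    host = SkeyHost(chain[-1], remaining=n - 1)
    return {
        "first_login": host.verify(chain[-2]),   # next on the list: accepted
        "replay": host.verify(chain[-2]),        # same password again: rejected
        "skip_ahead": host.verify(chain[-4]),    # two steps ahead: rejected
        "second_login": host.verify(chain[-3]),  # the correct next one: accepted
        "remaining": host.remaining,
    }


if __name__ == "__main__":
    print(demo())
```

The copied-list weakness David mentions is visible here too: anyone holding `chain` can answer every challenge, which is why pairing the list with a memorised secret matters.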