[JDEV] digest and ldap and authentication
Konrad Podloucky
konrad at pelimbert.tssc.univie.ac.at
Sun Jul 30 11:39:53 CDT 2000
On 30-Jul-2000 Jerrad Pierce enlightened me with:
> In reply to your message from the not too distant future: next
> Sunday AD
> Reply-to: belg4mit at mit.edu
> Return-receipt-to: belg4mit at mit.edu
> Organization: a) Discordia b) none c) what's that?
> Content-Typo: gibberish, charset=ascii-art
> Date: Sun, 30 Jul 2000 12:16:33 EDT
> From: Jerrad Pierce <belg4mit>
>
> So what doesn't it just use OTP? (instead of whatever the
> current password
> scheme is)
>
OK, I didn't read the complete RFC, but basically the
OTP-authentication looks like the SKEY-mechanism described in
Bruce Schneier's "Applied Cryptography".
Actually it looks like this would work. When creating an account
the client sends the server x[n] (which is the hash function
applied n times to the client's secret passphrase) and n. When
asking for authentication the server sends n - 1 to the client
and the client computes x[n-1] and sends it back to the server.
When H(x[n-1]) == x[n] then the client has been successfully
authenticated and the server stores x[n-1] and n.
After n-1 times, the client has to send a new x[n] to the
server. But the user won't have to change his passphrase because
of the seed mentioned in the RFC (The seed is a random string
sent to the client which is concatenated to the actual
passphrase).
Looks good!
Konrad
________________________________________________________________
.~. Konrad Podloucky <konrad at pelimbert.tssc.univie.ac.at>
/V\ Running GNU/Linux 2.2.17pre3 on an Alpha
// \\ GnuPG/PGP-key available by request
/( )\ "It's all fun and games until someone gets hurt...
^^-^^ then it's just fun."
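The hash-chain exchange Konrad describes, as an added example that is not part of the original post or of the OTP RFC it refers to: SHA-256 stands in for the RFC's hash, and the user name, passphrase and chain length are constructed values. It walks one chain through n-1 logins, shows a replayed response being rejected, and re-enrols with a fresh seed once the chain is used up.

```python
import hashlib
import hmac
import secrets

def hash_chain(passphrase: str, seed: str, k: int) -> bytes:
    """x[k] = H applied k times to seed||passphrase (SHA-256 here is an assumption)."""
    x = (seed + passphrase).encode()
    for _ in range(k):
        x = hashlib.sha256(x).digest()
    return x

class OtpServer:
    """Keeps only seed, counter n and x[n] per user; the passphrase never reaches it."""
    def __init__(self):
        self.users = {}
    def register(self, user: str, seed: str, n: int, x_n: bytes) -> None:
        self.users[user] = {"seed": seed, "n": n, "x": x_n}
    def challenge(self, user: str):
        rec = self.users[user]
        return None if rec["n"] <= 1 else (rec["seed"], rec["n"] - 1)  # None: chain used up
    def verify(self, user: str, response: bytes) -> bool:
        rec = self.users[user]
        if rec["n"] <= 1 or not hmac.compare_digest(hashlib.sha256(response).digest(), rec["x"]):
            return False                                   # exhausted, or H(x[n-1]) != x[n]
        rec["x"], rec["n"] = response, rec["n"] - 1        # advance: stored value is now x[n-1]
        return True

class OtpClient:
    def __init__(self, passphrase: str):
        self.passphrase = passphrase
    def enroll(self, server: OtpServer, user: str, n: int) -> None:
        seed = secrets.token_hex(8)   # fresh random seed, so the same passphrase can be reused
        server.register(user, seed, n, hash_chain(self.passphrase, seed, n))
    def respond(self, seed: str, k: int) -> bytes:
        return hash_chain(self.passphrase, seed, k)

def simulate(n: int = 4):
    """Runs one constructed user through a chain of length n and returns the outcomes."""
    server, client, user = OtpServer(), OtpClient("correct horse"), "konrad"
    client.enroll(server, user, n)
    first = client.respond(*server.challenge(user))
    first_ok = server.verify(user, first)      # x[n-1] accepted; server now stores x[n-1]
    replay_ok = server.verify(user, first)     # H(x[n-1]) == x[n], not x[n-1]: rejected
    accepted = int(first_ok)
    while (ch := server.challenge(user)) is not None:
        accepted += server.verify(user, client.respond(*ch))
    exhausted = server.challenge(user) is None # only n-1 logins per chain
    client.enroll(server, user, n)             # new seed and new x[n], passphrase unchanged
    again = server.verify(user, client.respond(*server.challenge(user)))
    return first_ok, replay_ok, accepted, exhausted, again
```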