[JDEV] What is: 'zero-knowledge authentication support'?
Jerrad Pierce
belg4mit at CALLOWAY.MIT.EDU
Wed Nov 1 19:13:19 CST 2000
This is a generalization of S/Key.
It is covered in RFC 2289 (http://www.faqs.org/rfcs/rfc2289.html)
As for what to do when it reaches zero: the easiest thing to do
is change the server's seed and reset the count. The user can then
continue with their own password. Other users will receive the new seed upon
next authentication and all is fine and dandy. The only potential issue is if
user x logs in often he could force a frequent changing of the server seed.
You could theoretically go through all seeds (or more likely have a bad
seed generator and get a previously used seed (you could track this...)).
A replay attack would be possible if someone had previously logged all
authentication attempts by a user, and submitted the correct hash
based on the current server key and user count. Of course this relies upon
the user having not changed their password... To make this likely you
could allot the user a higher iteration count (this makes it slower to hash
to login though).... Or force the user to change their password more often ;-)
The other problem with S/Key though is you have to lock access to the account
to prevent simultaneous authentication attempts...
--
#!/usr/bin/perl -nl
BEGIN{($,,$0)=("\040",21);@F=(sub{tr[a-zA-Z][n-za-mN-ZA-M];print;});
$_="Gnxr 1-3 ng n gvzr, gur ynfg bar vf cbvfba.";&{$F[0]};sub t{*t=sub{};
return if rand()<.5;$_="Vg'f abg lbhe ghea lrg, abj tb.";&{$F[0]};$_=0;}
sub v{print map sprintf('%c', 2**7-2**2),(1 .. $0);}&v;}{$_++;$_--;$_||=4;
if($_>>2||($_<<2>12)){$_="Vainyvq ragel";&{$F[0]};last;}&t;$0-=$_;$_="Lbh jva";
die(&{$F[0]}) if !($0-1);$0-=$0%2?$0>2?2:1:$0<=5?$0>2?3:1:rand>.5?1:3;
)$_="V jva";die(&{$F[0]}) if !($0-1>1);}&v __END__ http://pthbb.org/
MOTD on Setting Orange, the 13rd of The Aftermath, in the YOLD 3166:
Move on a stone dark night we take a flight snowfall turns to rust --Stiltskin
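
The seed-reuse replay and the "you could track this" check from the message above, as an added example that is not part of the original post. It assumes SHA-256 in place of RFC 2289's folded 64-bit hashes; the `chain` helper, `Server` class, password and seed are constructed for illustration.

```python
import hashlib

def chain(password: bytes, seed: bytes, n: int) -> bytes:
    """Apply the hash n times to seed+password (S/Key-style chain)."""
    h = seed + password
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h

class Server:
    """Stores only the last accepted hash, the seed and the count."""
    def __init__(self, track_seeds: bool):
        self.track_seeds = track_seeds
        self.used_seeds = set()

    def enroll(self, seed: bytes, count: int, top: bytes) -> None:
        # top = chain(password, seed, count), computed on the client side
        if self.track_seeds and seed in self.used_seeds:
            raise ValueError("seed was used before; pick a fresh one")
        self.used_seeds.add(seed)
        self.seed, self.count, self.last = seed, count, top

    def verify(self, response: bytes) -> bool:
        # A valid response is the pre-image of the stored hash.
        if self.count <= 1 or hashlib.sha256(response).digest() != self.last:
            return False
        self.last, self.count = response, self.count - 1
        return True

def demo(track_seeds: bool) -> bool:
    """Return True if logged responses are accepted after a seed reuse."""
    pw, seed, n = b"constructed-password", b"seedA", 4
    srv = Server(track_seeds)
    srv.enroll(seed, n, chain(pw, seed, n))
    logged = []                      # what a passive listener would record
    for i in range(n - 1, 0, -1):    # user logs in until the count runs out
        r = chain(pw, seed, i)
        assert srv.verify(r)
        logged.append(r)
    assert not srv.verify(logged[-1])  # old response is dead on this chain
    try:
        srv.enroll(seed, n, chain(pw, seed, n))  # same seed, same password
    except ValueError:
        return False                 # seed tracking refused the reuse
    return srv.verify(logged[0])     # first logged response works again
```

Without seed tracking the re-enrolled chain is identical to the old one, so every logged response becomes valid again in order; with tracking, the reuse is rejected at enrollment.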