Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: one-time password (OTP) authentication

from [Lyal Collins] Network Security [Permanent Link]
Subject: RE: one-time password (OTP) authentication
Date: Sun, 19 Jun 2005 19:05:38 +1000 
Here's another scenario.
Hacker installs trojan on client, and intercepts network connections from
that client.
When a OTP value is entered, hacker a) intercepts the OTP value and
immediately returns a 'sorry, try again' message to user  and b) uses the
OTP value to authenticate themselves. 
As Bruce Schneier says, OTP merely induces tactical change by attackers -
the foregoing is a well discussed scenario against OTP solutions, and lots
of variants for all the OTP variants - images, etc.

In the meantime, this code may provide a short term benefit - I haven't
looked at it.

Lyal

-----Original Message-----
From: james [mailto:james@tlhenterprises.net] 
Sent: Sunday, 19 June 2005 2:16 PM
To: webappsec@securityfocus.com
Subject: one-time password (OTP) authentication


Two-factor authentication (authenticating user with something they know AND
something they possess) is becoming more and more popular due to increasing
security requirements and the prevalence of spyware software.  However, in
open source projects, solutions such as RSA securID, smartcards, etc. are
not always feasible because of funding, licensing, or other constraints.
Here is a complete, standards-based, open source, no-hardware solution.
Here is a PHP implementation for generating, challenging, and authenticating
one-time passwords according to RFC 2289.  (go to
http://www.dcphp.com/Developers/files/otp_pub.zip 
to download)  Below are two scenarious for OTP use. 

Scenario A: 
Users across an organization need access to corporate resources at home, on
the road, in airplanes, etc.  Users are many (>1000) and geographically
distributed.  A user applies for access and is approved.  The administrator
prints off a list of one-time passwords and delivers a hard-copy via
physical medium (fax, phone, snail-mail, person-to-person handoff). 

Scenario B: 
Users self-register for a commercial (or other) website.  Once successfully
registered, the user is given the option to generate a list of one-time
passwords and use them for authentication in addition to their
username/password (of course, user can ignore OTP from certain trusted
computers, such as the one they registered from, if they trust it).  The
user can generate new OTP's at any time once authenticated. 



When the user logs in, they use their username,password, and a
one-time-password (which one depends on which one they are prompted for by
the server).  The OTP expires immediately upon authentication.  Now, if a
hacker intercepts all three tokens, they are still unable to perform a
replay attack because the third token is already invalidated.  Their is a
race condition if they are watching real-time, but this can be accounted for
via transaction locking in the session handling code. 


--
the brown cow
--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  one-time password (OTP) authentication, james
Next by Date:  Re: one-time password (OTP) authentication, Andrew van der Stock
Previous by Thread:  one-time password (OTP) authentication, james
Next by Thread:  Re: one-time password (OTP) authentication, Andrew van der Stock
Indexes:  [Date] [Thread] [Top] [All Lists]