SEMiSLUG 8 August 1996

Question and Answer Sessions

Where should I look for distributed passwords?

NIS.

Favorite sysadmin tools for Linux?

fsck. halt. vi and perl.

Good reference for server side includes (i.e. web) and security?

http://www.apache.org is a good start. NCSA, also. Tim Endres has HTPL out there somewhere (http://www.ice.com, normally).

Has anyone got a BeBox?

No.

KAL53B?

Huh? Cliff Stoll was showing off a big kids cipher ring. No one knows what it's for.

Visa vs. PGP?

Who knows?

Interlace display with X and mouse failing.

Neat, but no solutions. Try messing with different modes.

Someone wants to start their own crawler. How?

Why? There are utils out there. Check in with Yahoo and Alta Vista.

Wanna do a web site for ...?

Talk to Iain for more info. Also drop a line to jeanie@makeitso.com.

How is ADP as a boss?

You get paid on time. Others have no complaints.

Anyone installed HURD 0.0?

Nope.

Anyone want to work at Storagetek?

Contact Joe McConnell.

Anyone else attending Wolfstone concert?

Yes.

Was the name the only difference in the two announcements?

Don't worry about it.

HTTP proxy that does variable routing based on the domain asked for. (Domain prejudicial proxy)

Check out http://arvis.cs.colorado.edu/. Apache may also have something.

Sun OS Motif vs. CDE (Solaris 2.5)?

No suggestions other than "get the SDK". Go check out http://smc.vnet.net.

iostat and friends for Linux.

Many smart-ass remarks. (i.e. "Use fsck.")

Will the Sun ever rise (and visit one of our meetings)?

Some day. (That some day is today, at Honeywell.)

Does anyone know how to control how multiple URLs for Alta Vista works?

No definite answer. Tag stuff, document examination. Check the Alta Vista documentation.

Take multiple component docs that are not web-aware and deal with them on the web?

No general solutions offered.

P35 or X.435 headers? Anyone?

Oh my ghod. (No one seems to know. They have their own MIME type, but that's it.)

How big is a full feed?

Big. Really big. UUNET insists it's a full T1 and then some. Others are skeptical, but SCS says that one host to one host could take that much. MJO says with streaming mods, no way.

Any standard for maintaining RCPT headers?

It depends on the MTA. sendmail can be set up to record it in the logs.

Anyone using Verset v-calendar?

Drag and drop scheduling. Kinda neat.

SSL proxies that just do SSL proxy. Anyone know of any?

None mentioned.

Newsreader that doesn't grab the whole active file first.

Latest version of trn.

Netscape plug-ins for unix -- seen any?

Haven't seen any. There for a couple betas (cooltalk), but not there now.


Presentation

One-Time Passwords - Steve Simmons

Just what it sounds like -- a password that is only good once. OPIE: One-time Passwords In Everything.

OPIE uses cryptographic checksums to make this feasible. Rather than have to memorize hundreds of single-use passwords, the OPIE standard describes a method to generate them on the fly.

There are other methods besides OPIE, including SNK, s/key, and many others. OPIE is going to dominate because it is an entirely software-driven solution, because it's going to become the Internet standard, because it's vendor-independent, and because it's freely redistributable.

Why Use Them?
Using passwords as a method of identification is extremely susceptible to replay attacks. Someone need merely monitor the line and log the initiation of all telnet sessions. The first few segments will contain the login-password prompt and response. The attacker then gathers the logs and comes back at some future time and uses the passwords. If passwords cannot be reused, this attack is defeated.

OPIE, if used correctly, defeats passive monitoring and replay. OPIE is not perfectly secured, but it does require much more sophisticated attacks. We will discuss some of these attacks and how the OPIE protocols defend against them.

In practice, it looks like this:
   login:  scs
   otp-md5 279 sa5099
   Response or Password: RODE RAW ROWE COLA MAE VET
Following a normal login prompt, we get a challenge. The challenge describes method, cycles, and seed.

The challenging computer indicated a method it would use to compute a cryptographic checksum. The user had to use a key generator given the inputs to generate a response:
    : scs@lokkur 0 %;  opikey 279 sa5099
    Using the MD5 algorithm to compute response.
    Enter secret pass phrase:  [phrase]
    RODE RAW ROWE COLA MAE VET
The response generated is what the user had to type to the login prompt in the previous example.

Cryptographic Checksums
Ordinary checksums are fine for simple reliability, but are weak if someone is deliberately trying to fake it -- given a checksum, it's easy to create an input that will have that checksum. They're sometimes called digests.

Cryptographic checksums have two differences from standard checksums:
  1. Much longer (128 bits or more)
  2. From the result, the only known method to generate an input is by brute force. (It takes an average of 2**keysize/2 tries.)
SNEFRU, MD4, and MD5 are all popular digest algorithms.

An OPIE response is generated from the challenge, the cycle, and your secret password. The challenge is appended to the password and run thru MD5:
    echo challenge-password | md5
gives
    398dfdfdba3dc3f205d18fcf3f36a485
This is one cycle. To generate the actual password, the process is repeated:
    echo 398dfdfdba3dc3f205d18fcf3f36a485 | md5
giving
    0f78c36f5c90a15573be00c0fddf66fb
This is repeated cycle times. The resulting string is then converted to the more typeable ASCII:
    RODE RAW ROWE COLA MAE VET
Actually the above is a bit of a handwave, but it's close enough for govt. work.

More Detail
Calculating digests is slow, and storing passwords on the target system is dangerous. OPIE avoids both of these problems.

Each time you use an OPIE one-time password, it is discarded. The next time you access the same system, you will receive the same challenge prompt except the cycle will be one count lower.

The system does not have your password. It only has the last cycle count used, the challenge, and the last successful response given. When it prompts you, it subtracts one from the cycle count and supplies the challenge. It takes your response, runs it through MD5 once, and compares it to your previous response. If it matches, you're in. The system then stores this response and the decremented cycle count.
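
The check described above, modelled in Python as an added example (not code from the talk or from any OPIE distribution). It assumes the seed is appended to the pass phrase as in the handwave earlier, that each MD5 result is folded to 64 bits by XORing its halves, and that responses stay as raw bytes rather than six words; the `Server` class and the pass phrase are constructed for illustration.

```python
import hashlib
import hmac

def step(data: bytes) -> bytes:
    """One cycle: MD5, then fold 128 bits to 64 by XORing the halves (assumed)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(seed: str, phrase: str, cycle: int) -> bytes:
    """Key-generator side: hash phrase+seed once, then apply `cycle` more cycles."""
    value = step((phrase + seed).encode())
    for _ in range(cycle):
        value = step(value)
    return value

class Server:
    """Holds seed, last cycle count and last good response; never the phrase."""
    def __init__(self, seed: str, cycle: int, last_response: bytes):
        self.seed, self.cycle, self.last = seed, cycle, last_response

    def challenge(self) -> str:
        return f"otp-md5 {self.cycle - 1} {self.seed}"

    def login(self, response: bytes) -> bool:
        if self.cycle == 0:          # chain used up: the user must re-initialize
            return False
        # Hash the response once; it must equal the previously stored response.
        if hmac.compare_digest(step(response), self.last):
            self.last = response     # store this response for the next login
            self.cycle -= 1          # and the decremented cycle count
            return True
        return False

def demo():
    seed, phrase = "sa5099", "constructed pass phrase"   # sample values
    # Initialization happens on a secure console: server keeps cycle 280's value.
    server = Server(seed, 280, otp(seed, phrase, 280))
    r279 = otp(seed, phrase, 279)
    first = server.login(r279)                      # correct response to "279"
    replay = server.login(r279)                     # same response replayed
    second = server.login(otp(seed, phrase, 278))   # next response in the chain
    return first, replay, second, server.challenge()

if __name__ == "__main__":
    print(demo())
```

A captured response is useless for the next login because the server now expects a value whose hash equals that response, and producing it means inverting the digest.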

Local Key Generation
One problem with OPIE is that the user must generate keys "on the fly." If the user types his password across an insecure network or on an insecure host, the password can be captured.

The OPIE software attempts to fix this problem in the key generator. The key generation program seen earlier will refuse to generate a key (and will not prompt you for your password) if it does not think you are secure. Thus it does not run unless it believes you are on the console or an equivalently secure session. The NRL implementation actually allows the administrator to degrade that security by use of a configuration file, but it's not recommended.

Static Key Generation
Often a user will go to a location where a key generator is not available. OPIE deals with this by letting the user generate a set of keys in advance and printing them out:
    : scs@lokkur 0 %;  opikey -n 276 sa5099
    Using the MD5 algorithm to compute response.
    Enter secret pass phrase:  [phrase]
    274: DUNK BEE LASS NEW FACE TEN
    275: GLUT TIED WEK ARL WHAT TURF
    276: RODE RAW ROWE COLA MAE VET
The user prints this out, and now has the next three responses.

Local Key Initialization
To use OPIE, the system administrator must install an OPIE-aware version of all common programs used to access a system interactively -- telnetd, rlogind, login, su, etc. Once this is done, the system administrator assigns an initial OPIE pass phrase.

[Aside: pass phrase, rather than password, to indicate it's longer. Length of phrase helps defeat dictionary attacks.]

[Aside: using OPIE does not prevent use of normal UNIX logins and passwords. However, mixing the two can get .. interesting.]

Once a user is set up, the opiepasswd command works just like passwd. Like the key generator, it will only work from secure locations.

A currently-debated change to OPIE is for changing passwords remotely. Since this seems to be in flux, suffice it to say it looks possible.

Line Mode Telnet
One potential weakness to OPIE is active disruption of the session to obtain a valid pass phrase. The general method is:
  1. Attacker watches in real time for login session
  2. User sends response
  3. Attacker corrupts response in transit, but remembers valid response
  4. Before user can try again, attacker comes in using learned response
Defenses: line at a time telnet, failure increments cycle count.

Dictionary Attacks
Once an attacker has a valid cycle count and challenge, he can attempt to figure out the password via dictionary attacks (i.e. intelligent guessing and brute-force attempts).

OPIE differs from S/Key in that it mandates the use of a pass phrase rather than a password. The critical difference is that the phrase must be at least 10 characters, and can be much longer.

Status
RFC-1983 should be approved as a Draft Standard at the next IETF meeting, Dec. 1996. As a gating step, interoperability demonstrations are being prepared and will be presented to the IETF. No problems are expected.

The only potential gotcha is remote initialization of passwords. This is the newest part of the standard. While not likely to change, stranger things have happened.

Where to get source
What may become the reference implementation, including complete OPIE source and source for many unix login-related utilities:
    ftp://ftp.nrl.navy.mil/pub/security/nrl-opie/
An OPIE toolkit for UNIX is available from Phil Servita. It supports MD4, MD5, SHA1, and has alternate dictionary support. It does not yet do extended responses. A re-init scheme which is NOT compliant with the current extended response draft is included, but should not be used.
    ftp://ftp.ftp.com/pub/meister/otp/unix/otp.tar
OTP generators for DOS, Windows, Win95, and NT (with Borland C++ source) are available at:
    ftp://ftp.ftp.com/pub/meister/otp/dosotp/
    ftp://ftp.ftp.com/pub/meister/otp/winotp/

Mailing Lists
General interest: ietf-otp@bellcore.com
[Un]subscribe: ietf-otp-request@bellcore.com
Archive: ftp://ftp.bellcore.com/pub/ietf-otp/archive

Rumor and Innuendo (no names, please)

