Newsgroups: comp.protocols.kerberos
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!snorkelwacker.mit.edu!stanford.edu!SIMPACT.COM!cjr
From: cjr@SIMPACT.COM (Chris Riddick)
Subject: Re: Onetime passwords
Message-ID: <9105221224.aa06944@nss1.simpact.COM>
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Date: Wed, 22 May 1991 12:24:39 GMT
Lines: 56

You are correct in your description of a one-time password system. The 
attack you described does take advantage of the vulnerability created by
using a user-selected password and a handheld that transforms the
password into a key.

However, there other forms of one-time password systems that DO NOT
derive the one-time key from a user-entered value, but rather are
synchronized from time zero between the host (kerberos) and the user
(handheld).  The paper analog to this is the classic one-time pad used
by the cloak and dagger people in the government.  In this system,
there are two sets of pads, one for the encryptor and one for the
decryptor.  They both start at the same place on the pad using the
same sequence of random bits to begin the encryption.  As the bits are
used, they are thrown away.  If you ever get out of sequence, your're
in trouble.  But it is very effective and very secure.  The ONLY way
for someone to break the encryption is to steal one of the two pads.

Now, if we were to simplify this paper technique into something that
generated a one-time password while synchronized between the encryptor
and decryptor, then we would be able to avoid any sort of dictionary
attack because the key is not generated from a password entered by a
user, but from a seed embedded in a handheld AND synchronized with the
seed and key generator at the host (Kerberos).  Even if you knew the
seed and the algorithm, you would still have the problem of synchronization
to contend with.  If the recomputing of the key is performed often enough
(say, every 30-60 seconds), it doesn't leave much opportunity to for an
attacker to generate the key and beat you to the login.  Realize that once
used, the key is not reused.  The next valid key will be the next i
in sequence generated by the handheld.

There is still a vulnerability here, but it IS NOT due to a dictionary
attack.  It is that the attacker COULD acquire the handheld, acquire the
user's PIN (used just like the PIN for an ATM at a bank), and then 
log in as that user.  The attacker could also perform cryptanalysis on
the TGT that is returned encrypted in the special one-time password.  If
successful, he would be able to decrypt the TGT.  However, he would NOT
have the user's password.  Everytime he wanted to do this he would have
to perform the cryptanalysis on the TGT to get the one-time password.
This limits the vulnerability to the lifetime of the TGT rather than to
the lifetime of the password.

As Jon so aptly noted, security is a matter of degree.  You implement
only as much as you feel your threats and assets require.  Any more is
a waste of resources.  I believe that for many environments, what we
have been discussing over the past couple of days is NOT a threat that
would be assigned a high risk value.  That does not allow us to ignore
the fact that there is a threat, so we need to carry on these types
of analyses to find out if there are holes in any of the mechanisms.
It is obvious that there are serveral types of one-time systems.  It is
also apparent that we have been discussing more than one threat.  I am
in agreement with you about the attacks on the password system you
described, but I believe I was thinking about a different problem, and that
was of the elimination of the user-defined password altogether.

-- Chris

