On Fri, Oct 8, 2010 at 08:48, Paul Wouters <paul@xxxxxxxxxxxxx> wrote:
> On Fri, 8 Oct 2010, Dennis Gilmore wrote:
>
>> It sounds like you do not fully understand how the yubikeys work. Either that
>> or I don't understand the attack you are describing?
>
> It all comes down to this being based on symmetric crypto, not on public key
> systems. The secret lives at two places, which is unlike modern crypto systems
> we've become used to, such as SSL/SSH, RSA/DSA or OTR.

Correct. It is a problem with several OTP implementations I have dealt with in the past. Thankfully it is better than one where we figured out that if you knew one password you could figure out the next, because it was next = previous * 3 + 1 mod 7 (or something close). My hat was off to the fellow who, looking at the 12 character hex code, figured out the pattern in a couple of minutes.

So from this analysis, we should a) look at making sure where the keys are stored meets a high expectation of security and privacy, b) make sure that if a problem occurs we can rekey things quickly, and c) audit the system regularly. I don't know if regularized rekeying of yubi's would buy or help us any.

--
Stephen J Smoogen.
“The core skill of innovators is error recovery, not failure avoidance.”
Randy Nelson, President of Pixar University.
"We have a strategic plan. It's called doing things." — Herb Kelleher, founder Southwest Airlines
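The point discussed in this message, that a symmetric OTP secret lives on both the token and the validation server, shown as an added example that is not from the thread or from any Yubico or Fedora code. It uses HOTP (RFC 4226) as a stand-in for the YubiKey's own OTP format; the `Validator` class, the token id and the replacement key are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Validator:
    """Hypothetical server side: stores a copy of each token's key and counter."""
    def __init__(self, window: int = 3):
        self.tokens = {}          # token_id -> [key, next_expected_counter]
        self.window = window      # look-ahead for button presses the server never saw

    def enroll(self, token_id: str, key: bytes) -> None:
        self.tokens[token_id] = [key, 0]

    rekey = enroll                # rekeying replaces the stored key and resets the counter

    def verify(self, token_id: str, otp: str) -> bool:
        key, counter = self.tokens[token_id]
        for c in range(counter, counter + self.window):
            if hmac.compare_digest(hotp(key, c), otp):
                self.tokens[token_id][1] = c + 1   # advance so a replay fails
                return True
        return False

KEY = b"12345678901234567890"     # constructed sample: the RFC 4226 Appendix D test key

def demo() -> dict:
    server = Validator()
    server.enroll("token-1", KEY)
    out = {}
    out["device_code_accepted"] = server.verify("token-1", hotp(KEY, 0))
    out["replay_rejected"] = not server.verify("token-1", hotp(KEY, 0))
    # The server's stored copy is enough to produce a code the server accepts,
    # which is why point (a) in the message is about how that store is protected.
    stored_key, next_counter = server.tokens["token-1"]
    out["server_copy_accepted"] = server.verify("token-1", hotp(stored_key, next_counter))
    # Point (b): after a rekey, codes derived from the old key stop validating.
    server.rekey("token-1", b"constructed-replacement-key")
    out["old_key_rejected_after_rekey"] = not server.verify("token-1", hotp(KEY, 0))
    return out

if __name__ == "__main__":
    print(demo())
```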