7529765 2001-11-16 11:31 +0100  /43 lines/ Robert Bihlmeyer <robbe@orcus.priv.at>
Sent by: joel@lysator.liu.se
Imported: 2001-11-19  17:24  by Brevbäraren
External recipient: Alan J Rosenthal <flaps@dgp.toronto.edu>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19793>
Comment on text 7507654 by Alan J Rosenthal <flaps@dgp.toronto.edu>
Subject: Re: OpenSSH & S/Key information leakage
------------------------------------------------------------
flaps@dgp.toronto.edu (Alan J Rosenthal) writes:
[quote reordered & trimmed]

> A login prompt for a non-account looks like this:
> 
> 	login: flomp
> 	otp-md5 175 at2078 ext
> 	Response: 
> 
> So far, so good.  But press return once or twice to get "Login incorrect"
> (or make a new connection), and then do
> 
> 	login: flomp
> 	otp-md5 220 at0624 ext
> 	Response: 

Oops.

But if a system mandated a common seed for all accounts (one that
changes regularly) all login attempts will show that. For the
sequence number, the fake response could use a number that is
dependent on the login name and the seed, e.g. the lower bits of
MD5(login + seed + host-secret)

Would using the same seed for all (real) accounts lose us security? My
intuition is no, but this needs to be thought over more.

> If OPIE didn't tell you the password number, for example, it would be quite
> hard to use.

You can keep the last used number on a slip of paper in your wallet
(according to one's threat model and set-up keeping the OTPs there as
well may be appropriate).

Logged-in users can query their seq#, if they are in doubt. The login
process can also tell you the current number if you try to use an
older OTP. This does not affect security, because an attacker that
knows an older OTP obviously has snooped on a previous successful
login attempt and thus knows that this account exists.

-- 
Robbe
(7529765) /Robert Bihlmeyer <robbe@orcus.priv.at>/(Reflowed)
Attachment (application/pgp-signature) in text 7529766
7529766 2001-11-16 11:31 +0100  /10 lines/ Robert Bihlmeyer <robbe@orcus.priv.at>
Attachment filename: "signature.ng"
Imported: 2001-11-19  17:24  by Brevbäraren
External recipient: Alan J Rosenthal <flaps@dgp.toronto.edu>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19794>
Attachment (text/plain) to text 7529765
Subject: Attachment (signature.ng) to: Re: OpenSSH & S/Key information leakage
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE79Pbm8g21h7wYWrMRAvAgAKCSPEpmByc6zZmd4GzbbyX0+oO78wCg2Cyr
oKRvKvo9MKvNSA9dbXDafkA=
=61eM
-----END PGP SIGNATURE-----
(7529766) /Robert Bihlmeyer <robbe@orcus.priv.at>/--
7530614 2001-11-18 21:40 +0100  /30 lines/ Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
Sent by: joel@lysator.liu.se
Imported: 2001-11-19  20:06  by Brevbäraren
External recipient: Alan J Rosenthal <flaps@dgp.toronto.edu>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19801>
Comment on text 7507654 by Alan J Rosenthal <flaps@dgp.toronto.edu>
Subject: Re: OpenSSH & S/Key information leakage
------------------------------------------------------------
From: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
To: Alan J Rosenthal <flaps@dgp.toronto.edu>
Cc: bugtraq@securityfocus.com
Message-ID: <20011118213643.ED.0@bobanek.nowhere.cz>

On Thu, 15 Nov 2001, Alan J Rosenthal wrote:

> A login prompt for a non-account looks like this:
> 
> 	login: flomp
> 	otp-md5 175 at2078 ext
> 	Response: 
> 
> So far, so good.  But press return once or twice to get "Login incorrect"
> (or make a new connection), and then do
> 
> 	login: flomp
> 	otp-md5 220 at0624 ext
> 	Response: 
> 
> Either the user just set a new passphrase in this one-second interval, or
> "flomp" does not exist.

Seed the PRNG generating this fake challenge with the given username
and nothing but the username (and perhaps some *static* secret data).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
(7530614) /Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>/(Reflowed)
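Both Robert's suggestion (derive the fake sequence number from the login name, the seed and a host secret) and Pavel's (seed the fake-challenge generator with the username plus static secret data) come down to the same fix: the challenge shown for a non-existent account must be a pure function of the username, so that repeated probes agree exactly as they would for a real account. The following is an added example written for this archive page, not code from OpenSSH, OPIE or either poster. It assumes HMAC-SHA256 in place of the MD5 construction sketched above, a constructed static host secret, a constructed table of two real accounts, and the "at" + four digits seed shape seen in the quoted prompts; the leaky per-attempt random variant is included for contrast.

```python
import hashlib
import hmac
import random
from typing import Dict, Optional, Tuple

# Constructed values for this example only: a static per-host secret and a tiny
# table of real accounts with their current one-time-password state (seq, seed).
HOST_SECRET = b"example-static-host-secret-do-not-reuse"
REAL_ACCOUNTS: Dict[str, Tuple[int, str]] = {
    "alice": (487, "at1953"),
    "bob": (212, "at0077"),
}


def naive_fake_challenge() -> Tuple[int, str]:
    """The leaky behaviour quoted in the thread: a fresh random challenge on
    every attempt, so two probes of the same unknown name disagree while two
    probes of a real account agree."""
    seq = random.randrange(100, 500)
    seed = "at" + "".join(str(random.randrange(10)) for _ in range(4))
    return seq, seed


def deterministic_fake_challenge(username: str,
                                 host_secret: bytes = HOST_SECRET,
                                 common_seed: Optional[str] = None) -> Tuple[int, str]:
    """Fake challenge that is a pure function of (username, host secret).

    Repeated probes of the same name yield the same answer. HMAC-SHA256 stands
    in for the MD5(login + seed + host-secret) idea from the thread; in both
    cases only the host secret has to stay private. If the site mandates one
    common seed for all real accounts (Robert's variant), that seed is returned
    unchanged and only the sequence number is derived.
    """
    mac = hmac.new(host_secret, username.encode("utf-8"), hashlib.sha256).digest()
    # OPIE sequence numbers count down from 499; keep fakes in 100..499 so they
    # look like a normally used account rather than a freshly initialised one.
    seq = 100 + int.from_bytes(mac[:2], "big") % 400
    if common_seed is not None:
        return seq, common_seed
    # Seed shaped like the real ones ("at" + four digits), from later MAC bytes.
    seed = "at" + "".join(str(b % 10) for b in mac[2:6])
    return seq, seed


def login_challenge(username: str,
                    accounts: Dict[str, Tuple[int, str]] = REAL_ACCOUNTS,
                    host_secret: bytes = HOST_SECRET,
                    common_seed: Optional[str] = None) -> str:
    """Challenge line printed after 'login:'. Real and fake accounts take the
    same shape; a site using a common seed stores it in the account table and
    passes the same value as common_seed for the fake path."""
    if username in accounts:
        seq, seed = accounts[username]
    else:
        seq, seed = deterministic_fake_challenge(username, host_secret, common_seed)
    return f"otp-md5 {seq} {seed} ext"


if __name__ == "__main__":
    # Two probes of the same unknown name now agree, as they do for "alice".
    print(login_challenge("flomp"))
    print(login_challenge("flomp"))
    print(login_challenge("alice"))
```

Note that this closes only the repeat-probe channel described in the thread. The fake challenge still has to be produced in roughly the same time as a real lookup, and the stored sequence numbers of real accounts still change on every successful login, which is why Robert's question about a site-wide common seed matters: the seed is the part that never changes for a real account, so it is the part a fake must get right.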