opie or s/key with gpg? (fwd)

Atom 'Smasher' atom-gpg at suspicious.org
Wed Oct 8 21:11:01 CEST 2003

forgive me for thinking out loud, but this might do the trick....

like opie and s/key, we have a secret password, a seed, and a count, which
are used to generate a one time password.

unlike opie and s/key, the secret password must be known to both the
calculator and the machine receiving the OTP (the remote machine keeps
it's copy encrypted).

using password="p", seed="s"  and count="c", we use f(p,s,c). instead of
just performing "c" number of iterations on "p,s" (like opie & s/key),
let's also throw "c" into the mixer, so we're performing "c" number of
iterations on "p,s,c". (this is probably much more work than necessary,
but is that really a problem?)

we can use the final result of that function (or a function of it) as a
password in a symmetric algorithm to decrypt a file, and if the secret
password is contained in that [encrypted] file, then the file can be
re-encrypted using that password and the next sequence number (and the
seed) to determine the next symmetric password in the sequence.

such an algorithm would render it infeasible to use a sniffed OTP to
determine any previously used OTP. a sniffed password can still be used to
decrypt a stolen keyring, but there is a narrow window in which the
keyring must be stolen and the password sniffed.... if Mallory steals
Bob's keyring just after Bob accesses it with count=123, then a sniffed
password will only be useful to Mallory if it's sniffed while count=122.
not perfect, but better than reusable passwords.

i guess that any encrypted file can be had by an attacker if it's stolen
immediately before the password is sniffed.... i really doubt if there's a
way around that. i'm sure there are other ways to accomplish this type of
an OTP system, but i think they'd all be vulnerable to that type attack.

of course, to create an OTP keyring like this, the OTP secret password
must be supplied to both the calculator and the machine creating the file
(so the secret password can be stored in the encrypted file). one of the
neat things about opie is that the password never has to leave the
calculator... oh-well.. if anyone thinks of a way to do it, so the secret
password is only known to the calculator, i'd be curious...


PGP key - http://smasher.suspicious.org/pgp.txt
3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3

	"You have just dined, and however scrupulously
	 the slaughterhouse is concealed in the graceful
	 distance of miles, there is complicity."
		-- Ralph Waldo Emerson, 1870

More information about the Gnupg-users mailing list