List:       secprog
Subject:    One-time-passwords (was; Re: Preventing Dictionary Attacks)
From:       Seth Arnold <sarnold () WILLAMETTE ! EDU>
Date:       2001-04-12 9:27:26

* Roger Burton West <roger@firedrake.org> [010412 02:13]:
> That isn't a one-time password, then. It isn't being used only once.

Sure it is -- each password is being sent over the wire once. The
progression of passwords used is in reverse order of what would be
useful for an attacker to have (if sniffing the wire were the only
option available to the attacker). However, what is stored on disk
by the server may or may not be susceptible to a dictionary attack.
This argument is orthogonal to the definition of one-time password
schemes.

I'll even supply a Proof By Reference To Authority :) : Schneier v2
page 53; Menezes, van Oorschot, Vanstone page 396.

--
Earthlink: The #1 provider of unsolicited bulk email to the Internet.
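
The scheme the message describes, as an added example that is not part of the original post: a Lamport-style hash chain (the construction behind S/KEY), assuming that is the scheme under discussion. SHA-256, the chain length, the sample secret and the names H, chain, Server and demo are assumptions made for the illustration.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """One step of the chain (SHA-256 is an assumption, not from the post)."""
    return hashlib.sha256(data).digest()


def chain(secret: bytes, n: int) -> bytes:
    """Return H applied n times to the secret."""
    out = secret
    for _ in range(n):
        out = H(out)
    return out


class Server:
    """Holds only the last accepted value, never the user's secret."""

    def __init__(self, enrolled: bytes):
        self.stored = enrolled  # H^N(secret), written to disk at enrollment

    def verify(self, otp: bytes) -> bool:
        # Accept only a preimage of the stored value, then move the
        # stored value one step down the chain so the same OTP fails next time.
        if hmac.compare_digest(H(otp), self.stored):
            self.stored = otp
            return True
        return False


def demo():
    secret = b"constructed secret for the example"  # constructed sample input
    n = 5
    server = Server(chain(secret, n))

    on_the_wire = []  # what a passive sniffer would collect
    accepted = []
    for i in range(n - 1, 1, -1):  # client sends H^4, then H^3, then H^2
        otp = chain(secret, i)
        accepted.append(server.verify(otp))
        on_the_wire.append(otp)

    # Replaying any captured value fails: each was valid exactly once.
    replayed = [server.verify(otp) for otp in on_the_wire]
    # Hashing the newest captured value only reproduces the previous,
    # already-spent one; the next OTP is a preimage, not an image.
    only_goes_backwards = H(on_the_wire[-1]) == on_the_wire[-2]
    return accepted, replayed, only_goes_backwards
```

The value the server keeps is H applied a known number of times to the user's secret, so how well it resists offline guessing depends on how that secret was chosen, which is the separate question the message raises.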
