the computer. And cryptanalysts have a hard time: they have to invert the hash
function, in addition to computing a collision.
One-time passwords also protect you against replay attacks. Up to 1994,
this had been a weakness of Novell NetWare, which transmitted passwords in
encrypted form but used a cipher without an initialization vector. This allowed
Mallory to pretend to be Alice and replay Alice's encrypted password. This sort of
flaw (including copying of encrypted passwords) must have been exploited on a
massive scale in the real world.
Security Problems
In practice, however, one-time passwords have a few inherent problems. First,
these passwords are random, i.e., they are hard to remember. So every user of
this system has to keep a constant eye on their walking stick, in the knob of
which the password list is hidden. Second, the average user is always careless and
forgetful (if you want to believe system administrators). They forget to bring
their lists along or to print the new one. The system administrator has only
'additional trouble with this'. Third, Mallory only needs to take S_0 from a list
lying around openly to log in without authorization, theoretically as often as he wants.
But don't panic just yet — these drawbacks can be largely excluded in many
situations. All it takes is to memorize only S_0 and have a locally run program
compute S_49 from it (which is done, for example, in the OPIE program; see
Section 7.5). But as things are in the real world, most users will write down
their S_0 anyway. So this risk remains.
Mallory can theoretically exploit this until he is filthy rich; plus he has an
almost perfect alibi. Suppose Alice has to pay a rather large bill to him. Late
payment would entail a hefty collection fee. Meanwhile, Mallory has spied out
Alice's key S_0 and knows that Alice's 47th password has just been polled. He
computes S_46 and logs himself on as Alice several times, but every time only very
briefly. Alice's next connection to the computer fails. It doesn't occur to her
that somebody might know her password. She reacts like a typical user: 'The
computer is down.' It's a weekend and new password lists won't be issued
before Monday — and Alice has to pay the collection fee.
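The hash-chain scheme and the loss of synchronization described above, as an added example that is not the book's own code: S_i = H(S_(i-1)) is computed from a memorized S_0, the server keeps only the last accepted value, and a failed login that re-presents an already-consumed value is flagged as "reused" so an administrator can tell a desynchronized list from a mistyped password. The hash function (SHA-256), the seed, the initial server value S_50 and the verdict names are assumptions.

```python
import hashlib

def H(data: bytes) -> bytes:
    """One-way step of the chain (SHA-256 here, an assumption; S/Key-style systems used MD4/MD5)."""
    return hashlib.sha256(data).digest()

def chain(seed: bytes, n: int) -> list:
    """Return [S_0, S_1, ..., S_n] with S_i = H(S_(i-1)); only S_0 needs to be remembered."""
    out = [seed]
    for _ in range(n):
        out.append(H(out[-1]))
    return out

class OtpServer:
    """Holds only the last accepted value; the chain cannot be run forward from it."""
    def __init__(self, s_top: bytes, index: int):
        self.stored = s_top          # S_index; the next valid password is S_(index-1)
        self.index = index           # passwords still usable
        self.consumed = set()        # accepted values, used to classify failures
        self.log = []                # constructed audit trail of (index, verdict)

    def login(self, presented: bytes) -> str:
        if self.index > 0 and H(presented) == self.stored:
            self.consumed.add(presented)
            self.stored = presented  # advance one step down the chain
            self.index -= 1
            self.log.append((self.index, "ok"))
            return "ok"
        # Re-presenting a consumed value is not a typo: it is a replay, or a
        # legitimate user whose list has fallen out of step with the server.
        verdict = "reused" if presented in self.consumed else "wrong"
        self.log.append((self.index, verdict))
        return verdict

def desync_demo():
    seed = b"constructed-seed-for-alice"   # Alice's memorized S_0 (constructed value)
    s = chain(seed, 50)
    server = OtpServer(s[50], 50)           # server initialized with S_50 (assumption)
    for i in (49, 48, 47):                  # three legitimate logins by Alice
        server.login(s[i])
    intruder = server.login(s[46])          # someone who knows S_0 submits S_46 first
    alice = server.login(s[46])             # Alice's own S_46 is now rejected
    return intruder, alice, server.index
```

The "reused" verdict in the audit trail is the signal the text says nobody notices: a correct, already-consumed password arriving after the chain has moved on.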
Hardly anybody will be able to prove that Mallory disturbed the synchronization.
If he has a clever system for spying out the passwords of his customers,
then he can pull off such maneuvers as often as he wants and continually pocket
collection fees. Nevertheless, his work is absolutely legal toward the outside,
as opposed to illegally fabricated money transfers: up to the day when the bank