Cryptography Reference
Can CFS Be Recommended?
The defects mentioned above concern the internals and probably don't decrease
the value of CFS. It is important not to call cattach with the l switch (see
previous section). The relatively poor portability is not nice but understandable
(CFS sits deep within the operating system) and acceptable, because CFS runs
locally. Users of other UNIX systems can look around for something else.
More critical is the loss in performance, in my opinion. While the speed of
a file system doesn't play a role for a word processor, CFS can be extremely
disturbing when processing long records in a database. I don't consider it wise
to use DES of all things (or even Triple-DES, which is three times slower
in software), because this algorithm was primarily conceived for hardware.
SAFER-SK128 would be about five times faster, but utmost caution is advised,
according to Schneier [SchnCr, 14.4] — not least because the NSA could have
its hands in it. How about Blowfish, RC4/5/6, Twofish, or even AES?
However, cryptographic file systems are good concepts. They separate
cryptography from applications and make things easier to audit. Only the swap area
should be cleaned up by the system from time to time ...
7.5 OPIE, S/Key, and Logdaemon: Secure Login
Three free software packages, namely S/Key (which probably means 'Secure
Key'), OPIE (One-time Passwords In Everything), and Logdaemon, use
one-time passwords for authentication (or, more exactly, for login) in UNIX
systems. S/Key was developed by members of Bellcore in the early 1990s
and was presumably the first program of this type. OPIE came about
on the basis of S/Key in the US Naval Research Laboratories (NRL) and is
backward compatible with S/Key. It was renamed because S/Key is a brand
name, whereas OPIE is the unprotected name of free software. Logdaemon
was developed by Wietse Venema, the author of the popular SATAN security
program; it can do a lot more. We are interested in the implementation of
one-time passwords in this package. The following section discusses OPIE
as representative of the other two programs.
How to Use OPIE
As long as you move about on known computers within the Internet or an
intranet, you should use SSH for the required protection. However, if you
work on a third-party system and want to log in to your computer at home,