#21 ndi
Originally Posted by gerbick:
This thread has made me rotate my passwords on all of my online accounts.
And that's why I always have tiered passwords. Depending on how sensitive the accounts are, I have about 5 passwords I use, downwards from oh-God-if-they-get-in-I'm-ruined to meh-so-what-you-can-have-it. Reuse balanced with security.

Which reminds me, if you see me suddenly posting odd stuff, please reset my password to "blubbers". :D

Finally, I like/hate the idea of OpenID. If anyone can get into the loop at some point I'm doomed. The only thing I do through OpenID is very low-level stuff, tier 4 and 5. At tier 3, only one person knows my password, and it's dictionary-proof. At tier 2, I have a single password nobody knows. At tier 1, I use a long password combined with special chars when limited, and hardware-assisted login when not (I carry a card and a digital token at all times).
__________________
N900 dead and Nokia no longer replaces them. Thanks for all the fish.

Keep the forums clean: use "Thanks" button instead of the thank you post.
 
#22 juise-
Originally Posted by ndi:
Finally, I like/hate the idea of OpenID. If anyone can get into the loop at some point I'm doomed.
You could still use multiple OpenIDs.

Also, you could use more advanced authentication methods with OpenID, e.g. some multi-factor authentication like those Verisign pseudo-RNG-dongles.

I've been toying with the idea of writing my own OpenID provider that would require me to approve account access from my N900.
__________________
Trout have underwater weapons.
 
#23 CrashandDie
Originally Posted by juise-:
like those Verisign pseudo-RNG-dongles.
They have nothing to do with Random Numbers.

Rather, the value is specifically computed every time you actually ask it to do so (VeriSign doesn't implement Time counters, but others do, which is far more secure).

Try to imagine that you have a 3DES key, and every time you press the generation button, the Event Counter is incremented, and you generate a new 3DES key from the Event Counter and the previous 3DES key. With this key, you can generate an OTP, which is then sent to the server for authentication.

They are really far, far more than simple RNGs, so there is no need to try and simplify them in that way.

Source: I work in the industry.
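A worked model of the event-counter token described above, added here as an example; it is not CrashandDie's, VeriSign's or any vendor's code. The OTP step is RFC 4226 HOTP exactly, checked against that RFC's published test vectors. The key ratchet is an assumption: HMAC-SHA256 stands in for the 3DES derivation the post mentions (the Python standard library has no 3DES), and the `RatchetToken`/`RatchetServer` names and the seed are hypothetical. The server side shows what the counter model implies in practice: presses the server never saw are tolerated up to a look-ahead window, a consumed counter is never accepted twice, and a token that has run further ahead than the window needs a resync.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP exactly as RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def ratchet(prev_key: bytes, counter: int) -> bytes:
    """Derive the key for event `counter` from the previous key, as the post
    describes. Assumption: HMAC-SHA256 stands in for the 3DES derivation."""
    return hmac.new(prev_key, struct.pack(">Q", counter), hashlib.sha256).digest()


class RatchetToken:
    """Hypothetical token: each button press increments the event counter,
    ratchets the key forward and emits an OTP under the new key."""

    def __init__(self, seed: bytes):
        self.key = seed
        self.counter = 0

    def press(self) -> str:
        self.counter += 1
        self.key = ratchet(self.key, self.counter)
        return hotp(self.key, self.counter)


class RatchetServer:
    """Hypothetical verifier mirroring the chain. It tolerates up to `lookahead`
    presses it never saw (button pushed in a pocket, login abandoned), commits
    the chain only on success, and so never accepts a counter value twice."""

    def __init__(self, seed: bytes, lookahead: int = 10):
        self.key = seed
        self.counter = 0
        self.lookahead = lookahead

    def verify(self, otp: str) -> bool:
        key, counter = self.key, self.counter
        for _ in range(self.lookahead):
            counter += 1
            key = ratchet(key, counter)
            if hmac.compare_digest(hotp(key, counter), otp):
                self.key, self.counter = key, counter  # advance past the used event
                return True
        return False  # replayed, stale, or beyond the window: needs a resync


if __name__ == "__main__":
    seed = b"constructed-seed"  # constructed sample secret shared at enrolment
    token, server = RatchetToken(seed), RatchetServer(seed, lookahead=5)
    first = token.press()
    print("fresh OTP accepted:", server.verify(first))
    print("same OTP replayed:", server.verify(first))
```

Two points worth noticing: the server stores the same secret state the token does, so the whole scheme is only as strong as the protection of that state on both ends (which is why the token side lives in tamper-resistant hardware), and `compare_digest` is used so that the comparison does not leak how many leading digits matched.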
 
#24 fw190
Recently I tried the multi calendar widget just to see what it is. Because I didn't like it, after a few minutes of testing I decided to uninstall it. The process was going OK, but suddenly I saw that it was downloading and installing something. Later I saw in the app manager another widget, EVE Online. I don't like the idea that something is installed on my phone without my permission. I'm starting to lose faith in those community applications. How can I know that it is not recording my bank account password somewhere?

Last edited by fw190; 2010-06-26 at 09:14.
 
#25 Tomaszd
Originally Posted by fw190:
Recently I tried the multi calendar widget just to see what it is. Because I didn't like it, after a few minutes of testing I decided to uninstall it. The process was going OK, but suddenly I saw that it was downloading and installing something. Later I saw in the app manager another widget, EVE Online. I don't like the idea that something is installed on my phone without my permission. I'm starting to lose faith in those community applications. How can I know that it is not recording my bank account password somewhere?
Thank you, it means I'm not crazy! Please comment here and paste anything you have in the Application Manager log.
__________________
Do you like Extra Decoders Support? Consider donating to support the project.
 
#26 juise-
Originally Posted by CrashandDie:
They are really far, far more than simple RNGs, so there is no need to try and simplify them in that way.
Sorry, I didn't intend to offend anyone, I just couldn't remember any product names at the time of writing. I was simply attempting to communicate my point.

But let me try to justify my choice of words:
(a) To an external observer, those numbers should look random, if it's being done properly.
(b) But it's obvious that they cannot be truly random, otherwise they couldn't contain information. Thus, pseudo-random.
 
#27 CrashandDie
@Tomaszd and fw190:

Could you please clarify something for us. Which repository are these applications coming from? Can you specify versions?

Thanks.
 
#28 ndi
Originally Posted by CrashandDie:
Rather, the value is specifically computed every time you actually ask it to do so (VeriSign doesn't implement Time counters, but others do, which is far more secure).
I have one of those, it computes a reply from the challenge request from the server and internal clock (and PIN), meaning that the password is only valid that minute (among other things). They do have the drawback of time desync. If I don't use it often enough, the clocks desync and I have to call them.

Originally Posted by juise-:
I've been toying with the idea of writing my own OpenID provider that would require me to approve account access from my N900.
Heh, me too, but while it does provide nice security, it has the disadvantage of having no more protection from spoofing the OID provider, plus, if the N900 dies, no more login. More break points.

Ideally, I shouldn't keep my passwords online. But there are so many of them! Right now, I have 84 stored user/password combos, and those don't even include VPN, VNC, FTP and Tier 1 and 2.

When forums support OpenID across the board, we'll have a lot less of these. Most don't.
 
#29 CrashandDie
Originally Posted by ndi:
I have one of those, it computes a reply from the challenge request from the server and internal clock (and PIN), meaning that the password is only valid that minute (among other things). They do have the drawback of time desync. If I don't use it often enough, clocks desync and I have to call them.
No. When you use it in async mode (challenge/response), then there is absolutely no use of the internal clock. It can be that the authentication server only allows a specific challenge for a specific length of time.

The whole point of challenge/response is that you can use any challenge. Obviously, competitors to the company I used to work for may have implemented new algorithms, but there is no security value in having time-bound Challenge/Responses.

One way of testing this is to use your token, and hence get a challenge. Then wait 10 minutes, and replay the challenge again. It should output the same[1] response.

[1]: CR also suffers from key decay. What I mean by this is that because it is impossible to know what challenges have been provided to the device, it is also impossible to compute further values of the response (hence the futility of time-based CR).

If you want, I can go into much further detail of the algorithms. Three months have passed, so I'm legally allowed to disclose stuff now.
 
#30 ndi
Originally Posted by CrashandDie:
No. When you use it in async mode (challenge/response), then there is absolutely no use of the internal clock. It can be that the authentication server only allows a specific challenge for a specific length of time.
Could be. It has 2 modes:

* Login: I input a user name (set) and a password. The password is given by the token after entering the PIN. However, if I generate a password, wait for 60 seconds, then enter the password, it will not work. If I don't use it enough, it desyncs, and I need to call them to allow me one time-ignorant login. Once that happens, it works again. I have no other explanation than the fact that the token has an internal clock it uses.

* Transaction: The site gives me a random number (challenge). I press the signature button on the device, input the number, then it gives me a similar number. I enter that into the site and the transaction goes through. If I delay, it does not go through, and it re-issues me a different challenge. It could be timed, it could be clock based, I can't tell, because in order to sign you have to log in, so time is in sync.


Originally Posted by CrashandDie:
If you want, I can go into much further detail of the algorithms. Three months have passed, so I'm legally allowed to disclose stuff now.
I don't need the info, but as a programmer not only by job but by sheer passion, I'd love the insight.
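An added example for the two modes discussed in #29 and #30; this is my illustration, not the code of ndi's bank token or of CrashandDie's former employer. The login mode is modelled as a time-based OTP per RFC 6238 (HMAC-SHA1, checked against that RFC's test vectors), with a verifier that tolerates a small clock skew and learns a token's drift, which reproduces the symptoms ndi describes: a code that stops working after the step passes, a token that drifts out of the window when unused, and a one-off wide-window resync standing in for the phone call. Beside it, the transaction mode is a challenge/response that passes CrashandDie's replay test: the same challenge yields the same response no matter how much time has passed. `DriftingToken`, `TotpServer`, `resync()`, the 8-digit output and the use of HMAC-SHA256 for the challenge are all assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30  # RFC 6238 default time step in seconds


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit slice at a MAC-chosen offset, mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = 8) -> str:
    """Time-based OTP (RFC 6238, HMAC-SHA1). The moving factor is the number of
    `step`-second intervals since the epoch, so a code is tied to one interval."""
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def sign_challenge(key: bytes, challenge: str, digits: int = 8) -> str:
    """Challenge/response for transaction signing: a pure function of the shared
    key and the challenge, with no counter and no clock. Assumption: HMAC-SHA256."""
    mac = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).digest()
    return _truncate(mac, digits)


class DriftingToken:
    """Hypothetical hardware token whose clock is `drift` seconds off true time."""

    def __init__(self, key: bytes, drift: int = 0):
        self.key = key
        self.drift = drift

    def code(self, true_now: int) -> str:
        return totp(self.key, true_now + self.drift)


class TotpServer:
    """Hypothetical verifier. Accepts codes within +/- `skew` steps of its own
    clock, corrected by the drift it has learned for this token (RFC 6238
    section 6 recommends recording the offset on each successful validation)."""

    def __init__(self, key: bytes, skew: int = 1):
        self.key = key
        self.skew = skew
        self.offset_steps = 0

    def verify(self, code: str, now: int, window: Optional[int] = None) -> bool:
        window = self.skew if window is None else window
        base = now // STEP + self.offset_steps
        for delta in range(-window, window + 1):
            candidate = totp(self.key, (base + delta) * STEP)
            if hmac.compare_digest(candidate, code):
                self.offset_steps += delta  # remember the newly measured drift
                return True
        return False

    def resync(self, code: str, now: int, window: int = 20) -> bool:
        """Out-of-band resync (the 'call them' step): search a wide window once and
        keep the measured offset, after which ordinary verification works again."""
        return self.verify(code, now, window)


if __name__ == "__main__":
    key = b"12345678901234567890"           # RFC 6238 test key, used as a constructed sample
    now = 56666667 * STEP                   # constructed timestamp at the start of a step
    slow = DriftingToken(key, drift=-300)   # token clock five minutes behind
    server = TotpServer(key)
    print("drifted token, normal window:", server.verify(slow.code(now), now))
    print("after resync:", server.resync(slow.code(now), now), "offset", server.offset_steps)
    print("challenge replayed later gives same response:",
          sign_challenge(key, "48213907") == sign_challenge(key, "48213907"))
```

The design point that separates the two modes: in the TOTP verifier every accepted code moves the server's view of the token clock, so a token that is used regularly never drifts out of the window, while one left in a drawer eventually needs the wide-window resync; the challenge/response function has no such state at all, which is why any time limit ndi sees on the transaction mode must be enforced by the server on the challenge, not by the token.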
 