1997-01-27 - S/KEY (was: 2 Questions)

Header Data

From: peter.allan@aeat.co.uk (Peter M Allan)
To: cypherpunks@toad.com
Message Hash: c4515bbc4b6d12aaa61b6cc0b38dac17f044b0ff4494fdb53aa48082eba33d33
Message ID: <9701271820.AA17135@clare.risley.aeat.co.uk>
Reply To: N/A
UTC Datetime: 1997-01-27 18:19:46 UTC
Raw Date: Mon, 27 Jan 1997 10:19:46 -0800 (PST)

Raw message

From: peter.allan@aeat.co.uk (Peter M Allan)
Date: Mon, 27 Jan 1997 10:19:46 -0800 (PST)
To: cypherpunks@toad.com
Subject: S/KEY (was: 2 Questions)
Message-ID: <9701271820.AA17135@clare.risley.aeat.co.uk>
MIME-Version: 1.0
Content-Type: text/plain



Steven M Orrin <privsoft@ix.netcom.com> wrote:
> Hey guys,
> 2 quick questions:

> Are there any known hacks or weaknesses in S/Key?


S/Key has a rather limited scope, in aiming to prevent replay attacks.
These are where somebody snoops on your network to obtain passwords,
an uses them in later login attempts.  This is undoubtedly a major
weakness in most current networks.  S/Key addresses this replay of data
obtained in passive eavesdropping, but that is all it does.

Several attacks against S/Key have been discussed [1], including:

   race attacks:  eavesdropping most of the hash, and racing the user
                  to provide the rest of it

   active attacks:  impersonating the server to learn future hashes
                    or simply hijacking an established session.

Strengthening S/Key really means expanding the scope to get an
authenticated and encrypted 2-way connection.  [John Gilmore's S/WAN may
end up achieving this.  I'm not familiar with it (yet?).]

Ideas for improving S/Key that involve secret data stored on the server
tend to get frowned on, as the original aim was to avoid that.  In any case
you cannot get the full encrypted 2-way connection without getting a whole
lot more complicated.

Recent discussions [2] have centred on ways to rekey the list of hashes remotely when
the count runs down.  These changes, and S/Key itself, are better than nothing
but where's the ham sandwich ? [3]

Beside the protocol weakness there is potential for finding collisions in the hash
function (MD4 originally).  A choice of hash functions can be provided. See RFC-1938.
  

1) See also SecureID, which is more complicated and still subject
   to similar attacks.

2) Not here.

3) Old joke.  A ham sandwich is better than nothing, and nothing is better than
   a life of complete happiness, so ......




 -- Peter Allan    peter.allan@aeat.co.uk







Thread