Bugtraq mailing list archives
Re: otp - the next generation
From: Gregory Steuck <greg () NEST CX>
Date: Thu, 22 Mar 2001 15:46:44 -0800
"Lukasz" == Lukasz Luzar <lluzar () DEVELOPERS OF PL> writes:

Lukasz> The system is the most reliable way of
Lukasz> secure authorization. It eliminates all disadvantages of a
Lukasz> typical login/password and any other otp implementations.

These claims are questionable.

Lukasz> When you want to log into the server from an untrusted
Lukasz> network, then you send an SMS message with your real login
Lukasz> and password (e.g. "john 12blah45") in the body of the message
Lukasz> to the GSM phone connected to the server. When the server
Lukasz> receives a message, the smsotpd daemon processes the request in
Lukasz> the following steps:
Lukasz> 1. Checks if the user is permitted to
Lukasz> authorize from the phone number (checks /etc/smsotp.access
Lukasz> file),

This is the part the whole authentication mechanism depends on. You made at least 2 assumptions here:

1) The GSM phone network is secure between the endpoints (phones) and cannot be sniffed.
2) The SMS source address cannot be forged.

I am pretty sure that both assumptions are wrong. The phone company (or companies, I don't know how the messages are routed) will most certainly be able to sniff your messages and forge the source address.

So, what you are proposing boils down to replacing an open network (the Internet) with some closed phone company network. I don't trust my phone company any more than my ISP. Do you?

Thanks
Greg
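The access check quoted above, as an added example that is not code from the original post or from the smsotpd project: a simulation of step 1 (sender number looked up in /etc/smsotp.access) plus the implied password comparison, followed by a variant that does not rely on the SMS source address at all. The access-file layout, phone numbers, passwords, per-user secrets and the "user counter code" message format are all constructed for the example; the page does not show the real file format or what smsotpd does after step 1.

```python
"""
Added example, not code from the thread or from smsotpd: a simulation of the
quoted access check, and a variant that treats the SMS source address as
untrusted. Access-file format, numbers and secrets are constructed.
"""
import hashlib
import hmac

# Constructed sample of /etc/smsotp.access. The page does not show the real
# format; one "user phone" line per permitted number is an assumption.
SMSOTP_ACCESS = """\
# user   phone
john     +48501000111
alice    +48501000222
"""

# Static credentials, as in the quoted "john 12blah45" message. Constructed.
PASSWORDS = {"john": "12blah45", "alice": "s3cret"}


def parse_access(text):
    """Map each user to the set of phone numbers allowed to authorize for them."""
    allowed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, phone = line.split()
        allowed.setdefault(user, set()).add(phone)
    return allowed


def smsotpd_check(sender, body, allowed=None, passwords=PASSWORDS):
    """Step 1 as quoted, plus the implied password comparison.

    Both `sender` and `body` arrive over the GSM network. If the source
    address can be forged and the message sniffed, an attacker who has seen
    one real message satisfies this check exactly like the legitimate user.
    """
    allowed = parse_access(SMSOTP_ACCESS) if allowed is None else allowed
    parts = body.split()
    if len(parts) != 2:
        return False
    user, password = parts
    if sender not in allowed.get(user, set()):
        return False
    return hmac.compare_digest(password, passwords.get(user, ""))


class CounterOtpServer:
    """Variant that does not trust the source address (illustrative only).

    The SMS body carries "user counter code", where code is an HMAC over
    (user, counter) under a per-user shared secret. Each counter value is
    accepted at most once, so a sniffed message is useless for replay and a
    forged source address gains nothing by itself.
    """

    def __init__(self, secrets):
        self.secrets = dict(secrets)
        self.last_counter = {user: 0 for user in self.secrets}

    def code(self, user, counter):
        msg = f"{user}:{counter}".encode()
        return hmac.new(self.secrets[user], msg, hashlib.sha256).hexdigest()[:12]

    def check(self, body):
        try:
            user, counter, code = body.split()
            counter = int(counter)
        except ValueError:
            return False
        if user not in self.secrets or counter <= self.last_counter[user]:
            return False
        if not hmac.compare_digest(code, self.code(user, counter)):
            return False
        self.last_counter[user] = counter
        return True


def demo():
    """Run both checks against a sniffed message and a spoofed replay of it."""
    captured = ("+48501000111", "john 12blah45")   # what a carrier could sniff
    spoofed = ("+48501000111", "john 12blah45")    # attacker forges the source
    results = {
        "static_real": smsotpd_check(*captured),
        "static_spoofed_replay": smsotpd_check(*spoofed),
    }
    server = CounterOtpServer({"john": b"constructed-per-user-secret"})
    body = f"john 1 {server.code('john', 1)}"
    results["hmac_first_use"] = server.check(body)
    results["hmac_replay"] = server.check(body)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The static check accepts the spoofed replay because the only things it examines, the source number and the body, are both supplied by whoever controls the SMS path. The counter variant only shows what binding the message to a per-user secret and a monotonic counter buys; it still assumes the phone can compute an HMAC and that the secret was provisioned out of band, neither of which the quoted proposal provides for.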
Current thread:
- otp - the next generation Lukasz Luzar (Mar 22)
- Re: otp - the next generation Szilveszter Adam (Mar 23)
- Re: otp - the next generation Casper Dik (Mar 23)
- Re: otp - the next generation Denis A. Doroshenko (Mar 23)
- Re: otp - the next generation Gregory Steuck (Mar 23)
- Re: otp - the next generation Tollef Fog Heen (Mar 23)
- Re: otp - the next generation Ben Laurie (Mar 23)
- Re: otp - the next generation Dag-Erling Smorgrav (Mar 23)
- Re: otp - the next generation Tristam Fenton-May (Mar 23)
- <Possible follow-ups>
- Re: otp - the next generation Elias Levy (Mar 23)
- Re: otp - the next generation Szilveszter Adam (Mar 23)