
Re: creative ssh-agent uses



On Mon, Dec 04, 2006 at 09:25:38PM +0200, Ratiu Petru wrote:
> What I'm thinking is to provide a static string as a challenge and use the
> response as the cryptodevice password, but I can't find a program that
> allows me to manipulate the socket this way. This mechanism might also be
> used for other purposes, stacking public key authentication in a "normal"
> password-based login.

I do not think this is a good idea. If the challenge is static, the
response will be, too. Then you might be vulnerable to replay attacks.

> I guess I am either missing an obvious security flaw to this, 

I am no expert on SSH, but I know some cryptographic protocols where a
challenge must not be used more than once. Otherwise the protocol
becomes insecure.

Stefan

-- 
31.69 nHz = once a year.
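
The replay concern raised in this message, as an added example that is not part of the original mail: a verifier that always issues the same challenge accepts a response recorded from an earlier session, while one that issues single-use random challenges rejects it. HMAC-SHA256 stands in for a deterministic agent signature; the key, challenge string and all names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; stands in for the private key held by the agent.
AGENT_KEY = b"constructed-demo-key-not-a-real-secret"


def agent_sign(challenge: bytes, key: bytes = AGENT_KEY) -> bytes:
    """Deterministic response to a challenge (HMAC stands in for a signature)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class StaticChallengeVerifier:
    """Always issues the same challenge, as proposed in the quoted text."""
    CHALLENGE = b"static-challenge"  # constructed value

    def issue(self) -> bytes:
        return self.CHALLENGE

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(response, agent_sign(self.CHALLENGE))


class FreshChallengeVerifier:
    """Issues a random challenge per attempt and accepts each one only once."""

    def __init__(self) -> None:
        self._outstanding = set()

    def issue(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # never issued, or already consumed
        self._outstanding.discard(challenge)
        return hmac.compare_digest(response, agent_sign(challenge))


def replay_accepted(verifier) -> bool:
    """Authenticate once, then present the recorded response to a new challenge."""
    first = verifier.issue()
    recorded = agent_sign(first)  # response observed during a legitimate session
    if not verifier.verify(first, recorded):
        raise RuntimeError("legitimate authentication failed")
    return verifier.verify(verifier.issue(), recorded)
```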
