Re: OPIE and S/Key authentication

To: debian-security@lists.debian.org
Subject: Re: OPIE and S/Key authentication
From: Russ Allbery <rra@debian.org>
Date: Sun, 19 Aug 2007 10:51:51 -0700
Message-id: <[🔎] 87ir7bfm4o.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20070819105910.GA29351@mail.post.ru> (Stanislav Maslovski's message of "Sun, 19 Aug 2007 14:59:10 +0400")
References: <[🔎] 20070819105910.GA29351@mail.post.ru>

Stanislav Maslovski <stanislav.maslovski@gmail.com> writes:

> What do you say, can MD5-based OPIE system be still considered secure?
> In the repository there are opie-server and opie-client.

> Do I understand right that the strength of this system is the strength of
> one step of MD5? Are there any alternatives where a different hashing
> function can be choosen (if that is advisable)?

The weakness in MD5 is not yet of the type that is likely to compromise
OPIE systems, IMO.  The attacker still has to have quite a lot of control
over what's being compared.  Of course, changing to a better hash
algorithm is still a good idea.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: OPIE and S/Key authentication
  - From: Stanislav Maslovski <stanislav.maslovski@gmail.com>

References:
- OPIE and S/Key authentication
  - From: Stanislav Maslovski <stanislav.maslovski@gmail.com>

Prev by Date: OPIE and S/Key authentication
Next by Date: Re: secure installation
Previous by thread: OPIE and S/Key authentication
Next by thread: Re: OPIE and S/Key authentication
Index(es):
- Date
- Thread