On Sun, Aug 19, 2007 at 10:51:51AM -0700, Russ Allbery wrote:
> Stanislav Maslovski <stanislav.maslovski@gmail.com> writes:
> > What do you say, can MD5-based OPIE system be still considered secure?
> > In the repository there are opie-server and opie-client.
> > Do I understand right that the strength of this system is the strength of
> > one step of MD5? Are there any alternatives where a different hashing
> > function can be chosen (if that is advisable)?
> The weakness in MD5 is not yet of the type that is likely to compromise
> OPIE systems, IMO.  The attacker still has to have quite a lot of control
> over what's being compared.  Of course, changing to a better hash
> algorithm is still a good idea.

Another thing that bothers me is that OPIE's hash is 64 bits. If the
infamous birthday attack applies here then only about 2^32 tries are needed
to find a 64-bit sequence with a hash that will collide with the last OPIE
password (which is assumed to be seen by an intruder).
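
For reference, the construction under discussion, as an added example that is not part of the original message or of the opie-server/opie-client code: a one-time-password chain in the style of RFC 2289, where each MD5 digest is folded to 64 bits and the server stores only the last accepted value. The passphrase, seed, `OtpServer` class and `demo` function are constructed for illustration.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """MD5, then XOR the two 8-byte halves to get the 64-bit OTP value."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Initial step hashes seed + passphrase; then apply the fold `count` times."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


class OtpServer:  # hypothetical name, illustration only
    """Keeps only the last accepted 64-bit OTP, never the passphrase."""

    def __init__(self, last_otp: bytes, count: int):
        self.last_otp = last_otp
        self.count = count

    def verify(self, candidate: bytes) -> bool:
        # One more hash step on the candidate must give the stored value.
        if len(candidate) != 8 or self.count == 0:
            return False
        if not hmac.compare_digest(fold_md5(candidate), self.last_otp):
            return False
        self.last_otp = candidate   # chain moves one step back
        self.count -= 1
        return True


def demo() -> list:
    secret, seed = "constructed passphrase", "ab1234"   # constructed sample values
    server = OtpServer(otp(secret, seed, 100), 100)
    first = otp(secret, seed, 99)
    return [
        server.verify(first),                  # next value in the chain
        server.verify(first),                  # replay of an observed value
        server.verify(otp(secret, seed, 98)),  # following login
        server.verify(bytes(8)),               # arbitrary 64-bit guess
    ]


if __name__ == "__main__":
    print(demo())
```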


