Re: OPIE and S/Key authentication
On Mon, Aug 20, 2007 at 09:57:38AM +0400, Stanislav Maslovski wrote:
> On Sun, Aug 19, 2007 at 10:51:51AM -0700, Russ Allbery wrote:
> > Stanislav Maslovski <email@example.com> writes:
> > > What do you say, can MD5-based OPIE system be still considered secure?
> > > In the repository there are opie-server and opie-client.
> > > Do I understand right that the strength of this system is the strength of
> > > one step of MD5? Are there any alternatives where a different hashing
> > > function can be choosen (if that is advisable)?
> > The weakness in MD5 is not yet of the type that is likely to compromise
> > OPIE systems, IMO. The attacker still has to have quite a lot of control
> > over what's being compared. Of course, changing to a better hash
> > algorithm is still a good idea.
> Another thing that bothers me is that OPIE's hash is 64 bits. If the
> infamous birthday attack applies here than only about 2^32 tries are needed
No, I am probably wrong. It does not apply when one sequence (the last
password) from a pair of sequences is fixed, right? So, it is full 2^64 space.