tech-security: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]

Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-security
Date: 01/31/2000 05:29:04

  by redmail.netbsd.org with SMTP; 30 Jan 2000 18:29:09 -0000
	by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.59) id SA12710;
	Mon, 31 Jan 2000 05:29:05 +1100 (from kre@munnari.OZ.AU)
From: Robert Elz <kre@munnari.OZ.AU>
To: tech-security@NetBSD.ORG (NetBSD Security Technical Discussion List)
Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability] 
In-Reply-To: Your message of "Sun, 30 Jan 2000 13:07:50 CDT."
             <m12EylK-000g6HC@most.weird.com> 
Date: Mon, 31 Jan 2000 05:29:04 +1100
Message-Id: <10352.949256944@munnari.OZ.AU>

    Date:        Sun, 30 Jan 2000 13:07:50 -0500 (EST)
    From:        woods@most.weird.com (Greg A. Woods)
    Message-ID:  <m12EylK-000g6HC@most.weird.com>

  | I'm also now confused as to how it's not possible for someone to
  | determine the next appropriate challenge (and thus calculate the
  | appropriate response) if the /etc/skeykeys file is publicly readable.
  | Obviously if this is true there must be some cryptographically secure
  | algorithm that can combine the seed and the secret to generate a new and
  | hopefully unique challenge.  Unfortunately the documentation is
  | completely silent about the algorithms involved.

Is it?   Maybe I read about it elsewhere.

Its a simple one time hash on the seed and the secret, performed
N times.   Each time it is used the result replaces the known hash
(in skeykeys) and N-1 is used next time.   This relies upon the
uninvertability (if there is such a work) of the hash.  MD5 (or sometimes
MD4) is used as the hash function - it is believed to be hard to invert.
That is, it is easy to go from secret to hash(secret)^N, but very
hard to get from hash(secret)^N to hash(secret)^(N-1).

  | I worry about this
  | because in other implementations of challenge/response systems, such as
  | "CryptoCard(tm)", it's possible to compute the challenge response if one
  | knows RNG seed (and the calculator PIN?).

As it is here - but the seed is the secret, only you know that (in theory).
The skeykeys file is just like the traditional unix passwd file, and only
stores the hashed value (the N times hasshed value, then after that is
used once, the N-1 times hashed value).

  | Thanks for verifying.  I thought it might be but I've been unable to
  | boot a newer sparc release on my spare ss1 and have no non-i386 -current
  | machines to test on.

It was fixed before 1.4.1, maybe even before 1.4 (might have been as
early as 1.3.2 - though I remember being annoyed it wasn't fixed in 1.3.1)

  | 'md5 -x' (a test I'd forgotten completely about) seems to match on all
  | the different machines I've got....

The problem was a mismatch in the theory as to who was supposed to byte
swap the md5 output - it some early version, the md5 results it that were
used produced an endian dependent result, so the skey mainline compensated.
Someone fixed md5 (or switched to a new version) but didn't undo the
skey hack around the bug.

kre