

From: anonymous
Subject: [OATH-Toolkit-help] [sr #108937] Improve security by disallowing TOTP code reuse
Date: Thu, 10 Dec 2015 18:39:39 +0000
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0

URL:
  <http://savannah.nongnu.org/support/?108937>

                 Summary: Improve security by disallowing TOTP code reuse
                 Project: OATH Toolkit
            Submitted by: None
            Submitted on: Thu 10 Dec 2015 18:39:38 UTC
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: address@hidden
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None

    _______________________________________________________

Details:

There is nothing in the HOTP standard that prevents TOTP codes from being reused.
This allows attackers to perform a synchronous attack when they are able to read the code
(think MitM, keylogger...) and, simply, to log in at the same time as the user
does. This is blocked by counter-based HOTP, but those have other issues.

An interesting security feature of the google-authenticator PAM module is to
prevent a code from being used more than once. See
https://github.com/google/google-authenticator/blob/master/libpam/pam_google_authenticator.c#L1008
for the implementation. This significantly increases security in the specific
attack scenario described above.




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/support/?108937>

_______________________________________________
  Message posted via Savannah
  http://savannah.nongnu.org/
