Re: [OATH-Toolkit-help] [sr #108937] Improve security by disallowing TOTP code reuse
From: Ilkka Virta
Subject: Re: [OATH-Toolkit-help] [sr #108937] Improve security by disallowing TOTP code reuse
Date: Fri, 11 Dec 2015 01:11:37 +0200
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
Are you sure it doesn't check that already?
I get the following on a second try with the same OTP:
[pam_oath.c:pam_sm_authenticate(238)] conv returned: 252269
[pam_oath.c:pam_sm_authenticate(302)] OTP: 252269
[pam_oath.c:pam_sm_authenticate(312)] authenticate rc -7
(OATH_REPLAYED_OTP: The OTP has been replayed) last otp Fri Dec 11 00:56:18 2015
On 10.12. 20:39, anonymous wrote:
URL:
<http://savannah.nongnu.org/support/?108937>
Summary: Improve security by disallowing TOTP code reuse
Project: OATH Toolkit
Submitted by: None
Submitted on: Thu. 10 Dec. 2015 18:39:38 UTC
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email: address@hidden
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
There is nothing in the HOTP standard that prevents TOTP codes from being reused.
This allows attackers to perform a synchronous attack when able to read the code
(think MitM, keylogger...) and, simply, to log in at the same time as the user
does. This is blocked by counter-based HOTP, but these have other issues.
An interesting security feature of the google-authenticator PAM module is to
prevent a code from being used more than once. See
https://github.com/google/google-authenticator/blob/master/libpam/pam_google_authenticator.c#L1008
for the implementation. This significantly increases security in the specific
attack scenario described above.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/support/?108937>
_______________________________________________
Message posted via Savannah
http://savannah.nongnu.org/
--
Ilkka Virta <address@hidden>