oath-toolkit-help

From: Ilkka Virta
Subject: Re: [OATH-Toolkit-help] [sr #108937] Improve security by disallowing TOTP code reuse
Date: Fri, 11 Dec 2015 01:11:37 +0200
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

Are you sure it doesn't check that already?

I get the following on a second try with the same OTP:
 [pam_oath.c:pam_sm_authenticate(238)] conv returned: 252269
 [pam_oath.c:pam_sm_authenticate(302)] OTP: 252269
[pam_oath.c:pam_sm_authenticate(312)] authenticate rc -7 (OATH_REPLAYED_OTP: The OTP has been replayed) last otp Fri Dec 11 00:56:18 2015


On 10.12. 20:39, anonymous wrote:
URL:
   <http://savannah.nongnu.org/support/?108937>

                  Summary: Improve security by disallowing TOTP code reuse
                  Project: OATH Toolkit
             Submitted by: None
             Submitted on: Thu. 10 Dec 2015 18:39:38 UTC
                 Category: None
                 Priority: 5 - Normal
                 Severity: 3 - Normal
                   Status: None
                  Privacy: Public
              Assigned to: None
         Originator Email: address@hidden
              Open/Closed: Open
          Discussion Lock: Any
         Operating System: None

     _______________________________________________________

Details:

There is nothing in the HOTP standard that prevents TOTP codes from being reused.
This allows attackers to perform a synchronous attack when able to read the code
(think MitM, keylogger...) and, simply, to log in at the same time as the user
does. This is blocked by counter-based HOTP, but these have other issues.

An interesting security feature of the google-authenticator PAM module is to
prevent a code from being used more than once. See
https://github.com/google/google-authenticator/blob/master/libpam/pam_google_authenticator.c#L1008
for implementation. This significantly increases security in the specific
attack scenario described above.


--
Ilkka Virta <address@hidden>
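The replay check discussed in this thread (reject a code whose time step is not newer than the last accepted one, the behaviour behind OATH_REPLAYED_OTP), written out as an added illustration that is neither pam_oath's nor google-authenticator's code. It assumes the RFC 4226/6238 test key as a constructed secret, 6-digit SHA-1 TOTP with a 30-second step, a skew window of one step, and a single in-memory user record; a real PAM module must persist `last_step` per user and lock the state file so two concurrent logins cannot both pass.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test vector key, not a real credential.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP_SECONDS)


class ReplayProtectedVerifier:
    """Accepts each time step at most once, so the same code cannot log in twice."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window          # accepted clock skew, in steps, on each side
        self.last_step = -1           # highest time step ever accepted; -1 = none yet

    def verify(self, code: str, now: int) -> str:
        current = now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                # Matching code, but only a step strictly newer than the last accepted
                # one may pass; this blocks a second use within the validity window
                # (the MitM / keylogger race in the report) and older in-window codes.
                if step <= self.last_step:
                    return "REPLAYED"
                self.last_step = step
                return "OK"
        return "INVALID"
```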
