[18041] in cryptography@c2.net mail archive
Re: Ostiary
daemon@ATHENA.MIT.EDU (Karl Chen)
Tue Aug  2 17:23:17 2005
X-Original-To: cryptography@metzdowd.com
From: Karl Chen <quarl@cs.berkeley.edu>
To: Udhay Shankar N <udhay@pobox.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <6.1.2.0.2.20050802175404.02e84628@pop.mail.yahoo.com>
Date: Tue, 02 Aug 2005 09:24:16 -0700

As an authentication protocol, it looks vulnerable to a time
synchronization attack: an attacker that can desynchronize the server
and client's clocks predictably can block the client's authentication
and use it as his own.  (Assuming the server's clock is monotonically
increasing, the command can only be used once.)  If the command utilizes
the IP address (e.g. as a port knock), this is a security hole.

Karl

On Tue, 2005-08-02 at 17:56 +0530, Udhay Shankar N wrote:
> Sounds interesting. Has anybody used this, and are there any comments?
> 
> Udhay
> 
> http://ingles.homeunix.org/software/ost/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
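
Added example, not part of the original message and not Ostiary's code or wire format: a generic timestamp-authenticated command verifier showing the clock dependence the message describes, next to a per-peer nonce challenge that has no clock to desynchronize. The design, key, window, command name and addresses are all constructed assumptions.

```python
import hashlib
import hmac
import os

KEY = b"constructed-shared-secret"  # constructed sample key
WINDOW = 30                         # assumed freshness window, in seconds

def mac(*parts):
    # Length-prefix each field so field boundaries are unambiguous.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(KEY, msg, hashlib.sha256).digest()

class TimestampServer:
    """Assumed design: accept (ts, command, tag) if ts is fresh by the server clock."""
    def __init__(self):
        self.last_ts = -1           # monotonic check: each timestamp is usable once
    def accept(self, server_now, ts, command, tag):
        good = hmac.compare_digest(tag, mac(str(ts).encode(), command))
        if not good or abs(server_now - ts) > WINDOW or ts <= self.last_ts:
            return False
        self.last_ts = ts
        return True

class NonceServer:
    """Hardened form: a random single-use challenge per peer, no clock involved."""
    def __init__(self):
        self.pending = {}           # peer address -> outstanding nonce
    def challenge(self, peer):
        self.pending[peer] = os.urandom(16)
        return self.pending[peer]
    def accept(self, peer, command, tag):
        nonce = self.pending.pop(peer, None)   # consumed on first use
        return nonce is not None and hmac.compare_digest(tag, mac(nonce, command))

def timestamp_scenario():
    srv, ts, cmd = TimestampServer(), 1000, b"open-port"
    tag = mac(str(ts).encode(), cmd)           # client authenticates at true time 1000
    early = srv.accept(900, ts, cmd, tag)      # server clock 100 s behind: rejected
    later = srv.accept(1000, ts, cmd, tag)     # same bytes verify once the clock reaches ts
    again = srv.accept(1001, ts, cmd, tag)     # single-use check stops a second acceptance
    return early, later, again                 # (False, True, False)

def nonce_scenario():
    srv, cmd = NonceServer(), b"open-port"
    tag = mac(srv.challenge("192.0.2.10"), cmd)    # client answers its own challenge
    srv.challenge("198.51.100.7")                  # a different peer gets a different nonce
    other = srv.accept("198.51.100.7", cmd, tag)   # tag does not match that peer's nonce
    owner = srv.accept("192.0.2.10", cmd, tag)
    return other, owner, srv.accept("192.0.2.10", cmd, tag)   # (False, True, False)
```

In the timestamp design the tag's validity depends only on the server's clock, so nothing ties an accepted command to the host that produced it; the nonce design ties each response to the peer that received the challenge.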