[3069] in WWW Security List Archive
Re: S/KEY authentication over HTTP protocol
daemon@ATHENA.MIT.EDU (Jim Bandy)
Wed Sep 25 14:23:51 1996
Date: Wed, 25 Sep 1996 11:21:20 -0500
From: Jim Bandy <jbandy@uswest.net>
To: Evil Pete <shipley@dis.org>
CC: LAI CHACK AN ITSC NCS <calai@ncspo3.ncs.com.sg>,
www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Of course the number of s-keys generated at once is arbitrary. By using
keyinit -s (the non-secure channel method) you can set the # of keys to
gen. Nevertheless, having a hard limit of available keys is a problem.
Jim Bandy
jbandy@uswest.net
Evil Pete wrote:
>
> >
> > The basic authentication mechanism of HTTP protocol is fine except that
> >it sends the password over the wire in the clear and would make it
> >vulnerable for sniffers. Hence I was just wondering if you know of any
> >initiatives/product that allows s/key authentication access for web
> >pages.. I've seen implementations of JAVA S/key calculators around the
> >web and was just curious to find out if anyone has integrated it into a
> >S/KEY authentication mechanism for web pages?
> >
> >Charles Lai
> >
>
> sounds interesting but there are some implementation details that have to
> be worked out such as since the WWW client sends the password over the wire
> for each page (because this is a stateless system) you can burn through
> your list of 100 skeys in a day easy...
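
The key-exhaustion problem raised in this thread, as an added example that is not part of the original messages: a Lamport-style hash chain of the kind S/KEY uses, where every stateless page request consumes one one-time password. The names `enroll`, `Server` and `fetch_pages` are hypothetical, and truncated SHA-256 stands in for S/KEY's own 64-bit hash.

```python
import hashlib

def h(x: bytes) -> bytes:
    # Assumption: SHA-256 cut to 8 bytes replaces S/KEY's 64-bit folded hash.
    return hashlib.sha256(x).digest()[:8]

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """One-time password number n: h applied n times to seed+secret (n >= 1)."""
    v = h(seed + secret)
    for _ in range(n - 1):
        v = h(v)
    return v

class Server:
    """Holds only the last accepted chain value, never the secret itself."""
    def __init__(self, seed: bytes, stored: bytes, seq: int):
        self.seed, self.stored, self.seq = seed, stored, seq

    def challenge(self):
        # The next OTP is one step below the stored value; None means the
        # chain is used up and the user must re-initialise (keyinit).
        return None if self.seq <= 1 else (self.seq - 1, self.seed)

    def verify(self, otp: bytes) -> bool:
        if self.seq <= 1 or h(otp) != self.stored:
            return False            # exhausted, wrong, or replayed OTP
        self.stored, self.seq = otp, self.seq - 1
        return True

def enroll(secret: bytes, seed: bytes, count: int) -> Server:
    # Store chain value count+1 so that exactly `count` OTPs are usable.
    return Server(seed, chain(secret, seed, count + 1), count + 1)

def fetch_pages(server: Server, secret: bytes, pages: int) -> int:
    """Each request is authenticated on its own, so each burns one OTP."""
    served = 0
    for _ in range(pages):
        ch = server.challenge()
        if ch is None:
            break                   # no keys left: further pages are refused
        n, seed = ch
        if server.verify(chain(secret, seed, n)):
            served += 1
    return served

if __name__ == "__main__":
    srv = enroll(b"constructed-passphrase", b"ke1234", 100)   # constructed values
    print("pages served out of 150 requested:", fetch_pages(srv, b"constructed-passphrase", 150))
```

A sniffed one-time password is useless for replay because the server has already moved its stored value down the chain, but the same property is what limits a 100-key list to 100 page fetches.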