* 2.4.22-pre7: are security issues solved?
@ 2003-07-21 20:40 Aschwin Marsman
2003-07-22 7:04 ` Marc-Christian Petersen
2003-07-23 9:56 ` Herbert Xu
0 siblings, 2 replies; 22+ messages in thread
From: Aschwin Marsman @ 2003-07-21 20:40 UTC (permalink / raw)
To: linux-kernel
Hi,
Red Hat has released a new kernel today, that fixes several security issues.
I currently use 2.4.22-pre7, are those security issues solved in this kernel
too? Below are the descriptions from the errata:
> CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts
> for serial links. This could be used by a local attacker to infer password
> lengths and inter-keystroke timings during password entry.
> CAN-2003-0462: Paul Starzetz discovered a file read race condition existing
> in the execve() system call, which could cause a local crash.
> CAN-2003-0464: A recent change in the RPC code set the reuse flag on
> newly-created sockets. Olaf Kirch noticed that his could allow normal
> users to bind to UDP ports used for services such as nfsd.
> CAN-2003-0476: The execve system call in Linux 2.4.x records the file
> descriptor of the executable process in the file table of the calling
> process, allowing local users to gain read access to restricted file
> descriptors.
> CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain
> sensitive information by opening various entries in /proc/self before
> executing a setuid program. This causes the program to fail to change the
> ownership and permissions of already opened entries.
> CAN-2003-0550: The STP protocol is known to have no security, which could
> allow attackers to alter the bridge topology. STP is now turned off by
> default.
> CAN-2003-0551: STP input processing was lax in its length checking, which
> could lead to a denial of service.
> CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could
> be spoofed by sending forged packets with bogus source addresses the same
> as the local host.
Have fun,
Aschwin Marsman
--
aYniK Software Solutions all You need is Knowledge
P.O. box 134 NL-7600 AC Almelo - the Netherlands
a.marsman@aYniK.com http://www.aYniK.com
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-21 20:40 2.4.22-pre7: are security issues solved? Aschwin Marsman
@ 2003-07-22 7:04 ` Marc-Christian Petersen
2003-07-22 15:02 ` Aschwin Marsman
2003-07-23 9:56 ` Herbert Xu
1 sibling, 1 reply; 22+ messages in thread
From: Marc-Christian Petersen @ 2003-07-22 7:04 UTC (permalink / raw)
To: Aschwin Marsman, linux-kernel
On Monday 21 July 2003 22:40, Aschwin Marsman wrote:
Hi Aschwin,
> Red Hat has released a new kernel today, that fixes several security
> issues. I currently use 2.4.22-pre7, are those security issues solved in
> this kernel too?
no.
ciao, Marc
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-22 7:04 ` Marc-Christian Petersen
@ 2003-07-22 15:02 ` Aschwin Marsman
2003-07-22 15:07 ` Marc-Christian Petersen
0 siblings, 1 reply; 22+ messages in thread
From: Aschwin Marsman @ 2003-07-22 15:02 UTC (permalink / raw)
To: Marc-Christian Petersen; +Cc: linux-kernel
On Tue, 22 Jul 2003, Marc-Christian Petersen wrote:
> On Monday 21 July 2003 22:40, Aschwin Marsman wrote:
>
> Hi Aschwin,
Hi Marc,
> > Red Hat has released a new kernel today, that fixes several security
> > issues. I currently use 2.4.22-pre7, are those security issues solved in
> > this kernel too?
> no.
Thanks for your reply, I only hoped for another answer. I hope that these
security issues will be solved in 2.4.22-pre8.
> ciao, Marc
Have fun,
Aschwin Marsman
--
aYniK Software Solutions all You need is Knowledge
P.O. box 134 NL-7600 AC Almelo - the Netherlands
a.marsman@aYniK.com http://www.aYniK.com
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-22 15:02 ` Aschwin Marsman
@ 2003-07-22 15:07 ` Marc-Christian Petersen
2003-07-22 17:01 ` Marcelo Tosatti
0 siblings, 1 reply; 22+ messages in thread
From: Marc-Christian Petersen @ 2003-07-22 15:07 UTC (permalink / raw)
To: Aschwin Marsman; +Cc: linux-kernel, Marcelo Tosatti
On Tuesday 22 July 2003 17:02, Aschwin Marsman wrote:
Hi Aschwin,
> > > Red Hat has released a new kernel today, that fixes several security
> > > issues. I currently use 2.4.22-pre7, are those security issues solved
> > > in this kernel too?
> > no.
> Thanks for your reply, I only hoped for another answer. I hope that these
> security issues will be solved in 2.4.22-pre8.
well, I hope that too ;)
I can send these patches for inclusion. Marcelo? Would you consider including
them?
ciao, Marc
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-22 15:07 ` Marc-Christian Petersen
@ 2003-07-22 17:01 ` Marcelo Tosatti
0 siblings, 0 replies; 22+ messages in thread
From: Marcelo Tosatti @ 2003-07-22 17:01 UTC (permalink / raw)
To: Marc-Christian Petersen; +Cc: Aschwin Marsman, linux-kernel
On Tue, 22 Jul 2003, Marc-Christian Petersen wrote:
> On Tuesday 22 July 2003 17:02, Aschwin Marsman wrote:
>
> Hi Aschwin,
>
> > > > Red Hat has released a new kernel today, that fixes several security
> > > > issues. I currently use 2.4.22-pre7, are those security issues solved
> > > > in this kernel too?
> > > no.
> > Thanks for your reply, I only hoped for another answer. I hope that these
> > security issues will be solved in 2.4.22-pre8.
> well, I hope that too ;)
>
> I can send these patches for inclusion. Marcelo? Would you consider including
> them?
Yes, of course.
Please send them for _consideration_. ;)
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-21 20:40 2.4.22-pre7: are security issues solved? Aschwin Marsman
2003-07-22 7:04 ` Marc-Christian Petersen
@ 2003-07-23 9:56 ` Herbert Xu
2003-07-23 10:35 ` David S. Miller
1 sibling, 1 reply; 22+ messages in thread
From: Herbert Xu @ 2003-07-23 9:56 UTC (permalink / raw)
To: Aschwin Marsman, alan, linux-kernel
Aschwin Marsman <a.marsman@aynik.com> wrote:
>
>> CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts
>> for serial links. This could be used by a local attacker to infer password
>> lengths and inter-keystroke timings during password entry.
What's the problem with exposing those counters? Are we going to restrict
access to /proc/interrupts and network interface counters too?
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 22+ messages in thread* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 9:56 ` Herbert Xu
@ 2003-07-23 10:35 ` David S. Miller
2003-07-23 10:39 ` Herbert Xu
` (3 more replies)
0 siblings, 4 replies; 22+ messages in thread
From: David S. Miller @ 2003-07-23 10:35 UTC (permalink / raw)
To: Herbert Xu; +Cc: a.marsman, alan, linux-kernel
On Wed, 23 Jul 2003 19:56:47 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:
> Aschwin Marsman <a.marsman@aynik.com> wrote:
> >
> >> CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts
> >> for serial links. This could be used by a local attacker to infer password
> >> lengths and inter-keystroke timings during password entry.
>
> What's the problem with exposing those counters?
If I know your password is 7 characters I have a smaller
space of passwords to search to just brute-force it.
^ permalink raw reply [flat|nested] 22+ messages in thread* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 10:35 ` David S. Miller
@ 2003-07-23 10:39 ` Herbert Xu
2003-07-23 10:48 ` David S. Miller
2003-07-23 10:47 ` Herbert Xu
` (2 subsequent siblings)
3 siblings, 1 reply; 22+ messages in thread
From: Herbert Xu @ 2003-07-23 10:39 UTC (permalink / raw)
To: David S. Miller; +Cc: a.marsman, alan, linux-kernel
On Wed, Jul 23, 2003 at 03:35:05AM -0700, David S. Miller wrote:
> On Wed, 23 Jul 2003 19:56:47 +1000
> Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> > Aschwin Marsman <a.marsman@aynik.com> wrote:
> > >
> > >> CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts
> > >> for serial links. This could be used by a local attacker to infer password
> > >> lengths and inter-keystroke timings during password entry.
> >
> > What's the problem with exposing those counters?
>
> If I know your password is 7 characters I have a smaller
> space of passwords to search to just brute-force it.
Yes but can't you do the same thing with /proc/interrupts or
/proc/net/dev? Why are we singling out the serial driver?
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 22+ messages in thread* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 10:39 ` Herbert Xu
@ 2003-07-23 10:48 ` David S. Miller
0 siblings, 0 replies; 22+ messages in thread
From: David S. Miller @ 2003-07-23 10:48 UTC (permalink / raw)
To: Herbert Xu; +Cc: a.marsman, alan, linux-kernel
On Wed, 23 Jul 2003 20:39:01 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:
> On Wed, Jul 23, 2003 at 03:35:05AM -0700, David S. Miller wrote:
> > On Wed, 23 Jul 2003 19:56:47 +1000
> > Herbert Xu <herbert@gondor.apana.org.au> wrote:
> > If I know your password is 7 characters I have a smaller
> > space of passwords to search to just brute-force it.
>
> Yes but can't you do the same thing with /proc/interrupts or
> /proc/net/dev? Why are we singling out the serial driver?
With the serial procfs thing, we know exactly that it is
characters.
With interrupts and network device statistics, we cannot make
such assumptions making attacks using these facilities much
less likely to be feasible.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 10:35 ` David S. Miller
2003-07-23 10:39 ` Herbert Xu
@ 2003-07-23 10:47 ` Herbert Xu
2003-07-23 10:50 ` David S. Miller
2003-07-23 17:47 ` David Wagner
2003-07-23 11:57 ` Ville Herva
2003-07-24 9:11 ` Florian Weimer
3 siblings, 2 replies; 22+ messages in thread
From: Herbert Xu @ 2003-07-23 10:47 UTC (permalink / raw)
To: David S. Miller; +Cc: a.marsman, alan, linux-kernel
On Wed, Jul 23, 2003 at 03:35:05AM -0700, David S. Miller wrote:
>
> If I know your password is 7 characters I have a smaller
> space of passwords to search to just brute-force it.
It's much smaller if you didn't know that it was at most 7 characters
long. However, if you did know the upper bound, or you were just
brute forcing all passwords starting from 1 character, then the
difference is relatively minor. This is because
n + n^2 + n^3 + n^4 + n^5 + n^6
is much smaller than n^7 where n is something like 62 for a reasonable
password.
So if your password was broken using this method, then it's probably
too short anyway.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 22+ messages in thread* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 10:47 ` Herbert Xu
@ 2003-07-23 10:50 ` David S. Miller
2003-07-23 10:59 ` Herbert Xu
2003-07-23 17:47 ` David Wagner
1 sibling, 1 reply; 22+ messages in thread
From: David S. Miller @ 2003-07-23 10:50 UTC (permalink / raw)
To: Herbert Xu; +Cc: a.marsman, alan, linux-kernel
On Wed, 23 Jul 2003 20:47:53 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:
> On Wed, Jul 23, 2003 at 03:35:05AM -0700, David S. Miller wrote:
> > If I know your password is 7 characters I have a smaller
> > space of passwords to search to just brute-force it.
>
> It's much smaller if you didn't know that it was at most 7 characters
> long. However, if you did know the upper bound, or you were just
> brute forcing all passwords starting from 1 character, then the
> difference is relatively minor. This is because
>
> n + n^2 + n^3 + n^4 + n^5 + n^6
>
> is much smaller than n^7 where n is something like 62 for a reasonable
> password.
"7" in my example is an arbitrary number, increase it to any larger
number you like.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 10:50 ` David S. Miller
@ 2003-07-23 10:59 ` Herbert Xu
2003-07-23 20:16 ` Aurelien Jarno
0 siblings, 1 reply; 22+ messages in thread
From: Herbert Xu @ 2003-07-23 10:59 UTC (permalink / raw)
To: David S. Miller; +Cc: a.marsman, alan, linux-kernel
On Wed, Jul 23, 2003 at 03:50:22AM -0700, David S. Miller wrote:
>
> > It's much smaller if you didn't know that it was at most 7 characters
> > long. However, if you did know the upper bound, or you were just
> > brute forcing all passwords starting from 1 character, then the
> > difference is relatively minor. This is because
> >
> > n + n^2 + n^3 + n^4 + n^5 + n^6
> >
> > is much smaller than n^7 where n is something like 62 for a reasonable
> > password.
>
> "7" in my example is an arbitrary number, increase it to any larger
> number you like.
Well, as m gets larger, the number
(n + n^2 + ... + n^(m-1)) / n^m
tends to 1 / (n - 1).
In other words, if you can break n^m, then you can probably break
n + n^2 + ... + n^m
Anyway, I'm not that bothered with making /proc/tty/driver root-only,
even if it is only for what seems to me to be dubious reasons.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 22+ messages in thread* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 10:59 ` Herbert Xu
@ 2003-07-23 20:16 ` Aurelien Jarno
2003-07-23 20:23 ` Alan Cox
0 siblings, 1 reply; 22+ messages in thread
From: Aurelien Jarno @ 2003-07-23 20:16 UTC (permalink / raw)
To: Herbert Xu; +Cc: linux-kernel
On Wed, Jul 23, 2003 at 08:59:03PM +1000, Herbert Xu wrote:
> Anyway, I'm not that bothered with making /proc/tty/driver root-only,
> even if it is only for what seems to me to be dubious reasons.
Or maybe it is possible to update this information with a longer period.
Let's say for example 5 seconds. So it is almost impossible to determine
the length of a password.
It is a little more complicated, but it has the advantage that the
statistics about the serial ports are still available for normal users.
Aurelien
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 20:16 ` Aurelien Jarno
@ 2003-07-23 20:23 ` Alan Cox
0 siblings, 0 replies; 22+ messages in thread
From: Alan Cox @ 2003-07-23 20:23 UTC (permalink / raw)
To: Aurelien Jarno; +Cc: Herbert Xu, Linux Kernel Mailing List
On Mer, 2003-07-23 at 21:16, Aurelien Jarno wrote:
> Or maybe it is possible to update this information with a longer period.
> Let's say for example 5 seconds. So it is almost impossible to determine
> the length of a password.
In some cases that is still useful information. People brought up the
IRQ data and to be honest that also is something I'd prefer wasn't non
root viewable.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 10:47 ` Herbert Xu
2003-07-23 10:50 ` David S. Miller
@ 2003-07-23 17:47 ` David Wagner
1 sibling, 0 replies; 22+ messages in thread
From: David Wagner @ 2003-07-23 17:47 UTC (permalink / raw)
To: linux-kernel
Herbert Xu wrote:
>On Wed, Jul 23, 2003 at 03:35:05AM -0700, David S. Miller wrote:
>> If I know your password is 7 characters I have a smaller
>> space of passwords to search to just brute-force it.
>
>It's much smaller if you didn't know that it was at most 7 characters
>long.
Yes, if I know I want to attack David Miller's password,
and I'm going to keep trying until I succeed, then knowing
the length of his password doesn't help much. However, if
I'm on a multi-user system and I just want to crack any
password for any one of the users on that system, then
knowing the lengths of passwords does help, because I can
focus my effort on those users with the shortest passwords.
Thus, revealing password lengths might heighten the risk of
password guessing (even if only by a small factor).
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 10:35 ` David S. Miller
2003-07-23 10:39 ` Herbert Xu
2003-07-23 10:47 ` Herbert Xu
@ 2003-07-23 11:57 ` Ville Herva
2003-07-23 17:50 ` David Wagner
2003-07-24 9:11 ` Florian Weimer
3 siblings, 1 reply; 22+ messages in thread
From: Ville Herva @ 2003-07-23 11:57 UTC (permalink / raw)
To: David S. Miller; +Cc: Herbert Xu, a.marsman, alan, linux-kernel
On Wed, Jul 23, 2003 at 03:35:05AM -0700, you [David S. Miller] wrote:
> On Wed, 23 Jul 2003 19:56:47 +1000
> Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> > Aschwin Marsman <a.marsman@aynik.com> wrote:
> > >
> > >> CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts
> > >> for serial links. This could be used by a local attacker to infer password
> > >> lengths and inter-keystroke timings during password entry.
> >
> > What's the problem with exposing those counters?
>
> If I know your password is 7 characters I have a smaller
> space of passwords to search to just brute-force it.
Further, if you monitor the /proc/tty/driver/serial character counts with
small enough resolution, I guess you could learn the delays between
individual key presses when the user enters his password. This can be used
to further aid the brute force attack (delays between different key pairs
have different average delays statistically, just as different characters
have different frequencies in a given language. I think there is a paper on
this, and someone suggested an attack like this for snooping ssh
passwords.)
-- v --
v@iki.fi
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 11:57 ` Ville Herva
@ 2003-07-23 17:50 ` David Wagner
0 siblings, 0 replies; 22+ messages in thread
From: David Wagner @ 2003-07-23 17:50 UTC (permalink / raw)
To: linux-kernel
Ville Herva wrote:
>Further, if you monitor the /proc/tty/driver/serial character counts with
>small enough resolution, I guess you could learn the delays between
>individual key presses when the user enters his password. This can be used
>to further aid the brute force attack (delays between different key pairs
>have different average delays statistically, just as different characters
>have different frequencies in a given language. I think there is a paper on
>this, and someone suggested an attack like this for snooping ssh
>passwords.)
Yes. The paper describing the attack on SSH is here:
http://www.cs.berkeley.edu/~daw/papers/ssh-use01.ps
http://www.cs.berkeley.edu/~daw/papers/ssh-use01.pdf
Dawn Xiaodong Song, David Wagner, and Xuqing Tian,
"Timing Analysis of Keystrokes and Timing Attacks on SSH",
10th USENIX Security Symposium, 2001.
A nice summary can be found here:
http://linux.oreillynet.com/lpt/a/linux/2001/11/08/ssh_keystroke.html
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 10:35 ` David S. Miller
` (2 preceding siblings ...)
2003-07-23 11:57 ` Ville Herva
@ 2003-07-24 9:11 ` Florian Weimer
3 siblings, 0 replies; 22+ messages in thread
From: Florian Weimer @ 2003-07-24 9:11 UTC (permalink / raw)
To: linux-kernel
"David S. Miller" <davem@redhat.com> writes:
> If I know your password is 7 characters I have a smaller
> space of passwords to search to just brute-force it.
This is not the real problem, IMHO.
If the counter is public, you can read it repeatedly to measure the
intervals between keypresses. If you take pair-wise timing into
account, you can narrow the search space considerably.
There's a detailed paper about the issue:
<http://www.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf>
(Even if the title says SSH, it applies to the public counter scenario
as well.)
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
@ 2003-07-23 12:56 John Bradford
2003-07-23 13:10 ` root
0 siblings, 1 reply; 22+ messages in thread
From: John Bradford @ 2003-07-23 12:56 UTC (permalink / raw)
To: davem, herbert; +Cc: a.marsman, alan, linux-kernel
> > If I know your password is 7 characters I have a smaller
> > space of passwords to search to just brute-force it.
>
> It's much smaller if you didn't know that it was at most 7 characters
> long. However, if you did know the upper bound, or you were just
> brute forcing all passwords starting from 1 character, then the
> difference is relatively minor. This is because
>
> n + n^2 + n^3 + n^4 + n^5 + n^6
>
> is much smaller than n^7 where n is something like 62 for a reasonable
> password.
>
> So if your password was broken using this method, then it's probably
> too short anyway.
One time passwords are much more secure.
John.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 12:56 John Bradford
@ 2003-07-23 13:10 ` root
0 siblings, 0 replies; 22+ messages in thread
From: root @ 2003-07-23 13:10 UTC (permalink / raw)
To: John Bradford; +Cc: davem, herbert, a.marsman, alan, linux-kernel
>
> > > If I know your password is 7 characters I have a smaller
> > > space of passwords to search to just brute-force it.
> >
> > It's much smaller if you didn't know that it was at most 7 characters
> > long. However, if you did know the upper bound, or you were just
> > brute forcing all passwords starting from 1 character, then the
> > difference is relatively minor. This is because
<snip>
> One time passwords are much more secure.
Nope.
Changing password to a password of similar complexity every 10 seconds
doesn't make it much less likely to be guessed than a static password.
It may mean you can't guess it again, but you generally don't want
an attacker to even log in once.
One-time passwords, using a key generator may be better for other
reasons for example, more entropy than "31137" or other passwords that
users might pick, or be able to remember.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
@ 2003-07-23 14:08 John Bradford
2003-07-23 15:46 ` Aschwin Marsman
0 siblings, 1 reply; 22+ messages in thread
From: John Bradford @ 2003-07-23 14:08 UTC (permalink / raw)
To: john, root; +Cc: a.marsman, alan, davem, herbert, linux-kernel
> > > > If I know your password is 7 characters I have a smaller
> > > > space of passwords to search to just brute-force it.
> > >
> > > It's much smaller if you didn't know that it was at most 7 characters
> > > long. However, if you did know the upper bound, or you were just
> > > brute forcing all passwords starting from 1 character, then the
> > > difference is relatively minor. This is because
> <snip>
> > One time passwords are much more secure.
>
> Nope.
> Changing password to a password of similar complexity every 10 seconds
> doesn't make it much less likely to be guessed than a static password.
For the attack in question, it does, as long as no two consecutive
passwords have the same number of characters.
For example, if the list of OTPs is:
alpha
beta
epsilon
The user logs in using the first password, and somebody logs that it
has five characters. The next valid password, (the only valid one),
has four.
John.
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: 2.4.22-pre7: are security issues solved?
2003-07-23 14:08 John Bradford
@ 2003-07-23 15:46 ` Aschwin Marsman
0 siblings, 0 replies; 22+ messages in thread
From: Aschwin Marsman @ 2003-07-23 15:46 UTC (permalink / raw)
To: John Bradford; +Cc: root, alan, davem, herbert, linux-kernel
On Wed, 23 Jul 2003, John Bradford wrote:
> > > > > If I know your password is 7 characters I have a smaller
> > > > > space of passwords to search to just brute-force it.
> > > >
> > > > It's much smaller if you didn't know that it was at most 7 characters
> > > > long. However, if you did know the upper bound, or you were just
> > > > brute forcing all passwords starting from 1 character, then the
> > > > difference is relatively minor. This is because
> > <snip>
> > > One time passwords are much more secure.
> >
> > Nope.
> > Changing password to a password of similar complexity every 10 seconds
> > doesn't make it much less likely to be guessed than a static password.
>
> For the attack in question, it does, as long as no two consecutive
> passwords have the same number of characters.
>
> For example, if the list of OTPs is:
>
> alpha
> beta
> epsilon
>
> The user logs in using the first password, and somebody logs that it
> has five characters. The next valid password, (the only valid one),
> has four.
And what if we forget using passwords and use a physical device, a smart
card e.g. like SUN is using to get acces to your desktop all over the
world? Is there support for Linux for an application like that?
> John.
Have fun,
Aschwin Marsman
--
aYniK Software Solutions all You need is Knowledge
P.O. box 134 NL-7600 AC Almelo - the Netherlands
a.marsman@aYniK.com http://www.aYniK.com
^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2003-07-24 8:56 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-07-21 20:40 2.4.22-pre7: are security issues solved? Aschwin Marsman
2003-07-22 7:04 ` Marc-Christian Petersen
2003-07-22 15:02 ` Aschwin Marsman
2003-07-22 15:07 ` Marc-Christian Petersen
2003-07-22 17:01 ` Marcelo Tosatti
2003-07-23 9:56 ` Herbert Xu
2003-07-23 10:35 ` David S. Miller
2003-07-23 10:39 ` Herbert Xu
2003-07-23 10:48 ` David S. Miller
2003-07-23 10:47 ` Herbert Xu
2003-07-23 10:50 ` David S. Miller
2003-07-23 10:59 ` Herbert Xu
2003-07-23 20:16 ` Aurelien Jarno
2003-07-23 20:23 ` Alan Cox
2003-07-23 17:47 ` David Wagner
2003-07-23 11:57 ` Ville Herva
2003-07-23 17:50 ` David Wagner
2003-07-24 9:11 ` Florian Weimer
2003-07-23 12:56 John Bradford
2003-07-23 13:10 ` root
2003-07-23 14:08 John Bradford
2003-07-23 15:46 ` Aschwin Marsman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).