| The issue of using clear text userids and passwords across the Internet
| has been discussed :(. Could someone give me an explanation of s/key and
| what the advantages are over userids and passwords?

S/Key does not replace userids; it only replaces reusable
passwords, either with a login (and ftp) replacement, or with a
special login shell that runs to get the user's S/Key password.

S/Key gets its security from the difficulty of going backwards
through MD4, a hash algorithm from RSA. The server (host to be
logged into) stores the Nth md4 of some secret passphrase. To
demonstrate to the server that I know this secret, I tell my local
software to give me the N-1th md4 hash of that secret. The server
receives it, runs it once through md4, and compares that to the stored
Nth hash. If they are the same, I get it, and the server stores the
password I just sent.

The advantage here is that I demonstrate my knowledge of a
secret without divulging that secret. By using fairly high values of
N (100-1000), I get many logins without demonstrating much new
information about the secret. Since the stored password can't be
used, no one can log in after listening to my login session. Because
the password is 64 bits, it's fairly resistant to dictionary attacks.
(Although single word passwords might be vulnerable, a three or four
word gibberish phrase is probably fine. Assess your threats, and
decide for yourself what is needed.)

Adam Shostack adam @
Politics. From the greek "poly," meaning many, and ticks, a small,
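
The hash-chain exchange described in the reply above, as an added example that is not part of the original post or of any S/Key implementation. SHA-256 folded to 64 bits stands in for MD4 (an assumption made because MD4 is often unavailable in modern `hashlib` builds), and the names `step`, `chain`, `Server` and `demo` are hypothetical.

```python
import hashlib
import hmac

def step(value: bytes) -> bytes:
    """One link of the chain: hash, then XOR-fold the digest down to 64 bits.
    Assumption: SHA-256 is used here in place of MD4."""
    d = hashlib.sha256(value).digest()
    return bytes(a ^ b ^ c ^ e for a, b, c, e in zip(d[0:8], d[8:16], d[16:24], d[24:32]))

def chain(secret: bytes, n: int) -> bytes:
    """Return the n-th hash of the secret (n applications of step)."""
    value = secret
    for _ in range(n):
        value = step(value)
    return value

class Server:
    """Holds only the N-th hash and N; it never sees the secret itself."""
    def __init__(self, nth_hash: bytes, n: int):
        self.stored = nth_hash
        self.n = n

    def challenge(self) -> int:
        # Index of the hash the client must send next.
        return self.n - 1

    def login(self, otp: bytes) -> bool:
        if self.n <= 1:
            # Chain exhausted: the next value would be the secret itself,
            # so refuse and require re-initialisation instead.
            return False
        if not hmac.compare_digest(step(otp), self.stored):
            return False
        # Accept, then store what was just sent: it is now useless to a listener.
        self.stored = otp
        self.n -= 1
        return True

def demo():
    secret = b"constructed gibberish pass phrase"   # constructed sample secret
    server = Server(chain(secret, 100), 100)
    otp = chain(secret, server.challenge())          # the 99th hash
    first = server.login(otp)                        # legitimate login
    replay = server.login(otp)                       # same value sent again
    nxt = server.login(chain(secret, server.challenge()))
    return first, replay, nxt, server.n

if __name__ == "__main__":
    print(demo())
```
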