Bill Husler <Bill @
>One thing that has been discussed recently, while not a "hole" in S/key,
>is the possibility of using a "Race" attack. . .
This attack is defeated in the latest OPIE setup. Details in the RFC,
coming soon to a NIC near you. Basicly you use line-at-a-time telnet,
which ensures by the time they see the carriage return, it's too late.
S/Key (and OPIE) are vulnerable to `man in the middle' attacks. This
requires the attacker to sit between the user and the host and intercept
all communication from user to host. But most things are susceptible
to man in the middle attacks. One of the wins with OPIE vs man in the
middle is that you lose only one session -- the password has not been
So I stand corrected on weaknesses in OPIE.
"Yea, the heavens shall open and the NP-complete solution given forth.
ATT executives shall give birth to two-headed operating systems, and
copyrights shall be expunged. The voice of the GNU shall be heard, but
the faithless will be without transceivers." -- me