[PATCH] Virtual Token (VToken) challenge authentication method
paul
pgsery at swcp.com
Fri Feb 8 17:25:41 EST 2008
The Virtual Token (VToken) patch
(https://bugzilla.mindrot.org/show_bug.cgi?id=1439) creates a kbdint
device that provides a new challenge-based authentication mechanism. The
server calculates a challenge from two secrets and a counter. You
authenticate by proving by correctly answering the challenge, proving
you know the secrets. This creates a software-based token, similar in
function to commercial ones, that can be run from your workstation or
better yet, ubiquitous devices such as PDAs, cell phones, calculators,
and even pen/paper.
VToken has the advantage of not only using cheap, generic devices but
also not requiring a dedicated network. Commercial system can only be
used with networks configured for their use. VToken can be used on any
machine running OpenSSH and a properly configured sshd_config file.
Thus, a single virtual token can authenticate to an unlimited number of
servers.
The current challenge is a place-holder for a more rigorous one. It uses
the simple equation: Challenge=Secret*Counter Mod(PIN). The secret is
designed to be embedded in the virtual token, while you must keep the
PIN secret; the counter protects against replay attacks. Taking the
modulus of the product maps the answer into a number set (or something
like that;). Ultimately, the calculation should probably be done by
taking the hash of the combined terms (anyone who captures the current
challenge will be able to calculate the secrets using brute force).
vtoken.c is an example virtual token app. It prompts you for your PIN
and calculates the challenge response from the secret, which is embedded
in it's source.
VToken in it's present form should be used in conjunction with the
"Multiauth" patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1435),
which allows you to use multiple authentication methods tolog into a
machine. You'll want to use Pubkey together with VToken.
In the future, VToken will by itself will provide two-factor
authentication. The secret will be embedded in the app and effectively
be embedded in your PDA, cell phone, etc. You'll keep your PIN separate,
of course, and use the two just like on commercial tokens.
This patch might indeed be better suited for PAM or other platform.
However, I'm submitting here because I use OpenSSH every day and would
like the ability to natively use stronger authentication. It's also been
fun learning and hacking the code.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-kbdint-hack.patch
Type: text/x-patch
Size: 24583 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20080207/7658f397/attachment-0001.bin
More information about the openssh-unix-dev
mailing list