[Tech] Proposal: one-time passwords
Florent Daignière (NextGen$)
nextgens at freenetproject.org
Tue Mar 6 15:00:55 UTC 2007
* Michael Rogers <m.rogers at cs.ucl.ac.uk> [2007-03-06 14:46:36]:
> Matthew Toseland wrote:
> > You give a friend your IP address, port number, and a one-time password.
> > This can be used precisely once. It can however be used by a newbie.
>
> Sounds reasonable, but a public key fingerprint - even a short one -
> would be more secure against eavesdroppers than a password. Regardless
> of whether passwords or fingerprints are used, we have to exchange
> references in both directions if we want mutual authentication.
>
> How short can we make the references? Ideally they should be short
> enough to read out over the phone or paste into IRC without getting
> kicked off the server. The IP address and port are 48 bits, and the
> fingerprint should be at least 32 bits (128 if we want decent security,
> but that would make the reference quite long).
>
> The whole reference could be encoded in base32, which is nearly as
> compact as base64 and easier to read out over the phone. That means a
> reference with a 32 bit fingerprint would be 16 characters including
> address and port - "ghw5 q63y aklt 24t3". A more secure reference with a
> 128 bit fingerprint would be 36 characters - "ghw5 q63y aklt 24t3 67ip
> 32yt sgqi 24od 5fan". That seems a bit unwieldy to me - what does
> everyone else think? Where should we draw the line between brevity and
> security?
>
> Cheers,
> Michael
As far as I know, many people are using the phone as a means to exchange
serial keys of software ... Some are over 30 characters long!
And anyway, the size doesn't matter that much, does it? ;)
NextGen$
PS: and yes I'm proud of my gibe :p
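The reference format worked out in the quoted message above, as an added example (not code from this thread or from the Freenet project): an IPv4 address and port packed together with a truncated key fingerprint, encoded in unpadded base32 and grouped in fours for reading aloud. The fingerprint is assumed to be a truncated SHA-256 of the key bytes, and the key itself is a constructed sample; the resulting lengths match the 16- and 36-character figures in the message.

```python
import base64
import hashlib
import ipaddress
import math
import struct


def fingerprint(pubkey: bytes, bits: int) -> bytes:
    """Assumed fingerprint: leading `bits` bits of SHA-256 over the key bytes."""
    return hashlib.sha256(pubkey).digest()[: bits // 8]


def reference_length(fingerprint_bits: int) -> int:
    """Base32 characters needed for 32-bit IPv4 + 16-bit port + fingerprint."""
    return math.ceil((32 + 16 + fingerprint_bits) / 5)


def encode_reference(ip: str, port: int, fp: bytes) -> str:
    """Pack address, port (big-endian) and fingerprint; base32 without padding,
    lowercase, split into groups of four so it can be read over the phone."""
    packed = ipaddress.IPv4Address(ip).packed + struct.pack(">H", port) + fp
    b32 = base64.b32encode(packed).decode("ascii").rstrip("=").lower()
    return " ".join(b32[i : i + 4] for i in range(0, len(b32), 4))


def decode_reference(ref: str):
    """Inverse of encode_reference: restore padding, then unpack the fields.
    Returns (ip, port, fingerprint_bytes)."""
    b32 = ref.replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # base32 input must be a multiple of 8 chars
    raw = base64.b32decode(b32)
    ip = str(ipaddress.IPv4Address(raw[:4]))
    port = struct.unpack(">H", raw[4:6])[0]
    return ip, port, raw[6:]


if __name__ == "__main__":
    key = b"constructed sample public key, not a real one"  # constructed input
    for bits in (32, 128):
        ref = encode_reference("192.0.2.10", 12345, fingerprint(key, bits))
        print(bits, "bit fingerprint ->", len(ref.replace(" ", "")), "chars:", ref)
```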