| 1 |
On Wed, Jun 24, 2015 at 5:29 AM, Helmut Jarausch |
| 2 |
<jarausch@××××××××××××××××.de> wrote: |
| 3 |
> |
| 4 |
> I wouldn't like to use an OTP generator on my smartphone because Big Brother might |
| 5 |
> watching me when I use this. |
| 6 |
> I feel like the German parliament which has been hacked by a foreign secrete service. |
| 7 |
> Parliamentarians have to resort to "classic" types of communication now. |
| 8 |
> |
| 9 |
> I'd prefer a solution where I carry the OTPs with me in printed form. |
| 10 |
> Is this possble with the google-authenticator, as well? |
| 11 |
> |
| 12 |
|
| 13 |
Well, the protocol for generating the TOTPs is standard: |
| 14 |
https://tools.ietf.org/html/rfc6238 |
| 15 |
|
| 16 |
I don't have any recommendations, but it seems like there are various |
| 17 |
dongles out there which generate the codes. There might be others |
| 18 |
around here that have a bit more experience with this but you could |
| 19 |
probably get them working. |
| 20 |
|
| 21 |
Pre-printed OTPs are a different matter, but they suffer from the |
| 22 |
obvious vulnerability that they can be copied (which is definitely a |
| 23 |
big contrast from a hardware OTP generator which is typically hardened |
| 24 |
against such attacks - having a code is basically proof that you have |
| 25 |
the device in your possession RIGHT NOW vs having had it in your |
| 26 |
possession at some time in the past). I used to use skey (which is |
| 27 |
packaged on Gentoo) for this. Skey uses OTPs which are sequential |
| 28 |
instead of time-based. You can use it in a challenge/response mode |
| 29 |
which requires software (such as on your phone), but you can also |
| 30 |
pre-print a big list of keys and carry them with you. When ssh asks |
| 31 |
you for key# 100 you look for it on the list and type it in. You can |
| 32 |
print more keys at any time as they get used up. |
| 33 |
|
| 34 |
The Yubikey is getting a lot of attention right now with protocols |
| 35 |
like U2F (as well as OTP). It is cheap and capable. The downside of |
| 36 |
the Ubikey is that I believe you can only use it if it is plugged into |
| 37 |
a USB port, and protocols like U2F are designed more around browsers |
| 38 |
than various other bits of software that authenticate (like POP, ssh, |
| 39 |
etc). However, I believe you can plug it into a PC, hit the button, |
| 40 |
and have it act as a keyboard and type in a TOTP. So, if you're |
| 41 |
sshing from PCs with USB ports that accept external keyboards it might |
| 42 |
be an option for you. |
| 43 |
|
| 44 |
I've been assuming that you're talking about ssh all along. That |
| 45 |
tends to work well since ssh clients generally support an interactive |
| 46 |
login with some kind of challenge/response or such. It breaks down |
| 47 |
for other protocols that don't have allowance for that like |
| 48 |
IMAP/POP/etc, unless you ditch the regular password and just pass the |
| 49 |
OTP as your password (and honestly I'm not sure how great an idea that |
| 50 |
is). And, of course, unless your mail client keeps the connection |
| 51 |
open that could get really painful anytime it checks for new mail. |
| 52 |
|
| 53 |
All that said, on the list of things I worry about each day, the |
| 54 |
"Google is secretly uploading data from my phone to their servers |
| 55 |
without telling/asking" fear is pretty low on the list. Google |
| 56 |
authenticator does not sync to any kind of central server, and its |
| 57 |
source is published. Sure, the OS could be spying on you, but so |
| 58 |
could your ethernet card or any number of other things. But, if you |
| 59 |
really want strong security an un-networked hardware token whose seed |
| 60 |
can be set by the user is probably your best bet. |
| 61 |
|
| 62 |
-- |
| 63 |
Rich |
Archives