On Wed, Jun 24, 2015 at 5:29 AM, Helmut Jarausch
<jarausch@××××××××××××××××.de> wrote:
>
> I wouldn't like to use an OTP generator on my smartphone because Big Brother might
> be watching me when I use this.
> I feel like the German parliament, which has been hacked by a foreign secret service.
> Parliamentarians have to resort to "classic" types of communication now.
>
> I'd prefer a solution where I carry the OTPs with me in printed form.
> Is this possible with the google-authenticator, as well?
>

Well, the protocol for generating the TOTPs is standard:
https://tools.ietf.org/html/rfc6238

I don't have any recommendations, but it seems like there are various
dongles out there which generate the codes. There might be others
around here that have a bit more experience with this, but you could
probably get them working.

Pre-printed OTPs are a different matter, but they suffer from the
obvious vulnerability that they can be copied (which is definitely a
big contrast from a hardware OTP generator, which is typically hardened
against such attacks - having a code is basically proof that you have
the device in your possession RIGHT NOW vs having had it in your
possession at some time in the past). I used to use skey (which is
packaged on Gentoo) for this. Skey uses OTPs which are sequential
instead of time-based. You can use it in a challenge/response mode
which requires software (such as on your phone), but you can also
pre-print a big list of keys and carry them with you. When ssh asks
you for key #100 you look for it on the list and type it in. You can
print more keys at any time as they get used up.

The Yubikey is getting a lot of attention right now with protocols
like U2F (as well as OTP). It is cheap and capable. The downside of
the Yubikey is that I believe you can only use it if it is plugged into
a USB port, and protocols like U2F are designed more around browsers
than various other bits of software that authenticate (like POP, ssh,
etc). However, I believe you can plug it into a PC, hit the button,
and have it act as a keyboard and type in a TOTP. So, if you're
sshing from PCs with USB ports that accept external keyboards, it might
be an option for you.

I've been assuming that you're talking about ssh all along. That
tends to work well since ssh clients generally support an interactive
login with some kind of challenge/response or such. It breaks down
for other protocols that don't have allowance for that, like
IMAP/POP/etc, unless you ditch the regular password and just pass the
OTP as your password (and honestly I'm not sure how great an idea that
is). And, of course, unless your mail client keeps the connection
open, that could get really painful anytime it checks for new mail.

All that said, on the list of things I worry about each day, the
"Google is secretly uploading data from my phone to their servers
without telling/asking" fear is pretty low on the list. Google
authenticator does not sync to any kind of central server, and its
source is published. Sure, the OS could be spying on you, but so
could your ethernet card or any number of other things. But, if you
really want strong security, an un-networked hardware token whose seed
can be set by the user is probably your best bet.

--
Rich
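The two schemes the reply contrasts, the standard time-based TOTP of RFC 6238 and an S/Key-style sequential chain that can be printed as a list, written out side by side as an added example. This is not code from the original post, from Google Authenticator or from the skey package. The RFC 4226/6238 test-vector seed is used for TOTP; for the chain, SHA-256 truncated to 8 bytes and hex-encoded codes are simplifications assumed here (real skey folds MD4 to 64 bits and prints six short words), and the enrolment seed is constructed, not a real secret.

```python
"""TOTP (RFC 6238) next to an S/Key-style sequential hash chain.
Added example; not code from the post, Google Authenticator or skey."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then the RFC's dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step).
    Any device holding the same seed and a clock produces the same code,
    so a phone app, a dongle and a server agree without ever talking."""
    return hotp(secret, unix_time // step, digits)


# --- S/Key-style sequential OTPs -------------------------------------------

def h(x: bytes) -> bytes:
    """One link of the chain. SHA-256 truncated to 8 bytes is an assumption
    made for this example; skey itself folds MD4 to 64 bits."""
    return hashlib.sha256(x).digest()[:8]


class SKeyServer:
    """Server side keeps only (index, last verified hash). A code for key #k
    is accepted iff h(code) equals the stored x_{k+1}; the stored value then
    becomes x_k, so each code works exactly once and only in order."""

    def __init__(self, index: int, top: bytes):
        self.index = index
        self.current = top

    def challenge(self) -> int:
        """Key number to ask for, i.e. the 'key #99' prompt at login."""
        return self.index - 1

    def verify(self, typed: str) -> bool:
        if self.index <= 1:
            return False          # list used up; enrol a fresh chain
        try:
            code = bytes.fromhex(typed)
        except ValueError:
            return False
        if h(code) != self.current:
            return False          # wrong code, replayed code, or out of order
        self.current = code
        self.index -= 1
        return True


def skey_enroll(seed: bytes, n: int):
    """Build x_1 = h(seed), x_k = h(x_{k-1}) up to x_n. Returns the server's
    initial state (n, x_n) and the printable list: key numbers 1..n-1 mapped
    to hex codes. The server never learns the seed or the list."""
    chain = []
    x = seed
    for _ in range(n):
        x = h(x)
        chain.append(x)
    printed = {k: chain[k - 1].hex() for k in range(1, n)}
    return SKeyServer(n, chain[-1]), printed


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"        # RFC 4226/6238 test-vector seed
    print("TOTP at t=59:", totp(rfc_secret, 59, digits=8))  # 94287082 per RFC 6238

    server, printed = skey_enroll(b"constructed seed, not a real one", 100)
    k = server.challenge()                                  # 99
    print("login ok:", server.verify(printed[k]))           # True
    print("replay ok:", server.verify(printed[k]))          # False, window moved
    # Anyone holding a photocopy of the list can answer the next prompt too,
    # which is the copying weakness contrasted with a hardware token above.
    print("copy ok:", server.verify(printed[server.challenge()]))  # True
```

The server stores nothing that lets it produce codes itself, only the hash it expects next, which is why a captured code is useless once it has been used. The same property is what makes the printed list weak in the way the post describes: a copy of the unused part of the list is exactly as good as the original.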