tech-security: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]

Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]
To: None <tech-security@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-security
Date: 01/30/2000 23:06:00

  by redmail.netbsd.org with SMTP; 31 Jan 2000 04:06:06 -0000
	by Twig.Rodents.Montreal.QC.CA (8.8.8/8.8.8) id XAA07653;
	Sun, 30 Jan 2000 23:06:00 -0500 (EST)
Date: Sun, 30 Jan 2000 23:06:00 -0500 (EST)
From: der Mouse  <mouse@Rodents.Montreal.QC.CA>
Message-Id: <200001310406.XAA07653@Twig.Rodents.Montreal.QC.CA>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
To: tech-security@netbsd.org
Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database Vulnerability]

> The documentation only says [from skey(1)]:

>      S/Key uses 64 bits of information, transformed by the MD4 algorithm into
>      6 English words.

That documentation, then, is so loosely written I would hesitate to
trust it for *anything*, on the "what other mistakes am I *not*
competent to notice" principle.  (MD4's output is not English words!)

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B