Blunder Dome Sighting

Professor von Clueless in the Blunder Dome


Hangout for experimental confirmation and demonstration of software, computing, and networking. The exercises don't always work out. The professor is a bumbler and the laboratory assistant is a skanky dufus.

Saturday, March 26, 2005

Open Authentication: One-Time Passwords and Crypto-Hashing

ACM News Service: SHA-1 Flaw Seen as No Risk to One-Time Password Proposal.  I've seen several links to Mark Willoughby's 2005-03-22 Computerworld article and I passed over each one, thinking the title was self-explanatory and that I understood why SHA-1 is still usable based on Bruce Schneier's reporting on the topic.  Fortunately, I did glance over this TechNews summary in my regular scanning of that source.

Here's interesting material that you might have overlooked too, and that I want to examine as part of TROSTing development. The Initiative for Open Authentication (Oath!) has the vision of developing strong universal authentication: among all users, all devices, and all networks.  The consortium is out to produce a reference architecture based on existing "open standards."  (The term "leveraging" is used, so your credibility may vary.)

Vision is vision, and some of this may end up being a solution looking to reword the problem, but the effort is interesting to me, especially because the authentication part is based on Hashed Message Authentication Codes (HMACs) and what are called one-time passwords.  The scheme is based on SHA-1.  There is a very weird statement that this use is less vulnerable to connived collisions because only a small selection of the 60-bit hash are used, and that claim left my jaw hanging open.  There is more to the protocol than that, unless information theory has failed.

And I remain interested because I want to know how this might work with persistent entities (some of the everythings that the vision is intended to embrace).  The one-time password scheme is being proposed to the IETF and there is expected to be a standards-track adoption real-soon-now.

The question will be, as always, how trust is established and recognized with all of these wondrous technical mechanisms in place, and how symmetrical can that trust arrangement be? We seem to forget that one can also connive an unreliable application atop a reliable protocol, and this may matter more.
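The HMAC-and-truncation construction discussed above, as an added example that is not part of the original post: it computes a counter-based one-time password with HMAC-SHA-1 and shows that the truncation step keeps only 31 bits of the 160-bit MAC, while the output still depends on the shared secret. It assumes the proposal is the algorithm later published as RFC 4226 (HOTP); the function names, the look-ahead window of 3, and the use of the RFC's published test secret are choices made for this illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (assumed to follow RFC 4226)."""
    # The MAC is keyed with the shared secret; the message is the 8-byte counter.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window
    # inside the 20-byte (160-bit) MAC; the top bit of that window is masked off.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_counter: int, window: int = 3):
    """Server side: return the next counter to store, or None if rejected.

    Only counters at or after server_counter are tried, so a password that
    was already accepted (a replay) cannot match again.
    """
    for c in range(server_counter, server_counter + window + 1):
        expected = hotp(secret, c)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return c + 1
    return None


if __name__ == "__main__":
    # Test secret published in RFC 4226; never use it outside of tests.
    secret = b"12345678901234567890"
    for counter in range(3):
        print(counter, hotp(secret, counter))
    # Token is two presses ahead of the server: accepted, counter resyncs.
    print("resync to", verify(secret, hotp(secret, 3), server_counter=1))
    # A password for an already-consumed counter is rejected.
    print("replay ->", verify(secret, hotp(secret, 0), server_counter=1))
```
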

 

template created 2004-06-17-20:01 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 06-11-30 21:40 $
$$Revision: 20 $