[aerogear-dev] OTP

Erik Jan de Wit edewit at redhat.com
Tue Mar 24 11:14:31 EDT 2015


How does TOTP stop the zombies from getting your token and using it?

On Tue, Mar 24, 2015 at 4:09 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> I think you missed the point here; it does not work around the problem.
> If you make use of linotp or whatever app with HOTP. You generate event
> based tokens and this is how the workflow works:
>
> 1. You generate the event based tokens
> 2. Send to the server
> 3. Server validates
>
> In a not so awesome world, this is what could happen
>
> 1. You generate the event based tokens
> 2. Send to the server
> 3. Zombies intercept and collect your token, sending the HTTP response
> "invalid token". Forcing you to provide more valid tokens.
> 4. Zombies make use of your tokens whenever they want.
>
> So unless we have a good use case scenario rather than just "we use it
> internally" and the Android team also agrees on it, I don't see HOTP happening.
>
> On Tue, Mar 24, 2015 at 11:27 AM, Erik Jan de Wit <edewit at redhat.com>
> wrote:
>
>> Internally we make use of HOTP (via linotp) for our VPN and it works
>> around the problem of the long-lived tokens by letting you use each one only
>> once. The difference in implementation is not so great; it wouldn't take
>> long to build it. In fact, I've already created a PR for the java project.
>>
>> https://github.com/aerogear/aerogear-otp-java/pull/16
>>
>> On Tue, Mar 24, 2015 at 2:28 PM, Bruno Oliveira <bruno at abstractj.org>
>> wrote:
>>
>>> Good morning Erik, I'm not against the implementation, but I have some
>>> considerations.
>>>
>>> As you might know, TOTP is short-lived, which means that they only apply
>>> for a certain amount of time, while HOTP is long-lived, which means that
>>> someone eavesdropping on the network could collect several HOTPs and reuse
>>> them later.
>>>
>>> Another thing to keep in mind is how to demo HOTP; at the moment we don't
>>> have a server nor the bandwidth to implement one.
>>>
>>> Implementing it or not is up to you, but I would like to make sure that
>>> you're aware of the issues with HOTP.
>>>
>>> On 2015-03-23, Erik Jan de Wit wrote:
>>> > Hi,
>>> >
>>> > I was adding otp support for windows and that started to make me
>>> > wonder if it would be nice to add HOTP as well as TOTP; for instance, our
>>> > linotp server uses this. The only difference between the two is that HOTP
>>> > uses a counter that is incremented and TOTP is time based. So it would be
>>> > fairly easy to implement, and for instance on windows there aren't any
>>> > apps that support both.
>>> >
>>> > Wdyt?
>>> >
>>> > --
>>> > Cheers,
>>> >        Erik Jan
>>>
>>> > _______________________________________________
>>> > aerogear-dev mailing list
>>> > aerogear-dev at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>
>>>
>>> --
>>>
>>> abstractj
>>> PGP: 0x84DC9914
>>>
>>
>>
>>
>> --
>> Cheers,
>>        Erik Jan
>>
>>
>
>
>
> --
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
>



-- 
Cheers,
       Erik Jan
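Added example, not code from this thread, from aerogear-otp-java or from linotp: the two algorithms the thread compares, written out from RFC 4226 (HOTP) and RFC 6238 (TOTP), each with a minimal server-side verifier, and a replay of the "invalid token" scenario Bruno describes. The secrets are the public test-vector secrets from the RFCs; `HotpVerifier`, `TotpVerifier`, the look-ahead window of 5 and the two `*_demo` functions are constructed for illustration.

```python
"""HOTP (RFC 4226) vs. TOTP (RFC 6238): generation plus a minimal server-side check.

Constructed example. RFC4226_SECRET / RFC6238_SECRET are the public test-vector
secrets from the RFCs; HotpVerifier, TotpVerifier and the *_demo functions are
illustrative names, not part of aerogear-otp-java or linotp.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"   # RFC 4226 appendix D test secret
RFC6238_SECRET = b"12345678901234567890"   # RFC 6238 appendix B test secret (SHA-1)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side of HOTP: tracks the next expected counter, resyncs within a look-ahead window."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0            # next counter value the server has not yet seen
        self.look_ahead = look_ahead

    def verify(self, token: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), token):
                self.counter = c + 1  # burn this counter and everything below it
                return True
        return False


class TotpVerifier:
    """Server side of TOTP: accepts the current step +/- skew, never the same step twice."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_step = -1         # highest time step already redeemed

    def verify(self, token: str, now: int) -> bool:
        current = now // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_step:
                continue            # replay of an already-used step
            if hmac.compare_digest(hotp(self.secret, s), token):
                self.last_step = s
                return True
        return False


def hotp_replay_demo(secret: bytes = RFC4226_SECRET) -> list:
    """Tokens for counters 0..2 are generated but never reach the server (the
    'invalid token' trick from the thread), so the server counter stays at 0.
    Presented later, all three are still accepted; only a reuse is rejected."""
    server = HotpVerifier(secret)
    collected = [hotp(secret, c) for c in range(3)]   # intercepted, server never saw them
    results = [server.verify(t) for t in collected]   # replayed later, in order
    results.append(server.verify(collected[0]))       # counter 0 is now burned
    return results   # [True, True, True, False]


def totp_replay_demo(secret: bytes = RFC6238_SECRET, captured_at: int = 1111111109,
                     delay: int = 300) -> bool:
    """A TOTP captured at one moment and replayed five minutes later is outside the window."""
    server = TotpVerifier(secret)
    captured = totp(secret, captured_at)
    return server.verify(captured, captured_at + delay)   # False


if __name__ == "__main__":
    print("HOTP counter 0 ->", hotp(RFC4226_SECRET, 0))                 # 755224 per RFC 4226
    print("TOTP t=59, 8 digits ->", totp(RFC6238_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("HOTP replay of collected tokens:", hotp_replay_demo())
    print("TOTP replay after 5 minutes:", totp_replay_demo())
```

The point the thread argues is visible in the two demos: an HOTP server can only burn counters it has actually seen, so tokens diverted before they reach it remain valid until the counter catches up (the look-ahead window bounds how far, but not for how long), whereas a TOTP server rejects a token as soon as its time step leaves the skew window, and the `last_step` record stops a second use within the window.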