How does TOTP stop the zombies from getting your token and using it?
On Tue, Mar 24, 2015 at 4:09 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
I think you missed the point here, it does not works around the
problem.
If you make use of linotp or whatever app with HOTP. You generate event
based tokens and this is how the workflow works:
1. You generate the event based tokens
2. Send to the server
3. Server validates
In a not so awesome world, this is what could happen
1. You generate the event based tokens
2. Send to the server
3. Zombies intercept and collect your token, sending the HTTP response
"invalid token". Forcing you to provide more valid tokens.
4. Zombies make use of your tokens whenever they want.
So unless we have a good use case scenario rather than just "we use it
internally" and Android team also agreed on it. I don't see HOTP happening.
On Tue, Mar 24, 2015 at 11:27 AM, Erik Jan de Wit <edewit(a)redhat.com>
wrote:
> Internally we make use of HOTP (via linotp) for our VPN and it works
> around the problem of the long lived tokens by letting you use it only
> once. The difference in implementation is not so great, it wouldn't take
> long to build it in fact I've already created a PR for the java project.
>
>
https://github.com/aerogear/aerogear-otp-java/pull/16
>
> On Tue, Mar 24, 2015 at 2:28 PM, Bruno Oliveira <bruno(a)abstractj.org>
> wrote:
>
>> Good morning Erik, I'm not against the implementation, but I have some
>> considerations.
>>
>> As you might know TOTP is short-lived, which means that they only apply
>> for certain amount of time, while HOTP is long-lived, which means that
>> someone eavesdropping the network could collect several HOTPs and reuse
>> then later.
>>
>> Other thing to keep in mind is how to demo HOTP, at the moment we don't
>> have a server neither bandwidth do implement one.
>>
>> Implement it or not it's up to you, but I would like to make sure that
>> you're aware about the issues with HOTP.
>>
>> On 2015-03-23, Erik Jan de Wit wrote:
>> > Hi,
>> >
>> > I was adding otp support for windows and that started to make me
>> wonder if
>> > it would be nice to add HOTP as well as TOTP for instance our linotp
>> server
>> > uses this. The only difference between the two is that HOTP uses a
>> counter
>> > that is incremented and TOTP is time based. So it would be fairly easy
>> to
>> > implement and for instance on windows there aren't any apps that
>> support
>> > both.
>> >
>> > Wdyt?
>> >
>> > --
>> > Cheers,
>> > Erik Jan
>>
>> > _______________________________________________
>> > aerogear-dev mailing list
>> > aerogear-dev(a)lists.jboss.org
>> >
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>> --
>>
>> abstractj
>> PGP: 0x84DC9914
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>
>
>
> --
> Cheers,
> Erik Jan
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
--
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev