Re: XOR passphrase with a constant
sci.crypt archive


From: Anne & Lynn Wheeler <lynn@garlic.com>
Date: Mon May 30 2005 - 22:51:43 CEST

"Andrew" <anelless@gmail.com> writes:
> If I have a list of 10,000 good passphrases (whatever you consider
> 'good' to be) and XOR all of them with a constant of equal or differing
> length, before passing them through a hash function, for example MD5 or
> SHA, is the task of producing a collision, assuming an attacker has
> gained access to the entire list, made any less computationally
> challenging?

one-time-password .... was supposed to allow a person to carry round
knowledge of a single passphrase ... and use it in multiple
environments w/o the end-user needing any additional baggage.

the basic idea was repeated hashing of the passphrase ... ... server
would record N and the Nth passphrase. when the user connected,
the server would send back N-1. the user would have the passphrase
repeatedly hashed N-1 and send it to the server. The server would
hash it one more time and compare it with the previously recorded
hash. If it compared, there was authentication ... the number would
be decremented by 1 and the most recent hash recorded.

this was improved by having the server provide a salt & the number for
the initialization ... and all subsequent iterations. the idea is that
different servers would provide different salts ... so that the end
users would be able to use the same passphrase for all environments.

supposedly this is resistant to MITM attacks w/o the end user having
to carry anything (other than the memory of the passphrase ... which
hopefully won't be entered on a compromised device).

the attack is for the MITM to intercept the salt and number and
substitute a one (or other sufficiently small value). The MITM gets
back the hash for the first round ... and then can iterate the hash
for the additional rounds for the correct number. MITM now has
information to generate correct authentication values for potentially
several hundred rounds (for a specific server).

a possible countermeasure is for the end-user to carry some baggage to
track what is going on ... like recording the most recent N that they
had seen ... to recognize unauthorized uses (N having been decremented
by more than it should have been). however, this violates the original
design point justifying the implementation. if the end-user is going
to be carrying some baggage to track things like previous hash
iterations ... then they might as well go with something like digital
signature and have the public key recorded (at the server) rather than
the Nth hash iteration of a passphrase.

couple past posts:
http://www.garlic.com/~lynn/2003m.html#50 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#0 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003o.html#46 What 'NSA'?

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
Received on Thu Sep 29 21:39:13 2005
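The salted hash-chain scheme the post describes (server keeps N and the Nth hash, challenges with N-1, hashes the response once to check it), together with the "remember the last N you saw" countermeasure, as an added example in Python. This is not code from the post or from any S/KEY implementation; SHA-256 as the hash, the salt and passphrase values, and the class and function names are all assumptions made here. The client that tracks rounds refuses a challenge whose round number has dropped by more than one, which is exactly the symptom the post says an end-user could use to recognise an intercepted challenge.

```python
import hashlib


def chain_hash(seed: bytes, n: int) -> bytes:
    """Return H^n(seed): the seed hashed n times with SHA-256 (n = 0 is the seed itself)."""
    h = seed
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h


def chain_seed(passphrase: str, salt: bytes) -> bytes:
    """Salted chain seed: a different salt per server yields a different chain
    from the same memorised passphrase, so one passphrase can serve many servers."""
    return hashlib.sha256(salt + passphrase.encode("utf-8")).digest()


class Server:
    """Holds only the salt, the current round N and H^N(seed); never the passphrase."""

    def __init__(self, salt: bytes, n: int, nth_hash: bytes):
        self.salt, self.n, self.stored = salt, n, nth_hash

    def challenge(self) -> tuple[bytes, int]:
        # Ask the user for round N-1.
        return self.salt, self.n - 1

    def verify(self, response: bytes) -> bool:
        # One more hash of the response must equal the stored Nth hash.
        if hashlib.sha256(response).digest() != self.stored:
            return False
        self.n -= 1          # decrement the round ...
        self.stored = response  # ... and record the most recent hash
        return True


class Client:
    """User side. With track_rounds=True the client carries the 'baggage'
    from the post: the last round number it answered for each salt."""

    def __init__(self, passphrase: str, track_rounds: bool = False):
        self.passphrase = passphrase
        self.track_rounds = track_rounds
        self.last_n: dict[bytes, int] = {}

    def remember(self, salt: bytes, n: int) -> None:
        self.last_n[salt] = n

    def respond(self, salt: bytes, n: int) -> bytes:
        if self.track_rounds:
            seen = self.last_n.get(salt)
            # A legitimate server only ever decrements by one per login; a
            # round number that has dropped further than that is a red flag.
            if seen is not None and n < seen - 1:
                raise ValueError(
                    f"round {n} requested but last seen round was {seen}: "
                    "challenge may have been altered in transit"
                )
            self.last_n[salt] = n
        return chain_hash(chain_seed(self.passphrase, salt), n)


def enroll(passphrase: str, salt: bytes, n: int, track_rounds: bool = False):
    """Initialise a server with H^n(seed) and a client that knows the passphrase."""
    client = Client(passphrase, track_rounds)
    server = Server(salt, n, chain_hash(chain_seed(passphrase, salt), n))
    client.remember(salt, n)
    return server, client


def authenticate(server: Server, client: Client) -> bool:
    """One full login round: challenge, response, verification."""
    salt, n = server.challenge()
    return server.verify(client.respond(salt, n))


def challenge_is_rejected(client: Client, salt: bytes, n: int) -> bool:
    """True if the client refuses to answer a challenge for round n."""
    try:
        client.respond(salt, n)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not from the post.
    SALT = b"example-server-salt"
    server, client = enroll("correct horse battery", SALT, 100, track_rounds=True)
    print("five logins:", [authenticate(server, client) for _ in range(5)], "N now", server.n)
    print("challenge for round 1 rejected:", challenge_is_rejected(client, SALT, 1))
```

Without round tracking the client answers any round number it is asked for, which is the property the post's attack relies on; with tracking the client has state to protect, and the post's conclusion is that once the user carries state anyway a public-key scheme is the better trade.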