"Jan Peter Stotz" <jp_news@gmx.de> wrote in message
news:6cba4fld2e5q$.c28i8n1yqrzo$.dlg@40tude.net...
> Does anybody know such an algorithm?
As has already been pointed out, just shift things in your favor. If you
need to send a challenge, does each challenge have to be unique? Just
associate a random (or pseudo-random) number with a time frame; any queries
in that time frame get that number. One such example would be AES encrypting
the current time; to prevent MITM you could then sign the challenge (1 a
second is a trivial amount of work). Once you've vastly reduced the number
of possible challenges (DoS point 1), now you have to create an environment
where you have a staged relationship between server work and authentication;
this way the server can do 1% of the work to filter 99% of the fake logins.
Iterate this process and very quickly the odds are staggering (100
iterations would give you 100% of the work, but would give you a probability
of failure of ~1/2^665).
As for the other aspects you have brought up, Unruh is correct: just slow
things down. If you're worried about mass-brute force being applied to your
system, lock an account for 30 minutes when login fails 3 times, and block
IPs for 30 minutes as well. This would mean that to guess a passphrase (on a
single account) with 2^40 entropy would take on the order of 128 hours if
the attacker has every IP address on the internet, and by blocking IPs for
30 minutes that cause the account to block, you remove the ability of the
attacker to simply retarget to another account. For legitimate users the
blocked IP penalty will be small (since their account is blocked anyway),
but for an attacker it destroys an additional option.
Joe
Received on Mon May 1 02:06:14 2006
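Added example, not part of the original post: a sketch of the per-time-frame challenge described above, where the server derives the challenge from the clock and keeps no per-client state. Assumptions: HMAC-SHA256 from the Python standard library is swapped in for the AES encryption named in the post, the signing step is left out, and the key, the one-window skew allowance and all function names are constructed for illustration.

```python
import hashlib
import hmac

WINDOW_SECONDS = 1  # one challenge per second, the rate mentioned in the post
SERVER_KEY = b"constructed-demo-key"  # constructed sample key (assumption)
SKEW_WINDOWS = 1  # assumption: also accept the previous window's challenge


def window_index(now: float) -> int:
    """Map a timestamp to the time frame whose queries share one challenge."""
    return int(now // WINDOW_SECONDS)


def challenge_for_window(index: int, key: bytes = SERVER_KEY) -> bytes:
    """Keyed function of the window index (HMAC-SHA256 standing in for AES)."""
    return hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


def challenge_for(now: float, key: bytes = SERVER_KEY) -> bytes:
    """Challenge handed to every query arriving in the current time frame."""
    return challenge_for_window(window_index(now), key)


def is_live_challenge(challenge: bytes, now: float, key: bytes = SERVER_KEY) -> bool:
    """Recompute the acceptable challenges instead of storing issued ones."""
    current = window_index(now)
    live = False
    for index in range(max(current - SKEW_WINDOWS, 0), current + 1):
        # compare_digest keeps the comparison constant-time
        live |= hmac.compare_digest(challenge, challenge_for_window(index, key))
    return live


if __name__ == "__main__":
    t = 1146449174.25  # constructed timestamp
    c = challenge_for(t)
    print(c.hex(), is_live_challenge(c, t + 1), is_live_challenge(c, t + 2))
```

Because the challenge is a function of the key and the clock only, a flood of challenge requests costs the server one keyed hash per request and no memory.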