Internet.com ISP-Planet
Beyond Passwords: Implementing The Vision — continued

by Lisa Phifer
VP Core Competence, Inc.
[April 5, 2005]

2. One-Time Passwords
Let's jump to the opposite end of the complexity (and security) spectrum to consider One-Time Passwords (OTPs). Password crackers rely upon reuse of the same password: cracking a password that is good for only a single use is of little practical value. OTPs capitalize on this by creating an authentication system in which each password can be presented for authentication just once. After an OTP is used, it can never be used again (or at least not any time soon).

OTP authentication systems rely upon a pre-defined relationship and synchronization between the user and the authentication server. A well-known, freely available OTP system is S/KEY, developed at Bellcore in the early '90s and documented in RFC 1760; it is the basis for RFC 2289, the IETF OTP standard. To initialize S/KEY, the user provides a secret pass-phrase (S) and the number of passwords to generate (N). A password generator combines S with a short, non-secret seed (a per-user salt, so that the same pass-phrase yields different chains on different servers) and hashes the result over and over, producing an ordered list of N passwords in which each password is the hash of the one before it. The server stores only the last value of the chain, never the pass-phrase. When the user tries to authenticate, the server sends a challenge carrying the seed and the index (N-1) of the password it expects next. The user either reads the (N-1)th value from a saved OTP list or enters the original pass-phrase into an S/KEY program that re-generates that hash value. The OTP is sent to the server, which hashes it once more and compares the result with the value it has stored: because the hash is one-way, the server can confirm that the user holds the (N-1)th value without being able to compute it itself. If authentic, the server replaces its stored value with the one just received and decrements the counter, so that next time the user will be prompted for hash value N-2, and so on, until the chain is exhausted and must be re-initialized with a new seed.

S/KEY utilities are freely available for virtually every operating system. S/KEY's successor, OPIE (One-time Passwords In Everything), is also available from many sources; many links are given in this NASA website list. Some remote access products include S/KEY authentication as an option; Citrix Online's GoToMyPC Corporate OTP generator is one example (shown in the article's accompanying screenshot).

Like "regular" passwords, OTP security depends on the strength (length and randomness) of the original secret (also called a pass-phrase), since anyone who guesses it can generate the entire chain. RFC 2289 advises pass-phrases of at least 10 characters, and as many as 63. Capturing an OTP on the wire does a passive eavesdropper no good: the value has already been consumed, and the one-way hash prevents working backward to the next one. OTPs can, however, be compromised by a race attack: an attacker who watches the user type most of a single OTP opens several connections of his own and tries the remaining characters, hoping to complete authentication before the legitimate user does. RFC 2289 therefore requires servers to prevent this, for example by refusing more than one simultaneous authentication attempt for the same user. The attack also depends on the system relying upon the OTP as its only authentication factor. Note, too, that an OTP protects only the login itself; it does nothing to protect the session that follows.
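The following Python is an added example, not code from the article, from S/KEY or from OPIE. It implements the RFC 2289 hash chain described above (the MD5 variant: hash, then XOR the two halves of the digest to 64 bits), the "otp-md5 <sequence> <seed>" challenge that the server sends, the client's response, and the server's one-attempt-at-a-time rule that defeats the race attack discussed in the preceding paragraph. The user name "alice" is a constructed sample; the pass-phrase "This is a test." with seed "TeSt" is the test vector from RFC 2289 Appendix C. Output is in RFC 2289's hexadecimal format rather than the six-word encoding real calculators usually display.

```python
"""RFC 2289 one-time passwords (the S/KEY scheme), MD5 variant.

Added example: hash chain, challenge/response, and the server-side rule
against concurrent attempts. "alice" is a constructed sample user;
pass-phrase "This is a test." with seed "TeSt" is the RFC 2289 test vector.
"""
import hashlib
import secrets
import string


def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 hash step: MD5, then XOR the two 64-bit halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """OTP number `count`: count 0 is one fold of seed+pass-phrase, and every
    higher count is one more fold of the previous value. The seed is
    case-insensitive and is lower-cased before use (RFC 2289)."""
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        value = fold_md5(value)
    return value


def to_hex(value: bytes) -> str:
    """RFC 2289 hexadecimal output: 16 hex digits in groups of four."""
    text = value.hex().upper()
    return " ".join(text[i:i + 4] for i in range(0, 16, 4))


def from_hex(text: str) -> bytes:
    return bytes.fromhex(text.replace(" ", ""))


def client_response(passphrase: str, challenge: str) -> str:
    """What the user's calculator does with a challenge line such as
    "otp-md5 99 test": regenerate OTP #99 from the pass-phrase and seed."""
    _algorithm, seq, seed = challenge.split()
    return to_hex(otp(passphrase, seed, int(seq)))


class OTPServer:
    """Holds, per user, the last accepted OTP and its sequence number.
    The pass-phrase itself is never stored, so the server can check
    OTPs but cannot generate them."""

    def __init__(self):
        self.users = {}          # user -> (sequence, seed, last accepted OTP)
        self.in_progress = set()  # users with an unanswered challenge

    def enroll(self, user, passphrase, n=100, seed=""):
        """Initialize: store OTP #n; the first challenge will ask for #n-1."""
        alphabet = string.ascii_lowercase + string.digits
        seed = (seed or "".join(secrets.choice(alphabet) for _ in range(8))).lower()
        self.users[user] = (n, seed, otp(passphrase, seed, n))
        return seed

    def challenge(self, user):
        seq, seed, _ = self.users[user]
        if seq == 0:
            raise RuntimeError("chain exhausted: re-initialize with a new seed")
        # Race-attack guard: only one authentication attempt per user at a time.
        if user in self.in_progress:
            raise RuntimeError("another authentication for this user is in progress")
        self.in_progress.add(user)
        return f"otp-md5 {seq - 1} {seed}"

    def verify(self, user, response):
        self.in_progress.discard(user)
        seq, seed, last_accepted = self.users[user]
        candidate = from_hex(response)
        # One more hash of the submitted OTP must equal the value we hold.
        if fold_md5(candidate) != last_accepted:
            return False
        self.users[user] = (seq - 1, seed, candidate)   # advance down the chain
        return True


def demo():
    """Enroll, log in once, replay the captured OTP, fetch the next challenge."""
    server = OTPServer()
    server.enroll("alice", "This is a test.", n=100, seed="TeSt")  # constructed user
    chal1 = server.challenge("alice")                 # "otp-md5 99 test"
    resp1 = client_response("This is a test.", chal1)
    first = server.verify("alice", resp1)             # True
    server.challenge("alice")
    replay = server.verify("alice", resp1)            # False: #99 is spent
    chal2 = server.challenge("alice")                 # "otp-md5 98 test"
    return {"challenge": chal1, "response": resp1, "first_login": first,
            "replay": replay, "next_challenge": chal2}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server holds only the most recently accepted value, so a stolen server database yields nothing that can be replayed, and a replay of an already-used OTP fails because one more hash of it no longer matches. The `in_progress` set is the simplest form of the concurrent-attempt rule; a networked server would need a real lock and a timeout so an abandoned challenge cannot deny service to the legitimate user.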

S/KEY and OPIE can be a rather inexpensive way to improve the security of password-based authentication. Client and server software may be free, and there's no client-side hardware to buy. However, one reason S/KEY and OPIE are not used more often is that they are unwieldy for end users. Finding OTP #35 on a printed list and typing a long string of odd characters correctly is harder than typing a plain old password. Running an OTP utility to re-generate #35 and pasting that hash into the login prompt may reduce typos, but it is still awkward, and it means typing the pass-phrase into the local machine, which had better be more trustworthy than the network the OTP is protecting against.

