One Time Passwords
Some remote logins send passwords
over networks as clear text. An eavesdropper could capture these passwords and
use them to gain unauthorized access to systems. One way to create passwords
that can be safely sent over remote connections is to use a one-way hashing
algorithm to create a one-time password scheme. This is what S/Key does.
S/Key uses either MD4 or MD5, one-way hashing algorithms developed by Ron
Rivest, to create a one-time password system. In this system, passwords are
sent in clear text over the network. However, after a password has been used,
it is no longer useful to the eavesdropper, because the next password cannot be
derived from it. The biggest advantage of S/Key is that it protects against
eavesdroppers without modification of client software and imposes only
marginal inconvenience on users.
The S/Key system involves three main components:
- The client
- The host
- A password calculator
The client is responsible for providing the login shell to the user. It
does not contain any persistent storage for password information. The host is
responsible for processing the user login request. It stores the current
one-time password as well as the login sequence number in a file. The host is
also responsible for providing the client with a seed value. The password
calculator is a one-way hashing function: a function that loses information
each time it is applied, so its output cannot be reversed to recover the
input. The network protocol between the client and the host is completely
independent of the scheme.
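The host/client/calculator split described above, as an added example that is not part of the original text or of any S/Key implementation. It models the RFC 1760 hash chain: the calculator applies the one-way function to the seed plus the user's secret, then repeatedly to its own output; the host stores only the last hash and the sequence number. The folding of the 16-byte digest to 8 bytes follows S/Key, but MD5 is used here (an assumption, so the example runs on any hashlib build) and the six-word encoding is omitted.

```python
import hashlib


def fold_hash(data: bytes) -> bytes:
    """One step of the one-way function: hash the input and fold the
    16-byte digest to 8 bytes by XOR-ing its halves (as S/Key does).
    MD5 instead of MD4 is an assumption for portability."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def compute_otp(secret: str, seed: str, n: int) -> bytes:
    """The password calculator: start from seed + secret, then apply the
    one-way function n more times. The secret never leaves this function."""
    value = fold_hash((seed + secret).encode())
    for _ in range(n):
        value = fold_hash(value)
    return value


class SKeyHost:
    """The host keeps the current (last accepted) hash and the sequence
    number per user, but never the secret itself."""

    def __init__(self, secret: str, seed: str, count: int):
        self.seed = seed
        self.sequence = count
        self.stored = compute_otp(secret, seed, count)
        del secret  # the host discards the secret after initialisation

    def challenge(self):
        """Tell the client which sequence number and seed to use."""
        return self.sequence - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        """Accept candidate only if hashing it once yields the stored value;
        then the candidate becomes the new stored value. A replayed
        password fails because the stored value has moved on."""
        if self.sequence <= 0:
            return False  # chain exhausted; user must re-initialise
        if fold_hash(candidate) != self.stored:
            return False
        self.stored = candidate
        self.sequence -= 1
        return True


def login_sequence(secret: str, seed: str, count: int, logins: int) -> list:
    """Constructed demo: run several logins and one replay of the first
    one-time password. Returns the list of verify() results."""
    host = SKeyHost(secret, seed, count)
    results = []
    first = None
    for _ in range(logins):
        n, s = host.challenge()
        otp = compute_otp(secret, s, n)  # sent in clear text
        first = first or otp
        results.append(host.verify(otp))
    results.append(host.verify(first))  # eavesdropper replays an old OTP
    return results


if __name__ == "__main__":
    print(login_sequence("correct horse battery", "sk001", 5, 3))
```

Each login consumes one link of the chain; after `count` logins the host refuses further attempts until the user re-initialises with a new seed and count, which is the operational cost the text calls "marginal inconvenience".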
Token Cards
Another one-time password authentication method that adds a new
layer of security uses a token card or smart card, and a token server. Each
token card, about the size of a credit card, is programmed to a specific user
and each user has a unique PIN that can generate a password keyed strictly to
the corresponding card. Token cards and servers generally work as demonstrated
in the following steps:
- The user generates a one-time password with the token card using a security
algorithm.
- The user enters the one-time password into the authentication screen
generated by the remote client, the Windows Dial-Up Networking screen in
Figure.
- The remote client sends the one-time password to the token server via the
network and a NAS.
- The token server uses the same algorithm to verify the password is correct
and authenticates the remote user.
Token Card and Server Methods
Two token card and server methods are used:
- Time-based
- Challenge-response
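The four-step token exchange above and the two methods just listed, as an added example that is not part of the original text or of any vendor's token product. Card and server run the same algorithm over a per-card key; the message the algorithm covers is what separates the two methods: the current time step for a time-based token, a server-issued nonce for a challenge-response token. Binding the PIN into the key, the HMAC-SHA1 construction, the 30-second step and the one-step clock skew are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import struct


def token_code(card_key: bytes, pin: str, message: bytes, digits: int = 6) -> str:
    """Shared card/server algorithm: HMAC over message with a key bound to
    this card and the user's PIN, truncated to a short decimal code.
    Mixing the PIN into the key is a modelling assumption."""
    key = hashlib.sha256(card_key + pin.encode()).digest()
    mac = hmac.new(key, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def time_step(now: float, step: int = 30) -> int:
    return int(now // step)


def time_based_code(card_key: bytes, pin: str, now: float, step: int = 30) -> str:
    """What a time-based card displays: the code for the current time step."""
    return token_code(card_key, pin, struct.pack(">Q", time_step(now, step)))


class TokenServer:
    def __init__(self):
        self.cards = {}    # user -> (card_key, pin)
        self.used = set()  # (user, time_step) already accepted: blocks replay
        self.pending = {}  # user -> outstanding challenge nonce

    def enroll(self, user: str, card_key: bytes, pin: str):
        self.cards[user] = (card_key, pin)

    def verify_time_based(self, user: str, code: str, now: float,
                          step: int = 30, skew: int = 1) -> bool:
        """Time-based: recompute the code for the current step and its
        neighbours (clock skew); accept each (user, step) only once."""
        if user not in self.cards:
            return False
        card_key, pin = self.cards[user]
        current = time_step(now, step)
        for t in range(current - skew, current + skew + 1):
            expected = token_code(card_key, pin, struct.pack(">Q", t))
            if hmac.compare_digest(expected, code) and (user, t) not in self.used:
                self.used.add((user, t))
                return True
        return False

    def challenge(self, user: str) -> bytes:
        """Challenge-response: issue a fresh random nonce for this login."""
        nonce = secrets.token_bytes(8)
        self.pending[user] = nonce
        return nonce

    def verify_response(self, user: str, code: str) -> bool:
        """The nonce is consumed on first use, so a captured response is
        useless for a later login."""
        nonce = self.pending.pop(user, None)
        if nonce is None or user not in self.cards:
            return False
        card_key, pin = self.cards[user]
        return hmac.compare_digest(token_code(card_key, pin, nonce), code)


if __name__ == "__main__":
    # constructed sample card: 16-byte key and PIN issued to user "bob"
    server = TokenServer()
    server.enroll("bob", b"\x01" * 16, "4821")
    now = 1_700_000_000
    code = time_based_code(b"\x01" * 16, "4821", now)
    print("time-based:", server.verify_time_based("bob", code, now))
    nonce = server.challenge("bob")
    print("challenge-response:", server.verify_response("bob", token_code(b"\x01" * 16, "4821", nonce)))
```

The `used` set and the one-shot nonce are the server-side pieces that make these codes truly one-time: the time-based code is otherwise valid for the whole window (here three steps), and a challenge-response code is only worthless to an eavesdropper if the server never repeats a nonce.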