Authentication Technologies
One-time passwords and token cards

One Time Passwords
Some remote logins send passwords over networks as clear text. An eavesdropper could capture these passwords and use them to gain unauthorized access to systems. One way to create passwords that can be safely sent over remote connections is to use a one-way hashing algorithm to create a one-time password scheme. This is what S/Key does.

S/Key uses either MD4 or MD5, one-way hashing algorithms developed by Ron Rivest, to create a one-time password system. In this system, passwords are still sent in clear text over the network. However, after a password has been used once, it is no longer useful to an eavesdropper. The biggest advantage of S/Key is that it protects against eavesdroppers without modification of client software and imposes only marginal inconvenience on the users.

The S/Key system involves three main components:

  • The client
  • The host
  • A password calculator

The client is responsible for providing the login shell to the user. It does not contain any persistent storage for password information. The host is responsible for processing the user login request. It stores the current one-time password as well as the login sequence number in a file. The host is also responsible for providing the client with a seed value. The password calculator is a one-way hashing function, which is defined as a function that loses information each time it is applied. The network protocol between the client and the host is completely independent of the scheme.
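The three components above, as an added example (not code from the original page or from the S/Key implementation): a minimal S/Key-style chain in Python. The hash step follows the MD5 variant of RFC 2289 (MD5, then fold the 16-byte digest to 8 bytes by XORing its halves); the six-word dictionary encoding of the result is omitted and raw bytes are compared instead. The seed, passphrase and chain length are constructed values.

```python
import hashlib
import secrets

# Added illustration of an S/Key-style one-time-password chain.
# One-way step: MD5, then fold to 64 bits as in RFC 2289 (MD5 variant).
# The six-word encoding of the OTP is left out; raw 8-byte values are used.


def fold64(digest: bytes) -> bytes:
    """Fold a 16-byte digest to 8 bytes by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def step(value: bytes) -> bytes:
    """One application of the one-way function (the password calculator's core)."""
    return fold64(hashlib.md5(value).digest())


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """Password number n: hash(seed || passphrase), then n further steps.
    Only the user's calculator knows the passphrase, so only it can produce
    the lower-numbered passwords the host will ask for next."""
    v = step((seed + passphrase).encode())
    for _ in range(n):
        v = step(v)
    return v


class Host:
    """The host stores the seed, the sequence number and the last accepted
    OTP. It never sees the passphrase; the user's calculator produces the
    initial value once at enrolment."""

    def __init__(self, seed: str, n: int, initial_otp: bytes) -> None:
        self.seed = seed
        self.seq = n
        self.last = initial_otp

    def challenge(self):
        """Sent to the client: the sequence number to compute and the seed."""
        if self.seq == 0:
            raise RuntimeError("chain exhausted; re-enrol with a new seed")
        return self.seq - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        """Accept only if one more step on the candidate reproduces the stored value.
        On success the candidate becomes the stored value, so a replayed
        password can no longer satisfy the check."""
        if self.seq == 0 or not secrets.compare_digest(step(candidate), self.last):
            return False
        self.last = candidate
        self.seq -= 1
        return True


def login(host: Host, passphrase: str) -> bool:
    """Client side: fetch (seq, seed), run the calculator, submit the result."""
    n, seed = host.challenge()
    return host.verify(otp(passphrase, seed, n))


if __name__ == "__main__":
    # Constructed enrolment values for the demonstration.
    seed, chain_len, passphrase = "ka1234", 100, "constructed passphrase"
    host = Host(seed, chain_len, otp(passphrase, seed, chain_len))
    print("first login:", login(host, passphrase))            # True
    captured = otp(passphrase, seed, 98)                       # what an eavesdropper saw
    print("next login:", host.verify(captured))                # True
    print("replay of captured:", host.verify(captured))        # False
```

Each accepted password lowers the sequence number, and the host only ever keeps the most recently accepted value, which is why a captured password cannot be reused and cannot be stepped backwards to the next one.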

Token Cards
Another one-time password authentication method, which adds a further layer of security, uses a token card or smart card together with a token server. Each token card, about the size of a credit card, is programmed to a specific user, and each user has a unique PIN that can generate a password keyed strictly to the corresponding card. Token cards and servers generally work as demonstrated in the following steps:

  1. The user generates a one-time password with the token card using a security algorithm.
  2. The user enters the one-time password into the authentication screen generated by the remote client, the Windows Dial-Up Networking screen in Figure .
  3. The remote client sends the one-time password to the token server via the network and a NAS.
  4. The token server uses the same algorithm to verify the password is correct and authenticates the remote user.

Token Card and Server Methods
Two token card and server methods are used:

  • Time-based
  • Challenge-response
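The two methods, and the four-step exchange above, as an added example in Python (not code from the original page or from any token card vendor). The time-based mode is the standard TOTP construction of RFC 6238 (HMAC-SHA1, 30-second step) so it can be checked against the RFC's published test vectors; the challenge-response mode is a constructed illustration that computes the same HMAC over a random server challenge. The shared secret is the RFC 4226 test key and the server class is an assumption of this example.

```python
import hashlib
import hmac
import secrets
import struct

# Added illustration. Time-based codes follow RFC 4226/6238 (HMAC-SHA1, 30 s step);
# the challenge-response variant is a constructed example, not a vendor algorithm.


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit value at the offset in the low nibble."""
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code (RFC 4226)."""
    return truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Time-based token: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def challenge_response(secret: bytes, challenge: bytes, digits: int = 6) -> str:
    """Challenge-response token: the server's random challenge is the HMAC message."""
    return truncate(hmac.new(secret, challenge, hashlib.sha1).digest(), digits)


class TokenServer:
    """Step 4 of the exchange: holds the same secret as the card and re-runs
    the same algorithm to check what the client forwarded."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_step = -1   # highest time step already accepted (blocks replay)
        self.pending = None   # outstanding challenge, single use

    def verify_time(self, code: str, now: int, skew: int = 1) -> bool:
        """Accept the current step or +/- skew steps, but never a step already used."""
        cur = now // 30
        for s in range(cur - skew, cur + skew + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False

    def new_challenge(self) -> bytes:
        """Issue a fresh random challenge for the card to sign."""
        self.pending = secrets.token_bytes(8)
        return self.pending

    def verify_response(self, code: str) -> bool:
        """Check the response against the open challenge, then retire the challenge."""
        if self.pending is None:
            return False
        ok = hmac.compare_digest(challenge_response(self.secret, self.pending), code)
        self.pending = None   # one shot: a replayed response meets no open challenge
        return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226/6238 test key
    print(totp(secret, 59, digits=8))         # 94287082 per RFC 6238
    srv = TokenServer(secret)
    card_code = totp(secret, 59)              # step 1: card generates the code
    print(srv.verify_time(card_code, 59))     # steps 2-4: server verifies -> True
    print(srv.verify_time(card_code, 59))     # replay of the same code -> False
    resp = challenge_response(secret, srv.new_challenge())
    print(srv.verify_response(resp))          # True
```

In the time-based mode the server tracks the highest step it has accepted, so a code captured on the wire is rejected even while it is still inside the clock-skew window; in the challenge-response mode the challenge is discarded after one check, so the captured response matches nothing the server is still waiting for.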
