S/KEY: Difference between revisions

Revision as of 01:12, 7 November 2004

The S/KEY One-Time Password system originally came from Bellcore and is described in RFC 1760. It further evolved through RFC 1938 and RFC 2289 under the name "A One-Time Password System". The system uses a cryptographically strong hash function to generate a sequence of One-Time Passwords from a passphrase and a system identifier or seed. There are several possible hash functions that can be used with the system — MD-4, MD-5 and SHA-1 — but only MD-5 is mandatory to support.

The output of the hash function is not used directly but rather folded down to 64 bits and then either entered as a hex string or transformed to the so-called Six Word Format. For this a dictionary of 2048 short (mostly English) words is used, giving 11 bits per word. Six words make up the representation of the hash function's output. The additional two bits are used to store a simple checksum. An example of a resulting password is TORN ACID SAD VAN RUM BEN.

Let's define the hash function to be used as , where is the folding applied, is the original secure hash function (e.g. MD-4, MD-5 or SHA-1) and is the string concatenation.

The folding function must shorten the result of (either 128 bits for MD-4 and MD-5, or 160 bits for SHA-1) down to a fixed size of 64 bits. This is done by XOR'ing the first and the last halves of the hash for MD-4 and MD-5 and in a similar fashion for SHA-1. See the aforementioned RFC for details.

Initialization

The system must be initialized before it can be used. During this process a seed (also called system identifier) is generated which can be between 1 and 16 characters in length and may for example be made up of the host name's first few characters and some random numbers. The seed should be different for each system the same passphrase is used on and should not be reused during successive initializations (at least as long as the passphrase is not changed).

During the initialization step the user must choose a password or passphrase () which should be at least 10 characters long and must be kept secret. Reusing the same passphrase on different systems should be safe, as long as the seeds differ from each other.

A further parameter chosen during initialization is the initial sequence number or iteration count. A good choice would for example be 100. This number is decremented at each authentication, and the system must be reinitialized once the sequence number reaches zero.

When initializing the system, a value <math>h_I</math> is computed, where <math>I</math> is the initial sequence number. The computation is done through:

This value is stored together with the seed and the sequence number somewhere on the host that is to be authenticated to. As the passphrase must not be exposed to any attacker, the calculation should be done on a trustworthy system over a secure connection. The <math>h_I</math> itself, however, does not need to be kept secret.

Authentication

When authentication is desired the host transmits a challenge to the user which consists of the <math>seed</math> and <math>n-1</math> (where <math>h_n</math> is the hash value that is stored on the host) and also mentions the <math>H_o</math> to be used. The user then computes <math>h_{n-1}</math> and transmits this hash to the host. The host computes <math>H(h_{n-1}, seed)</math> and compares this value with the one in its storage. The user is authenticated if the result matches, in which case <math>h_{n-1}</math> and <math>n-1</math> are stored on the host (replacing <math>h_n</math> and <math>n</math>). Otherwise the authentication fails. Because <math>H</math> is one-way, an eavesdropper who captures <math>h_{n-1}</math> learns only the password that has just been used up and cannot derive <math>h_{n-2}</math>, the next one.
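As an added example (not code from the original article), the chain from the Initialization section and the host-side check from the Authentication section, in Python with the mandatory MD5 variant. It follows RFC 2289, where the case-folded seed is mixed in only at the initial step and every later step hashes the previous 64-bit value; the passphrase, seed and hash-name strings are constructed values, and the six-word step stops at the dictionary indices because the 2048-word list is not reproduced here.

```python
import hashlib
import hmac


def fold_md5(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits: XOR the first half with the last half."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_step(x: bytes) -> bytes:
    """One chain step H(x) = fold(MD5(x)), applied to the previous 8-byte value."""
    return fold_md5(hashlib.md5(x).digest())


def skey_otp(passphrase: str, seed: str, n: int) -> bytes:
    """h_n: seed (lower-cased) enters only at the initial step, then H is applied n times."""
    h = fold_md5(hashlib.md5((passphrase + seed.lower()).encode()).digest())
    for _ in range(n):
        h = skey_step(h)
    return h


def six_word_indices(h: bytes) -> list:
    """Append the 2-bit checksum (sum of bit pairs mod 4) and cut 66 bits into six 11-bit indices."""
    v = int.from_bytes(h, "big")
    checksum = sum((v >> i) & 3 for i in range(0, 64, 2)) & 3
    v = (v << 2) | checksum
    return [(v >> (55 - 11 * i)) & 0x7FF for i in range(6)]


class SkeyHost:
    """Host side: stores seed, sequence number and h_n only; the passphrase never reaches it."""

    def __init__(self, seed: str, n: int, h_n: bytes):
        self.seed, self.n, self.h_n = seed, n, h_n

    def challenge(self):
        """What the host sends: the count to respond with, the seed and the hash to use."""
        return (self.n - 1, self.seed, "otp-md5")

    def verify(self, response: bytes) -> bool:
        """Accept h_{n-1} iff H(h_{n-1}) equals the stored h_n, then step the stored state down."""
        if self.n <= 0:
            return False  # chain exhausted: the system must be reinitialised
        if not hmac.compare_digest(skey_step(response), self.h_n):
            return False
        self.h_n, self.n = response, self.n - 1
        return True
```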