The S/KEY One-Time Password System
RFC 1760
|
Document |
Type |
|
RFC - Informational
(February 1995; Errata)
|
|
Author |
|
Neil Haller
|
|
Last updated |
|
2020-04-14
|
|
Stream |
|
Legacy
|
|
Formats |
|
plain text
html
pdf
htmlized
bibtex
|
Stream |
Legacy state
|
|
(None)
|
|
Consensus Boilerplate |
|
Unknown
|
|
RFC Editor Note |
|
(None)
|
IESG |
IESG state |
|
RFC 1760 (Informational)
|
|
Telechat date |
|
|
|
Responsible AD |
|
(None)
|
|
Send notices to |
|
(None)
|
Network Working Group N. Haller
Request for Comments: 1760 Bellcore
Category: Informational February 1995
The S/KEY One-Time Password System
Status of this Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
Abstract
This document describes the S/KEY* One-Time Password system as
released for public use by Bellcore and as described in reference
[3]. A reference implementation and documentation are available by
anonymous ftp from ftp.bellcore.com in the directories pub/nmh/...
Overview
One form of attack on computing system connected to the Internet is
eavesdropping on network connections to obtain login id's and
passwords of legitimate users. The captured login id and password
are, at a later time, used gain access to the system. The S/KEY
One-Time Password system is designed to counter this type of attack,
called a replay attack.
With the S/KEY system, only a single use password ever crosses the
network. The user's secret pass-phrase never crosses the network at
any time, including during login or when executing other commands
requiring authentication such as the UNIX commands passwd or su.
Thus, it is not vulnerable to eavesdropping/replay attacks. Added
security is provided by the property that no secret information need
be stored on any system, including the host being protected.
The S/KEY system protects against external passive attacks against
the authentication subsystem. It does not prevent a network
eavesdropper from gaining access to private information, and does not
provide protection against "inside jobs" or against active attacks
where the potential intruder as able to intercept and modify the
packet stream.
Haller [Page 1]
RFC 1760 The S/KEY One-Time Password System February 1995
Introduction
There are two sides to the operation of the S/KEY one-time password
system. On the client side, the appropriate one-time password must
be generated. On the host side, the server must verify the one-time
password and permit the secure changing of the user's secret pass-
phrase.
An S/KEY system client passes the user's secret pass-phrase through
multiple applications of a secure hash function to produce a one-time
password. On each use, the number of applications is reduced by one.
Thus a unique sequence of passwords is generated. The S/KEY system
host verifies the one-time password by making one pass though the
secure hash function and comparing the result with the previous one-
time password. This technique was first suggested by Leslie Lamport
[1].
Secure Hash Function
A secure hash function is a function that is easy to compute in the
forward direction, but computationally infeasible to invert. The
S/KEY system is based on the MD4 Message Digest algorithm designed by
Ronald Rivest [2]. Since the S/KEY authentication system went into
use, the MD5 Message Digest was released. We have chosen to continue
to use MD4 due the large number of client programs that have been
distributed. Some sites have generated functionally similar systems
based on MD5. Clearly clients and hosts must use the same secure
hash function to interoperate.
The S/KEY system one-time passwords are 64 bits in length. This is
believed to be long enough to be secure and short enough to be
manually entered (see below, Form of Passwords) when necessary.
The S/KEY system applies the secure hash function multiple times,
producing a 64 bit final output. MD4 accepts an arbitrary number of
bits as input and produces a 128 bit output. The S/KEY secure hash
function consists of applying MD4 to a 64 bit input and folding the
output of MD4 with exclusive or to produce a 64 bit output.
Generation of One-Time Passwords
This section describes the computation of the S/KEY one-time
passwords. It consists of a preparatory step in which all inputs are
combined, a generation step where the secure hash function is applied
multiple times, and an output function where the 64 bit one-time
Haller [Page 2]
RFC 1760 The S/KEY One-Time Password System February 1995
password is displayed in readable form.
The client's secret pass phrase may be of any length and should be
more than eight characters. As the S/KEY secure hash function
described above accepts a 64 bit input, a preparatory step is needed.
In this step, the pass phrase is concatenated with a seed that is
transmitted from the server in clear text. This non-secret seed
Show full document text