Site home page
(news and notices)

Get alerts when Linktionary is updated

Book updates and addendums

Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)

Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!

Contribute to this site

Electronic licensing info



One-Time Password Authentication

Related Entries    Web Links    New/Updated Information

Search Linktionary (powered by FreeFind)

Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

A basic authentication scheme is for a server to request a password from the client. The client types the password and sends it over the wire to the server. This technique is vulnerable to eavesdroppers who may be monitoring the line with sniffers and network analyzers. Captured information can be used by a hacker in what is called a "replay attack" to illegally log on to a system. Even an encrypted password can be used in this manner.

A challenge/response is a security mechanism for verifying the identity of a user or system without the need to send the actual password across the wire. The server sends a challenge, which is a string of alpha or numeric characters, to a client. This client then combines the string with its password and, from this, a new password is generated. The new password is sent to the server. If the server can generate the same password from the challenge it sent the client and the client's password, then the client must be authentic. See "CHAP (Challenge Handshake Authentication Protocol)."

An OTP (one-time password) system generates a series of passwords that are used to log on to a specific system. Once one of the passwords is used, it cannot be used again. The logon system will always expect a new one-time password at the next logon. This is done by decrementing a sequence number. Therefore, the possibility of replay attacks is eliminated.

The series of passwords is created by the client, which combines a seed value with a secret password that only the client knows. This combination is then run through either the MD4 or MD5 hash functions repeatedly to generate the sequence of passwords.

Smart cards and token-based authentication methods use one time passwords. The IETF has developed an OTP that is based on the earlier Bellcore S/KEY one-time password system. A number of Internet RFCs discuss one-time passwords. These include RFC 1760 (The S/KEY One-Time Password System, February 1995), RFC 2243 (OTP Extended Responses, November 1997), RFC 2289 (A One-Time Password System, February 1998), and RFC 2444 (The One-Time- Password SASL Mechanism, October 1998). Also see RFC 1511 (Common Authentication Technology Overview, September 1993), RFC 1704 (On Internet Authentication, October 1994), and RFC 2401 (Security Architecture for the Internet Protocol, November 1998).

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.