S/Key (RFC 2289, 1998)

Authentication credentials.

  • A password (pwd).

The authenticator knows:

  • The last used one-time password (OTP).

  • The last used OTP index.

    • Defines an order among consecutive OTPs.

  • A seed value for each person’s OTPs.

    • The seed is similar to a UNIX salt.

Setup

The authenticator defines a random seed.

The person generates an initial OTP, OTP_n, by applying the hash function h n times in a row to the password combined with the seed (OTP_n = h(h(...h(pwd, seed)...)), n applications of h).

  • The original S/Key uses MD4 as h; RFC 2289 also specifies MD5 and SHA-1.

The authenticator stores seed, n and OTP_n as the authentication credentials; the password itself is never stored.

Authentication protocol

The authenticator sends the person's seed and current index.

  • They act as a challenge.

The person applies h index-1 times to the password and seed, generating OTP_1 … OTP_(index-1) in a row.

  • And returns the last one as the result.

  • result = OTP_(index-1).

The authenticator computes h(result) and compares it with the stored OTP_index.

  • If they match, the authentication succeeds.

  • Upon success, the authenticator stores the just-used index and OTP as its new state.

    • index-1 and OTP_(index-1).

Advantages

Users' passwords are unknown to authenticators.

OTPs can be typed wherever an ordinary password is expected (S/Key encodes each OTP as six short English words).

Disadvantages

People need an application to compute OTPs (or a printed list of precomputed ones).

Passwords can be recovered by offline dictionary attacks: a guessed password is hashed with the seed the required number of times and compared against a known OTP.

  • From data stored in authenticators (seed, n, OTP_n).

  • From captured protocol runs (seed, index, OTP_(index-1)).
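The setup and challenge/response exchange described above, together with the dictionary attack just listed, as an added Python example; this is not code from RFC 2289 or from any S/Key implementation. Assumptions: h is MD5 with the 128-bit digest folded to 64 bits by XOR, as RFC 2289 describes for its MD5 variant; the first hash input is the password followed by the seed (the RFC's exact byte layout is not reproduced); `Authenticator`, `run_protocol` and `dictionary_attack` are names chosen here; the word list is constructed.

```python
"""S/Key-style one-time passwords (the RFC 2289 scheme) as described on this page:
setup, challenge/response with state update, replay rejection, and the offline
dictionary attack on the authenticator's stored data.  Added illustration, not
code from RFC 2289 or any S/Key implementation."""
import hashlib
import os


def h(data: bytes) -> bytes:
    """One hash step h.  RFC 2289 allows MD4, MD5 or SHA-1 with the digest folded to
    64 bits; this example uses MD5 folded by XORing the high 8 bytes with the low 8.
    Concatenation order of pass phrase and seed (below) is an assumption."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(pwd: str, seed: str, i: int) -> bytes:
    """OTP_i = h applied i times to (pwd || seed)."""
    x = (pwd + seed).encode()
    for _ in range(i):
        x = h(x)
    return x


class Authenticator:
    """Server side: stores only seed, index n and OTP_n, never the password."""

    def __init__(self):
        self.db = {}  # user -> {"seed": str, "n": int, "otp": bytes}

    def setup(self, user: str, otp_n: bytes, seed: str, n: int) -> None:
        self.db[user] = {"seed": seed, "n": n, "otp": otp_n}

    def challenge(self, user: str):
        rec = self.db[user]
        if rec["n"] <= 1:
            # OTP_0 would be the raw pass phrase: re-seed before the chain runs out.
            raise ValueError("chain exhausted; run setup again with a new seed")
        return rec["seed"], rec["n"]

    def verify(self, user: str, response: bytes) -> bool:
        rec = self.db[user]
        if h(response) != rec["otp"]:  # h(OTP_(index-1)) must equal stored OTP_index
            return False
        rec["n"] -= 1                  # on success, move the state one step back
        rec["otp"] = response          # ... so the same OTP can never be accepted again
        return True


def client_response(pwd: str, seed: str, index: int) -> bytes:
    """Person's side: walk the chain index-1 steps and return OTP_(index-1)."""
    return otp(pwd, seed, index - 1)


def run_protocol(pwd: str = "correct horse", n: int = 5, logins: int = 3):
    """Setup followed by `logins` authentications and one replay attempt.
    Returns (per-login results, replay result, remaining index)."""
    auth = Authenticator()
    seed = os.urandom(4).hex()  # the authenticator picks a random seed
    auth.setup("alice", otp(pwd, seed, n), seed, n)
    results, last = [], None
    for _ in range(logins):
        seed, index = auth.challenge("alice")
        last = client_response(pwd, seed, index)
        results.append(auth.verify("alice", last))
    replay = auth.verify("alice", last)  # replaying the last OTP must fail
    return results, replay, auth.db["alice"]["n"]


def dictionary_attack(seed: str, n: int, otp_n: bytes, wordlist):
    """Offline attack from the authenticator's stored (seed, n, OTP_n).  A captured
    run (seed, index, OTP_(index-1)) is attacked identically with n = index - 1."""
    for cand in wordlist:
        if otp(cand, seed, n) == otp_n:
            return cand
    return None


if __name__ == "__main__":
    print(run_protocol())
    seed = "abcd"
    stolen = otp("password", seed, 5)  # constructed: what a compromised server holds
    print(dictionary_attack(seed, 5, stolen, ["letmein", "password", "hunter2"]))
```

The attack costs n hash evaluations per candidate, so a larger n barely slows it; only the entropy of the pass phrase matters, which is why RFC 2289 requires pass phrases of at least 10 characters.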
