Full Disclosure: Re: One-Time Pad Authentication

[Eric Rescorla <ekr () rtfm com>]

"Jonathan A. Zdziarski" <jonathan () nuclearelephant com> writes:

> Before I write this thing, I wanted to check and see if anyone on the
> list knows if such a tool already exists in the open-source community. 
> I've done some google and freshmeat searches but didn't find anything
> that seemed to fit the bill.  The closest thing I found was E-Pad which
> seems to be more related to file encryption than authentication.
>
> I'm interested in coding a one-time pad authentication system; similar
> to SecurID or other types of token authentication only with software
> tokens.  The administrator would generate the one-time pads for each
> user and distribute them using whatever secure method gets coded (PGP,
> SSH, or whatever).  
>
> The user then has a software token on their machine with the token code
> that changes either every use, or uses some type of challenge/response
> system, blah blah blah.  This token is used to log into systems,
> etcetera.
>
> I'd be interested in knowing if such an open-source tool exists, and if
> not who would be interested in working on it with me (email me privately
> if interested).
Yes, this exists.

What you're describing was originally known a S/Key and was
standardized by the IETF under the name of "One-time Password" (OTP)
See http://www.ietf.org/rfc/rfc2289.txt

S/Key and OTP calculators, PAM modules, etc. are fairly widely
available.

-Ekr



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html