S/KEY is a one-time password system developed for authentication to Unix-like operating systems, especially from dumb terminals or untrusted public computers on which one does not want to type a long-term password. The purpose of a one-time password (OTP is to make it more difficult to gain unauthorized access to restricted resources like a computer account Authentication (from Greek αυθεντικός real or genuine from authentes author is the act of establishing or confirming something (or someone as A Unix-like (sometimes shortened to *nix) Operating system is one that behaves in a manner similar to a Unix system while not necessarily conforming An operating system (commonly abbreviated OS and O/S) is the software component of a Computer system that is responsible for the management and coordination A computer terminal is an electronic or electromechanical hardware device that is used for entering data into and displaying data from a Computer or a Computing A user's real password is combined in an offline device with a short set of characters and a decrementing counter to form a single-use password. Because each password is only used once, they are useless to password sniffers.

Because the short set of characters does not change until the counter reaches zero, it is possible to prepare a list of single-use passwords, in order, that can be carried by the user. Alternatively, the user can present the password, characters and desired counter value to a local calculator to generate the appropriate one-time password that can then be transmitted over the network in the clear. The latter form is more common and practically amounts to challenge-response authentication. In Computer security, challenge-response authentication is a family of protocols in which one party presents a question ("challenge" and another party must provide

S/KEY is supported in Linux (via Pluggable authentication modules), OpenBSD, NetBSD, and FreeBSD, and a generic open source implementation can be used to enable its use on other systems. Linux (commonly pronounced ˈlɪnəks Pluggable authentication modules or PAM are a mechanism to integrate multiple low-level Authentication schemes into a high-level Application programming interface OpenBSD is a Unix-like computer Operating system descended from Berkeley Software Distribution (BSD a Unix derivative developed at the NetBSD is a freely redistributable Open source version of the Unix -derivative Berkeley Software Distribution (BSD Computer Operating FreeBSD is a Unix-like free Operating system descended from AT&T UNIX via the Berkeley Software Distribution (BSD branch through S/KEY is a trademark of Telcordia Technologies, formerly known as Bell Communications Research (Bellcore). Telcordia Technologies, formerly Bell Communications Research Inc

S/KEY is also sometimes referred to as Lamport's scheme, after its author. Dr Leslie Lamport (born February 7, 1941 in New York City) is an American computer scientist. It was developed by Neil Haller, Phil Karn and John Walden at Bellcore in the late 1980s. Phil Karn is an engineer from Baltimore Maryland. He earned a bachelor's degree in Electrical engineering from Cornell University in 1978 and a master's With the expiration of the basic patents on public key cryptography and the widespread use of laptop computers running SSH and other cryptographic protocols that can secure an entire session, not just the password, S/KEY is falling into disuse. Public-key cryptography, also known as asymmetric cryptography, is a form of Cryptography in which the key used to encrypt a message differs from the key A laptop computer, also known as a notebook computer, is a small Personal computer designed for mobile use. SecurID is a related one-time password scheme that still sees widespread use because, unlike S/KEY, it provides two-factor authentication by requiring a physical token that cannot be easily reproduced. RSA SecurID is a mechanism developed by RSA Security for performing Two-factor authentication for a user to a network resource An Authentication factor is a piece of Information and Process used to authenticate or verify a person's Identity or other entity requesting access

Contents 1 Password generation 2 Authentication 3 Security 4 Usability 5 References 6 External links

Password generation

The server is the computer that will perform the authentication.

1. This step begins with a secret key w. This secret can either be provided by the user, or can be generated by a computer. Either way, if this secret is disclosed then the security of S/KEY is compromised
2. H is a cryptographic hash function
3. H is applied n times to w, thereby producing a hash chain of n one-time passwords (the passwords are the results of the cryptographic hash H). A cryptographic Hash function is a transformation that takes an input (or 'message' and returns a fixed-size string which is called the hash value (sometimes In Computer security, a hash chain is a method to produce many one-time keys from a single key or Password.
4. The initial secret w is discarded
5. The user is provided with the n passwords, printed out in reverse order.
6. The last n-1 passwords are discarded from the server. Only the first password, at the top of the user's list, is stored on the server.

Authentication

After password generation, the user has a sheet of paper with n passwords on it. The first password is the same password that the server has stored. This first password will not be used for authentication (the user should scratch this password on the sheet of paper), the second one will be used instead:

• The user provides the server with the second password on the list and scratches that password
• The server attempts to compute H(pwd) where pwd is the password supplied. If H(pwd) produces the first password (the one the server has stored), then the authentication is successful. The server will then store pwd as the current reference.

For subsequent authentications, the user will provide password i. (The last password on the printed list, password n, is the first password generated by the server, H(w), where w is the initial secret). The server will compute H(password i) and will compare the result to password i-1, which is stored as reference on the server.

Security

The security of S/KEY relies on the difficulty of reversing cryptographic hash functions. A cryptographic Hash function is a transformation that takes an input (or 'message' and returns a fixed-size string which is called the hash value (sometimes Assume an attacker manages to get hold of a password that was used for a successful authentication. Supposing this is password i, this password is already useless for subsequent authentications, because each password can only be used once. It would be interesting for the attacker to find out password i-1, because this password is the one that will be used for the next authentication.

However this would require inverting the hash function that produced password i using password i-1 (password i = H(password i-1)), which is extremely difficult to do with current cryptographic hash functions. A cryptographic Hash function is a transformation that takes an input (or 'message' and returns a fixed-size string which is called the hash value (sometimes

S/KEY is however vulnerable to a man in the middle attack if used by itself. In Cryptography, the man-in-the-middle attack or bucket-brigade attack (often abbreviated MITM) sometimes Janus attack, is a It is also vulnerable to certain race conditions, such as where an attacker's software sniffs the network to learn the first N-1 characters in the password (where N equals the password length), establishes its own TCP session to the server, and in rapid succession tries all valid characters in the Nth position until one succeeds. A race condition or race hazard is a flaw in a System or process whereby the output and/or result of the process is unexpectedly and critically dependent These types of vulnerabilities can be avoided by using ssh, SSL, SPKM or other encrypted transport layer. Secure Shell or SSH is a Network protocol that allows data to be exchanged using a Secure channel between two networked devices Transport Layer Security ( TLS) and its predecessor Secure Sockets Layer ( SSL) are Cryptographic protocols that provide secure

Usability

Internally, S/KEY uses 64 bit numbers. '64-bit' CPUs have existed in Supercomputers since the 1960s and in RISC -based workstations and servers since the early 1990s. For human usability purposes, each number is mapped to 6 short words of 1 to 4 characters each from a publicly accessible 2048-word dictionary. For example, one 64 bit number maps to "ROY HURT SKI FAIL GRIM KNEE. "

References

• 'THE S/KEY(TM) ONE-TIME PASSWORD SYSTEM' by Neil M. Haller
• The handbook of applied cryptography, Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone Chapter 10 describes Lamport's scheme on page 396
• RFC 1760 - The S/KEY One-Time Password System
• RFC 2289 - A One-Time Password System

External links

• jsotp: JavaScript OTP & S/Key Calculator
• Introduction to the system
• Java Micro Edition S/key calculator for cell phones

---

© 2009 citizendia.org; parts available under the terms of GNU Free Documentation License, from http://en.wikipedia.org
Dapyx Software network: MP3 Explorer | Ebook Manager | Zenithic