Whispered Once

Despite the biometrics boom, passwords are still the most popular means of authentication. In hostile environments, rogue users try to sniff or log password entries. You can foil these attempts by using one-time passwords. A one-time password becomes obsolete after it is used.

Even if an attacker were to sniff the password en route to the authentication server, the password would be useless.For a one-time password to work, the client must have some means for determining what password to use, and the server must know what password to expect.

Figure 1: The Digipass Pro 300 by Vasco relies on the challenge-response approach. The user types the challenge via the keypad on the token and reads off the response from the display.

Techniques

Security experts have developed several techniques for generating one-time passwords. Some methods base a new password on a mathematical manipulation of the previous password – or on a mathematical manipulation of the current time. Another technique known as challenge-response starts with the server sending a random number to the client. The client then calculates a response using a process that is known to both parties.

Of course, an attacker who sniffs a couple of these challenges and responses could theoretically uncover the method. This crypto-analysis technique, which is often called known plaintext, has been described in several scientific publications. But if both partners apply a hash function after calculating the response, a sniffer will find it far more difficult to uncover the original value. The result looks very much like a random number.

These kinds of calculations are difficult to do in your head, so users often employ an electronic device called a token, which looks something like a pocket calculator. Figures 1 and 2 show examples of some popular tokens. Another option is to set up a mobile phone or PDA with the necessary software to act as a hardware-based token.

Figure 2: The Secur-ID-Token SID700 by RSA/EMC encodes the current time of day and the internal key. The display shows a different PIN every minute.

Software-Based Solutions

Of course, tokens are relatively expensive; also, the technology is often patented, or else the internal mechanisms are not fully disclosed as a security measure. If you prefer to avoid the effort and expense of a hardware token, you can also use a software-only solution.

Software-based one-time password systems have been around for several years are are even enshrined in a number of Internet RFCs. The S/Key system, which was developed in 1995 by Bellcore, is defined in RFC 1760. S/Key originally relied on MD4 encryption. Its successor, OTP, which is specified in RFC 2289, can also use MD5 and SHA hashes.

Figure 3: To initialize, the generator sends a password to the server. The server hashes the password and a seed to calculate the first one-time password.

Figure 4: During authentication, the server presents the seed and a counter. The user runs a generator to calculate the one-time password and returns it to the server for validation.

Universal OPIE

A pair of open source projects known as OPIE [3] and OTPW [4] provide one-time password tools for Linux. The leading OTP software implementation on Linux comes courtesy of the OPIE project (One-Time Passwords in Everything).

OPIE is easily installed from the packages that exist for many distributions, and easily built from the sources. The installation adds OTP-capable programs for login, su, and ftpd, as well as the pam_opie.so library, a number of tools, and the /etc/opiekeys configuration.

The first step is to initialize the OTP system (see Listing 1). Users handle this step themselves by logging on to the system and executing the opiepasswd command (Line 1). The results might be confusing at first glance (Line 3); by default, the tool assumes that the user is not logged on locally at the console.

01 # opiepasswd
02 Adding root:
03 You need the response from an OTP generator.
04 New secret pass phrase:
05         otp-md5 499 te3049
06         Response:
07 ^C
08 # opiepasswd -c
09 Adding root:
10 Only use this method from the console; NEVER
11 from remote. If you are using telnet, xterm,
12 or a dial-in, type ^C now or exit with no
13 password. Then run opiepasswd without the -c
14 parameter.
15 Sorry, but you don't seem to be on the console
16 or a secure terminal.
17 # opiepasswd -cf
18 Adding root:
19 Only use this method from the console; NEVER
20 from remote. If you are using telnet, xterm,
21 or a dial-in, type ^C now or exit with no
22 password. Then run opiepasswd without the -c
23 parameter.
24 Using MD5 to compute responses.
25 Enter new secret pass phrase:
26 Again new secret pass phrase:
27
28 ID root OTP key is 499 te5843
29 DANG TOOK HUNT GYM HICK PAW
30 # cat /etc/opiekeys
31 root 0499 te5843     6f1dba738c197a64
32                      Feb 16,2008 05:42

Because network traffic is often sniffable and insecure, opiepasswd expects an OTP. To avoid a chicken and egg problem, users must declare (by setting the -c option) that they are working at the secure console (see Line 8 in Listing 1).

If the command catches the user lying, it will refuse to cooperate. Users who take security seriously should avoid the -f option (Line 17), which ignores the subsequent warning.

The process is user-specific; in other words, any user wanting to work with one-time passwords needs to run the command individually.

After completing the initialization, a user entry is added to the /etc/opiekeys file. This file also contains the seed (te5843 in this case), the hash (6f1dba738c197a64), the newly-generated one-time password, and the sequence number (499 in this example – Lines 31 and 32).

To generate valid one-time passwords later, users need their own password, the seed, and the sequence number. There is no need to memorize all this – with the exception of the user password. The other two credentials are provided and displayed by the server.