One-time password implementation.
Alexander Leidinger
Alexander at Leidinger.net
Tue Dec 8 09:12:17 UTC 2009
Quoting Mark Fullmer <maf at eng.oar.net> (from Mon, 7 Dec 2009 19:11:23 -0500):
> I recently released a BSD licensed smart card based OTP system we've
> used over the past few years. It uses the OATH HOTP algorithm and
> includes an OTP library, PAM module, smart card firmware, pin pad
> reader firmware, associated management utilities and man page
> documentation. The smart card and reader(s) hardware can be
> purchased in single quantities and it all works natively with
> FreeBSD. The HOTP algorithm has gained some momentum with a few
> vendors now selling hardware tokens which should work with this
> software.
>
> http://www.splintered.net/sw/otp
>
> It might be easier to add GRC PPP to this than to start from scratch.
After reading your presentation it seems that your algorithm does not
limit the time the user is able to use a specific generated password.
Are you interested in an algorithm which does this (it requires a more or
less synchronised clock on the client and destination sides; a difference of
some seconds does not matter, but a difference of some minutes does)?
Yes, this would require a smart card which is able to produce the
current time, and I do not know if there is such a card and how much
it costs, but there are scenarios where you do not need the additional
security of a tamper-resistant smart card and a mobile with a Java app
would be enough (and this would then allow one to have a more or less
unlimited number of different destinations with different passwords on
one device).
Bye,
Alexander.
--
What makes us so bitter against people who outwit us
is that they think themselves cleverer than we are.
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
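The distinction the reply draws, between a counter-based HOTP code that stays valid until it is consumed and a time-limited code that tolerates a few seconds of clock drift but not minutes, as an added Python example that is not part of this thread or of the splintered.net software. It implements HOTP as specified in RFC 4226 and the clock-synchronised variant that was later standardised as TOTP (RFC 6238); the 30-second step, the one-step skew window, the look-ahead of 10 counters and the demo timestamps are assumptions chosen for illustration, and the RFC test secret is used so the outputs can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
# Constructed for illustration; a real deployment uses a random per-token key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the HOTP counter is the number of `step`-second
    intervals since the Unix epoch, so both sides only need a roughly
    synchronised clock rather than a shared event counter."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, candidate: str, server_counter: int,
                look_ahead: int = 10):
    """Event-based check. The server remembers the next expected counter and
    accepts a code for any of the next `look_ahead` counters (the token may
    have been pressed without a login). Returns the new server counter on
    success, None on failure. Wall-clock time never enters the decision, so a
    generated code remains usable until it (or a later one) is consumed."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1          # advance past the used code: no replay
    return None


def verify_totp(secret: bytes, candidate: str, now: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """Time-based check. Accept only codes for the current step or
    `skew_steps` steps either side, i.e. seconds of drift are tolerated,
    minutes are not."""
    t = now // step
    for d in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, t + d), candidate):
            return True
    return False


def demo() -> dict:
    """Side-by-side: the same code presented late under each scheme."""
    minted_at = 1_000_000           # constructed timestamp
    return {
        # HOTP code for counter 3 is still accepted with no time limit...
        "hotp_fresh": verify_hotp(SECRET, hotp(SECRET, 3), 0),
        # ...but a second use of it is refused because the counter moved on.
        "hotp_replay": verify_hotp(SECRET, hotp(SECRET, 3), 4),
        # Time-based code: fine 20 s later, refused 5 min later.
        "totp_20s": verify_totp(SECRET, totp(SECRET, minted_at), minted_at + 20),
        "totp_5min": verify_totp(SECRET, totp(SECRET, minted_at), minted_at + 300),
    }


if __name__ == "__main__":
    print(demo())
```

The first 6 digits of each RFC 6238 vector equal HOTP at the same counter, which is why `totp()` is just `hotp()` with a derived counter; the only thing the clock buys is the validity window enforced in `verify_totp()`.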