Network Working Group                                          N. Haller
Request for Comments: 2289                                      Bellcore
Obsoletes: 1938                                                  C. Metz
Category: Standards Track                     Kaman Sciences Corporation
                                                               P. Nesser
                                              Nesser & Nesser Consulting
                                                                M. Straw
                                                                Bellcore
                                                           February 1998
A One-Time Password System
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
1.0 ABSTRACT
This document describes a one-time password authentication system
(OTP). The system provides authentication for system access (login)
and other applications requiring authentication that is secure
against passive attacks based on replaying captured reusable
passwords. OTP evolved from the S/KEY (S/KEY is a trademark of
Bellcore) One-Time Password System that was released by Bellcore and
is described in references [3] and [5].
2.0 OVERVIEW
One form of attack on networked computing systems is eavesdropping on
network connections to obtain authentication information such as the
login IDs and passwords of legitimate users. Once this information is
captured, it can be used at a later time to gain access to the
system. One-time password systems are designed to counter this type
of attack, called a "replay attack" [4].
The authentication system described in this document uses a secret
pass-phrase to generate a sequence of one-time (single use)
passwords. With this system, the user's secret pass-phrase never
needs to cross the network at any time such as during authentication
Haller Standards Track [Page 1]
RFC 2289 A One-Time Password System February 1998
or during pass-phrase changes. Thus, it is not vulnerable to replay
attacks. Added security is provided by the property that no secret
information need be stored on any system, including the server being
protected.
The OTP system protects against external passive attacks against the
authentication subsystem. It does not prevent a network eavesdropper
from gaining access to private information and does not provide
protection against either "social engineering" or active attacks [9].
3.0 INTRODUCTION
There are two entities in the operation of the OTP one-time password
system. The generator must produce the appropriate one-time password
from the user's secret pass-phrase and from information provided in
the challenge from the server. The server must send a challenge that
includes the appropriate generation parameters to the generator, must
verify the one-time password received, must store the last valid
one-time password it received, and must store the corresponding one-
time password sequence number. The server must also facilitate the
changing of the user's secret pass-phrase in a secure manner.
The OTP system generator passes the user's secret pass-phrase, along
with a seed received from the server as part of the challenge,
through multiple iterations of a secure hash function to produce a
one-time password. After each successful authentication, the number
of secure hash function iterations is reduced by one. Thus, a unique
sequence of passwords is generated. The server verifies the one-time
password received from the generator by computing the secure hash
function once and comparing the result with the previously accepted
one-time password. This technique was first suggested by Leslie
Lamport [1].
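The generator/server exchange described in sections 3.0 and 2.0 above, as an added worked example that is not part of RFC 2289. It shows the Lamport hash-chain idea only: the generator hashes (seed + pass-phrase) and then applies the hash function "sequence" more times, the server keeps only the last accepted password and its sequence number, and verification is a single extra hash plus a comparison. SHA-256 is used here as a stand-in for the hash function and output format the RFC defines in later sections (assumption); the pass-phrase, seed and sequence length are constructed sample values.

```python
import hashlib
import hmac


def otp_hash(data: bytes) -> bytes:
    # Assumption: plain SHA-256 stands in for the RFC's specified hash step.
    return hashlib.sha256(data).digest()


def generate_otp(passphrase: str, seed: str, sequence: int) -> bytes:
    """Generator side: hash (seed + pass-phrase) once, then `sequence`
    more times.  The pass-phrase itself never leaves this function."""
    value = otp_hash((seed + passphrase).encode())
    for _ in range(sequence):
        value = otp_hash(value)
    return value


class OtpServer:
    """Server side: stores no secret, only the last valid one-time
    password and the sequence number it corresponds to."""

    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed = seed
        self.sequence = sequence      # sequence number of last_otp
        self.last_otp = last_otp

    def challenge(self) -> tuple[int, str]:
        # The next password the generator must produce is one step
        # earlier in the chain than the one currently stored.
        return self.sequence - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        if self.sequence == 0:
            return False              # chain exhausted; re-initialisation needed
        # One hash of the candidate must reproduce the stored password.
        if not hmac.compare_digest(otp_hash(candidate), self.last_otp):
            return False
        self.last_otp = candidate     # advance the chain
        self.sequence -= 1
        return True


def demo() -> dict:
    """Run one initialisation, two logins and a replay of a captured
    password; returns the outcomes so they can be inspected or tested."""
    passphrase = "correct horse battery staple"   # constructed sample secret
    seed = "ke1234"                                # constructed sample seed
    chain_length = 5
    # Initialisation: the server is given p_N; the pass-phrase stays with the user.
    server = OtpServer(seed, chain_length,
                       generate_otp(passphrase, seed, chain_length))
    results = {}

    seq, sd = server.challenge()
    first = generate_otp(passphrase, sd, seq)
    results["first_login"] = server.verify(first)
    # An eavesdropper who captured `first` cannot reuse it.
    results["replay"] = server.verify(first)

    seq, sd = server.challenge()
    results["second_login"] = server.verify(generate_otp(passphrase, sd, seq))
    results["remaining"] = server.sequence
    return results


if __name__ == "__main__":
    print(demo())
```

Because the server only ever moves backwards along the chain, a captured password is useless after it has been accepted once, which is the replay resistance section 2.0 describes; the server's state (seed, sequence number, last password) contains nothing that lets an attacker compute the next password without the pass-phrase.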
4.0 REQUIREMENTS TERMINOLOGY
In this document, the words that are used to define the significance
of each particular requirement are usually capitalized. These words
are:
- MUST
This word or the adjective "REQUIRED" means that the item is an
absolute requirement of the specification.