The S/KEY One-Time Password System
RFC 1760

Document Type RFC - Informational (February 1995; No errata)
Last updated 2013-03-02
Stream Legacy
Formats plain text pdf html bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 1760 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                          N. Haller
Request for Comments: 1760                                      Bellcore
Category: Informational                                    February 1995

                   The S/KEY One-Time Password System

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.


   This document describes the S/KEY* One-Time Password system as
   released for public use by Bellcore and as described in reference
   [3].  A reference implementation and documentation are available by
   anonymous ftp from in the directories pub/nmh/...


   One form of attack on computing system connected to the Internet is
   eavesdropping on network connections to obtain login id's and
   passwords of legitimate users.  The captured login id and password
   are, at a later time, used gain access to the system.  The S/KEY
   One-Time Password system is designed to counter this type of attack,
   called a replay attack.

   With the S/KEY system, only a single use password ever crosses the
   network.  The user's secret pass-phrase never crosses the network at
   any time, including during login or when executing other commands
   requiring authentication such as the UNIX commands passwd or su.
   Thus, it is not vulnerable to eavesdropping/replay attacks.  Added
   security is provided by the property that no secret information need
   be stored on any system, including the host being protected.

   The S/KEY system protects against external passive attacks against
   the authentication subsystem.  It does not prevent a network
   eavesdropper from gaining access to private information, and does not
   provide protection against "inside jobs" or against active attacks
   where the potential intruder as able to intercept and modify the
   packet stream.

Haller                                                          [Page 1]
RFC 1760           The S/KEY One-Time Password System      February 1995


   There are two sides to the operation of the S/KEY one-time password
   system.  On the client side, the appropriate one-time password must
   be generated.  On the host side, the server must verify the one-time
   password and permit the secure changing of the user's secret pass-

   An S/KEY system client passes the user's secret pass-phrase through
   multiple applications of a secure hash function to produce a one-time
   password.  On each use, the number of applications is reduced by one.
   Thus a unique sequence of passwords is generated.  The S/KEY system
   host verifies the one-time password by making one pass though the
   secure hash function and comparing the result with the previous one-
   time password.  This technique was first suggested by Leslie Lamport

Secure Hash Function

   A secure hash function is a function that is easy to compute in the
   forward direction, but computationally infeasible to invert.  The
   S/KEY system is based on the MD4 Message Digest algorithm designed by
   Ronald Rivest [2].  Since the S/KEY authentication system went into
   use, the MD5 Message Digest was released.  We have chosen to continue
   to use MD4 due the large number of client programs that have been
   distributed.  Some sites have generated functionally similar systems
   based on MD5.  Clearly clients and hosts must use the same secure
   hash function to interoperate.

   The S/KEY system one-time passwords are 64 bits in length.  This is
   believed to be long enough to be secure and short enough to be
   manually entered (see below, Form of Passwords) when necessary.

   The S/KEY system applies the secure hash function multiple times,
   producing a 64 bit final output.  MD4 accepts an arbitrary number of
   bits as input and produces a 128 bit output.  The S/KEY secure hash
   function consists of applying MD4 to a 64 bit input and folding the
   output of MD4 with exclusive or to produce a 64 bit output.

Generation of One-Time Passwords

   This section describes the computation of the S/KEY one-time
   passwords.  It consists of a preparatory step in which all inputs are
   combined, a generation step where the secure hash function is applied
   multiple times, and an output function where the 64 bit one-time

Haller                                                          [Page 2]
RFC 1760           The S/KEY One-Time Password System      February 1995

   password is displayed in readable form.

   The client's secret pass phrase may be of any length and should be
   more than eight characters.  As the S/KEY secure hash function
   described above accepts a 64 bit input, a preparatory step is needed.
   In this step, the pass phrase is concatenated with a seed that is
   transmitted from the server in clear text.  This non-secret seed
Show full document text