Jonathan A. Zdziarski | 1 Dec 01:40 2003

One-Time Pad Authentication

Before I write this thing, I wanted to check and see if anyone on the
list knows if such a tool already exists in the open-source community. 
I've done some google and freshmeat searches but didn't find anything
that seemed to fit the bill.  The closest thing I found was E-Pad which
seems to be more related to file encryption than authentication.

I'm interested in coding a one-time pad authentication system; similar
to SecurID or other types of token authentication only with software
tokens.  The administrator would generate the one-time pads for each
user and distribute them using whatever secure method gets coded (PGP,
SSH, or whatever).  

The user then has a software token on their machine with the token code
that changes either every use, or uses some type of challenge/response
system, blah blah blah.  This token is used to log into systems,
etcetera.

I'd be interested in knowing if such an open-source tool exists, and if
not who would be interested in working on it with me (email me privately
if interested).

Jonathan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Michael Sierchio | 1 Dec 02:21 2003

Re: One-Time Pad Authentication

Jonathan A. Zdziarski wrote:

> I'm interested in coding a one-time pad authentication system; similar
> to SecurID or other types of token authentication only with software
> tokens.  The administrator would generate the one-time pads for each
> user and distribute them using whatever secure method gets coded (PGP,
> SSH, or whatever).  

You've thereby reduced the security of a one-time pad to that of
the cryptologic and protocol used to distribute it.  Simply isn't
done, old chap.

Use:

	trusted courier;
	registered US mail;
	etc.


Jeremiah Cornelius | 1 Dec 02:16 2003

Re: One-Time Pad Authentication


On Sunday 30 November 2003 16:40, Jonathan A. Zdziarski wrote:
<SNIP>
> I'm interested in coding a one-time pad authentication system; similar
> to SecurID or other types of token authentication only with software
> tokens.  The administrator would generate the one-time pads for each
> user and distribute them using whatever secure method gets coded (PGP,
> SSH, or whatever).  

Uhhhh...

Is S/KEY suitable? 

http://www.ece.northwestern.edu/CSEL/skey/skey_eecs.html
http://www.freebsdsystems.com/handbook/skey.html
http://www.ja.net/CERT/Long/Securing_Remote_Access.html

You can run s/key calculators on PC's, Macs and even Palm Pilots (turning them 
into a token - of sorts).

Jeremiah Cornelius

Eric Rescorla | 1 Dec 02:47 2003

Re: One-Time Pad Authentication

"Jonathan A. Zdziarski" <jonathan <at> nuclearelephant.com> writes:

> Before I write this thing, I wanted to check and see if anyone on the
> list knows if such a tool already exists in the open-source community. 
> I've done some google and freshmeat searches but didn't find anything
> that seemed to fit the bill.  The closest thing I found was E-Pad which
> seems to be more related to file encryption than authentication.
> 
> I'm interested in coding a one-time pad authentication system; similar
> to SecurID or other types of token authentication only with software
> tokens.  The administrator would generate the one-time pads for each
> user and distribute them using whatever secure method gets coded (PGP,
> SSH, or whatever).  
> 
> The user then has a software token on their machine with the token code
> that changes either every use, or uses some type of challenge/response
> system, blah blah blah.  This token is used to log into systems,
> etcetera.
> 
> I'd be interested in knowing if such an open-source tool exists, and if
> not who would be interested in working on it with me (email me privately
> if interested).

Yes, this exists.

What you're describing was originally known as S/Key and was
standardized by the IETF under the name of "One-time Password" (OTP).
See http://www.ietf.org/rfc/rfc2289.txt

S/Key and OTP calculators, PAM modules, etc. are fairly widely

Gary E. Miller | 1 Dec 02:42 2003

Re: One-Time Pad Authentication

Yo Jonathan!

On Sun, 30 Nov 2003, Jonathan A. Zdziarski wrote:

> I'm interested in coding a one-time pad authentication system; similar
> to SecurID or other types of token authentication only with software
> tokens.

No need to reinvent that wheel.  Check out RFC 2289/ STD 61.  Not many
RFCs make it to standard status and this one did:

	ftp://ftp.rfc-editor.org/in-notes/std/std61.txt

You can get the Bellcore reference implementation here:
	ftp://thumper.bellcore.com/pub/nmh/

PAM-s/key here:
	http://www.srce.hr/~kreator/projects/tarballs/

It is even available on PalmOS:
	http://gnukeyring.sourceforge.net/

Lots more to be found with a little googling.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
	gem <at> rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676


jon schatz | 1 Dec 02:51 2003

don't waste your time (was: Re: One-Time Pad Authentication)

Jonathan A. Zdziarski wrote:
> I'm interested in coding a one-time pad authentication system; similar
> to SecurID or other types of token authentication only with software
> tokens.  The administrator would generate the one-time pads for each
> user and distribute them using whatever secure method gets coded (PGP,
> SSH, or whatever).  

http://www.schneier.com/crypto-gram-0210.html#7

-jon

-- 
jon <at> divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus? www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."


Blue Boar | 1 Dec 03:40 2003

Re: One-Time Pad Authentication

Jonathan A. Zdziarski wrote:

> I'm interested in coding a one-time pad authentication system; similar
> to SecurID or other types of token authentication only with software
> tokens.  The administrator would generate the one-time pads for each
> user and distribute them using whatever secure method gets coded (PGP,
> SSH, or whatever).  

You don't actually mean a one-time pad, do you?  Sounds like you're 
referring to a one-time token authentication system, especially since you 
mention SecurID.  (I mention this because a few responses are reacting to 
you mentioning an OTP, but I don't think that's what you meant.)

					BB


Jonathan A. Zdziarski | 1 Dec 03:25 2003

Re: One-Time Pad Authentication

Thanks for all the responses =) Looks like there are a couple good tools
out there that would work.


Jonathan A. Zdziarski | 1 Dec 04:23 2003

Re: One-Time Pad Authentication


> You don't actually mean a one-time pad, do you?  Sounds like you're 
> referring to a one-time token authentication system, especially since you 
> mention SecurID.  (I mention this because a few responses are reacting to 
> you mentioning an OTP, but I don't think that's what you meant.)

Actually I was interested in a pad...not a seeded authentication
mechanism.  I realize there's a key distribution issue, but it's not
difficult to give out a CD with a few years worth of codes on it.

Seeded will suffice though, in lieu of rolling my own OTP.

I've been using SecurID at the companies I've worked at, so I didn't get
a chance to see what's on the open source network, but now that I'm
looking to implement this on my own systems, looks like a couple of the
tools people mentioned might work.  

Jonathan
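
The difference between the "pad" and "seeded" schemes discussed in this thread, as an added example that is not part of any poster's message or of the S/Key/OPIE code. It is a simplified hash chain in the style of RFC 2289: SHA-256 is used as an assumption in place of the RFC's hash and 64-bit folding, there is no word encoding, and all class and function names and sample values are hypothetical.

```python
import hashlib
import hmac


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Value number n of the chain: H applied n times to H(seed || secret)."""
    value = hashlib.sha256(seed + secret).digest()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class SeededVerifier:
    """Server keeps only the last accepted value and its sequence number."""
    def __init__(self, seed: bytes, n: int, initial: bytes):
        self.seed, self.seq, self.last = seed, n, initial

    def challenge(self):
        return self.seed, self.seq - 1  # client answers with value seq - 1

    def verify(self, response: bytes) -> bool:
        if self.seq <= 0:
            return False  # chain exhausted; the user must re-initialise
        hashed = hashlib.sha256(response).digest()
        if not hmac.compare_digest(hashed, self.last):
            return False
        self.last, self.seq = response, self.seq - 1  # replay now fails
        return True


class PadVerifier:
    """Server holds every pre-distributed random code and consumes them in order."""
    def __init__(self, codes):
        self.codes, self.pos = list(codes), 0

    def verify(self, response: bytes) -> bool:
        if self.pos >= len(self.codes):
            return False  # pad used up; a new one must be distributed
        ok = hmac.compare_digest(response, self.codes[self.pos])
        self.pos += ok  # a code is spent only when it was accepted
        return ok


def demo():
    secret, seed = b"constructed pass phrase", b"ke1234"  # constructed values
    server = SeededVerifier(seed, 100, chain(secret, seed, 100))
    otp = chain(secret, *server.challenge())
    first, replay = server.verify(otp), server.verify(otp)
    return first, replay, server.verify(chain(secret, *server.challenge()))
```

The seeded verifier's stored value is the hash of the next valid response, so reading the server's state does not reveal it; the pad verifier has to store the unused codes themselves.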


Timothy J. Miller | 1 Dec 05:13 2003

Re: One-Time Pad Authentication


On Nov 30, 2003, at 6:40 PM, Jonathan A. Zdziarski wrote:

> I'm interested in coding a one-time pad authentication system; similar
> to SecurID or other types of token authentication only with software
> tokens.  The administrator would generate the one-time pads for each
> user and distribute them using whatever secure method gets coded (PGP,
> SSH, or whatever).

One Time Passwords In Everything (OPIE):  http://inner.net/opie

-- Cerebus

