-
Notifications
You must be signed in to change notification settings - Fork 4
/
otpw.html
552 lines (465 loc) · 24.1 KB
/
otpw.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<HTML>
<HEAD>
<TITLE>OTPW – a one-time password login package</TITLE>
<META NAME="keywords" CONTENT="computer security, S/KEY, Ssh,
secure login, password sniffing, eavesdropping, OTPW">
<META NAME="description" CONTENT="Free implementation of a one-time
password scheme allowing remote access from untrusted terminals.">
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
<link rel="stylesheet" href="https://www.cl.cam.ac.uk/~mgk25/default.css"
type="text/css">
</HEAD>
<BODY>
<H1>OTPW – A one-time password login package</H1>
<P><A HREF="https://www.cl.cam.ac.uk/~mgk25/">Markus Kuhn</A>, Computer
Laboratory, University of Cambridge
<P><A HREF="https://www.cl.cam.ac.uk/~mgk25/otpw.html">Latest release</A>:
Version 1.5, 2014-08-07
<H2 id="abstract">Abstract</H2>
<P>The OTPW package consists of the one-time-password generator
<CITE>otpw-gen</CITE> plus two verification routines
<CITE>otpw_prepare()</CITE> and <CITE>otpw_verify()</CITE> that can
easily be added to programs such as <CITE>login</CITE> or
<CITE>ftpd</CITE> on POSIX systems. For platforms that support the
Pluggable Authentication Method (PAM) interface, a suitable wrapper is
included as well. Login software extended this way will allow
reasonably secure user authentication over insecure network lines. The
user carries a password list on paper. The scheme is designed to be
robust against theft of the paper list and race-for-the-last-letter
attacks. Cryptographic hash values of the one-time passwords are
stored for verification, either in the user’s home directory or in
a dedicated system directory.
<H2 id="intro">Introduction</H2>
<P>A well-known classic vulnerability of the Internet application
protocol suite is the frequent cleartext transfer of passwords in the
telnet, rsh, and ftp protocols. Modern replacements for these
protocols such as <A HREF="http://www.cs.hut.fi/~ylo/">Tatu
Ylönen</A>’s <A
HREF="http://www.ietf.org/html.charters/secsh-charter.html">Secure
Shell</A> allow comfortable and secure remote sessions and file
transfers over network connection that are not trusted to provide
confidentiality.
<P>However, traveling computer users often want to connect to their
home system via untrusted terminals at conference hotels, other
universities, and airports, where trusted encryption software is not
available. Even Secure Shell does not protect against keyboard
eavesdropping software on the untrusted terminal. A loss of
confidentiality is often acceptable in these situations for the
session content, but not for reusable login passwords.
One-time-password schemes avoid the transmission of authentication
secrets that are of any value after they have been used. This provides
a reasonable level of protection against the widely encountered
password sniffing attacks. The goal of a one-time-password login
scheme is merely to provide a significant increase of security over
the classic telnet/rlogin login procedure. It does
<STRONG>not</STRONG> aim to protect from sophisticated active attacks
such as session hijacking, host emulation, man-in-the-middle, etc.
against which ssh and SSL based protocols should be used if this level
of protection is required.
<P>A widely known one-time-password scheme is <A
HREF="ftp://ftp.cert.dfn.de/pub/tools/password/SKey/">S/KEY</A>
[Hal94, HM96]. OTPW is not compatible with and is not derived from
either S/KEY or <A HREF=
"http://www.inner.net/pub/opie/">OPIE</A>. It is a
completely independent and different design, which I believe fulfils
my functional and security requirements better.
<H2 id="operation">How it works</H2>
<P>One-time password authentication with the OTPW package is
accomplished via a file containing hash values of passwords. Depending
on the installation option chosen, this can either be a
file <CITE>~john/.otpw</CITE> located in the user’s home directory, or
it can be a file <CITE>~otpw/john</CITE> in the home directory of a
dedicated pseudo user “otpw”. In the latter case, the otpw-gen tool
for generating new passwords must be owned by pseudo user “otpw” and
have the SETUID bit set. As long as users do not have such a hash
file, the one-time-password facility is not active for them.
<P>A user who wants to setup the one-time-password capability just
executes the <CITE>otpw-gen</CITE> program. The program will ask for a
<EM>prefix password</EM> that the user has to select and memorize and
it will then write to standard output a password list such as:
<PRE>
OTPW list generated 2003-08-31 21:06 on trillium.cl.cam.ac.uk
000 IZdB bqyH 006 rF62 k6zi 012 JCFe 6at3 018 uaYT azuu 024 Nt7n b=fQ
001 yCSo /VQs 007 Phvb =6ZW 013 8Pm7 DbYJ 019 OdAk H62c 025 /pOm :ZEA
002 mESf +nWK 008 J9fH iXrn 014 MAds 6TTS 020 Aj6W 9O4P 026 DhCc yrPY
003 x4vX HXr2 009 DGPC amts 015 B=xZ waPx 021 MzUP Ahsc 027 UWTe G3Fh
004 A5z9 japt 010 s6cr xwZ5 016 sCgq Da5Y 022 Q=XK 4I7w 028 xszW Ha9L
005 YCcA k29/ 011 inn6 Rsa/ 017 m8za o/HB 023 umS= gYoU 029 +HmG Rr6P
!!! REMEMBER: Enter the PREFIX PASSWORD first !!!
</PRE>
<P>Normally the output of <CITE>otpw-gen</CITE> should be sent directly to
the printer as in
<PRE>
otpw-gen | lpr
</PRE>
<P>or should be first formatted with an ASCII to PostScript converter
where necessary.
<P>Fetch the printed list immediately from the printer, fold it, and
keep it with you. The list shows the machine name and the creation
time to allow users to find the latest list for the right machine. It
does not show the user’s name, because nobody is supposed to have the
list of anyone else, but printer drivers such as <CITE>a2ps</CITE>
might add it. Only a single list is required for a set of networked
machines on which the user has a common home directory.
<P>By default, <CITE>otpw-gen</CITE> generates 60 lines of output. Use
the command line options <SAMP>-h</SAMP> <VAR>lines</VAR>,
<SAMP>-w</SAMP> <VAR>columns</VAR>, and
<SAMP>-s</SAMP> <VAR>pages</VAR> to specify the length of the
output. No more than 1000 passwords will be generated at a time.
<P>Where one-time-password authentication is used, the password prompt
will be followed by a 3-digit password number. Enter first the prefix
password that was given to <CITE>otpw-gen</CITE>, followed directly
(without hitting return between) by the password with the requested
number from the printed password list:
<PRE>
login: <B>kuhn</B>
Password 019: <B>geHeimOdAkH62c</B>
</PRE>
<P>In this example, <SAMP>geHeim</SAMP> was the prefix password. The
spaces in the password list are just there to increase readability and
can be dropped.
<P>A clever attacker might observe the password being entered and
might try to use the fact that computers can send data much faster
than users can finish entering passwords. In the several hundred
milliseconds that the user needs to press the return key after the
last character, an attacker could on a parallel connection to the same
machine send the code of the return key faster than the user.
<P>To prevent such a race-for-the-last-key attack, any login attempt
that is taking place concurrently with another attempt will require
three one-time passwords to be entered:
<PRE>
login: <B>kuhn</B>
Password 022/000/004: <B>geHeimQ=XK4I7wIZdBbqyHA5z9japt</B>
</PRE>
<P>This might look inconvenient at first, but remember that three
passwords will only be requested when someone tries to login
simultaneously, which in itself should already cause suspicion. The
three requested passwords are randomly selected but they will never
include the single password that was requested in the first of the
concurrent login attempts. Only the first requested single password
will be locked, not any of the requested triples. This way, the
three-password method ensures that an attacker cannot disable the OTPW
mechanism by locking all passwords. The triple challenge ensures that
many ten thousand network connections would be necessary to perform a
race attack on the same password triple, which is not practical. The
OTPW package creates a symbolic link <SAMP>.otpw.lock</SAMP> in the
user’s home directory to lock the first requested password while its
input is pending. If a system crash created a stale lock, it will be
removed after 24 hours.
<P>The <SAMP>.otpw</SAMP> file looks like
<PRE>
OTPW1
30 3 12 8
---------------
---------------
023vf+Uvbg7AqjC
025Mm+mJWbStzL5
024aPEXvP3pgUYa
008r3b5efMVT%IU
002AQ63iP8ymMWq
005:PcEr:LoieKO
---------------
0135:Gw==tjv=rA
020rQQ2C2SQP%EU
02197Jh5deXd8ga
016qN9qPHh4CNz6
010BcqejWc+kI6i
027hkkmBcMZYxgg
029tkB6Wm5yS=F7
003BpcMoM=YwTPY
018f=4hAXWpwetr
014jiOz/aMow83k
0099gRB2+8QX8BC
012QBhdmm7k=Hqs
007g6zMK%Ryp6hZ
015XsTSUVUYTJ+8
017uxVFK6BikgpV
---------------
0067t5Z8SIdz/6h
026CN/JqBQJLKZE
028V5hj+3wYkFHq
011VooKgV4PAJRD
0016AtPvgkVe+Rw
</PRE>
<P>The first line identifies the file format. The second line shows the
<UL>
<LI>number of originally generated password entries,
<LI>digits per password number (3),
<LI>characters per base-64 encoded hash value (12),
<LI>characters per one-time password.
</UL>
<P>Every subsequent line is a password number followed by the <A HREF=
"http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html">RIPEMD-160</A>
hash value of the prefix password concatenated with one of the printed
one-time passwords. Only the first 12×6 = 72 bits of the hash value
encoded in the same modified base-64 encoding that was used to
generate the passwords is stored there. As soon as a one-time password
has been entered correctly, the corresponding <SAMP>.otpw</SAMP> line
will be overwritten with hyphens to prevent any reuse of this
password.
<H2 id="install">Installation</H2>
<P>Get the OTPW package <SAMP>otpw-*.*.tar.gz</SAMP> from <A
HREF="https://www.cl.cam.ac.uk/~mgk25/download/">
https://www.cl.cam.ac.uk/~mgk25/download/</A> or use
<pre>
git clone https://www.cl.cam.ac.uk/~mgk25/git/otpw
</pre>
<P>First have a look into <SAMP>otpw.c</SAMP>
and <SAMP>otpw-gen.c</SAMP> where some system parameters can be
changed. The only item there really worth being checked carefully is
<SAMP>entropy_cmds</SAMP>. It contains a list of shell commands, whose
output is used to initialize the random number generator
in <CITE>otpw-gen</CITE>. Make sure that at least most of these shell
commands actually do work on your system and produce an output that is
extremely difficult to predict for potential attackers. If your
operating system has a <SAMP>/dev/random</SAMP> or
<SAMP>/dev/urandom</SAMP> device that gives access to a good true
random number generator, then make sure that a command reads and
outputs about 20 bytes from there. In <SAMP>entropy_env</SAMP>, some
environment variables (e.g., <SAMP>PATH</SAMP>) can be set for these
shell commands.
<P>Just start <CITE>make</CITE> to compile the <CITE>otpw-gen</CITE>
and <CITE>demologin</CITE> programs. While <CITE>otpw-gen</CITE> can
directly be made available to the user, <CITE>demologin</CITE> is only
an example of the modifications that you have to make to your login
program to support one-time passwords using OTPW.
<P>The login program has to call
<PRE>
#include "otpw.h"
struct challenge ch;
struct passwd *pwd;
otpw_prepare(&ch, pwd);
</PRE>
<P>after the user name has been entered and the POSIX password
database entry has been read into <SAMP>*pwd</SAMP>. The routine will
select a challenge password, which will be stored in
<SAMP>ch.challenge</SAMP>, and will lock it if necessary. If this was
not possible, for instance because the user has no unused passwords
left, then <SAMP>ch.challenge</SAMP> will be an empty string.
Otherwise, <SAMP>ch.challenge</SAMP> should be displayed to the user
in some way before the password prompt. After the password has been
entered, call
<PRE>
result = otpw_verify(&ch, password);
</PRE>
<P>and if <SAMP>result == OTPW_OK</SAMP> then accept the user as
authorized, otherwise do not. It is very important that
<SAMP>otpw_verify()</SAMP> is always called after
<SAMP>otpw_prepare()</SAMP> has returned successfully (i.e., with a
non-empty <SAMP>ch.challenge</SAMP> string), as otherwise a stale lock
might remain set. In <SAMP>otpw_prepare()</SAMP>, the current working
directory will be changed to the user’s home directory, and
<SAMP>otpw_verify()</SAMP> expects that it is still there. If after
<SAMP>otpw_verify()</SAMP> has returned, the condition
<SAMP>ch.entries > 2 * ch.remaining</SAMP> is true and half of all
passwords have been used, the user should be remembered to generate a
new password list by executing <CITE>otpw-gen</CITE>. The security of
OTPW is increased if a new password list is created long before all
passwords on the old list have been used.
<P>Both routines can be called with the <SAMP>root</SAMP> user id and
they will temporarily change the effective user-id to that of the user
in order to access the password file in the home directory. OTPW does
not use any of the POSIX advisory file locking system calls, as those
often do not work reliably over network file systems.
<H3 id="pam">PAM installation</H3>
<P>If your system supports Pluggable Authentication Modules
[Mor01,XSSO], then simply compile the shared library
<CITE>pam_otpw.so</CITE> and copy it to the directory in which other
PAM modules reside (under Linux usually <SAMP>/lib/security/</SAMP>).
Then edit the PAM configuration file for the application in which you
want to use OTPW, as described in your <A
HREF="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">PAM
System Administrators’ Guide</A>. The <CITE>pam_otpw.so</CITE>
provides both an authentication and a session component. The
authentication component asks for and verifies a one-time password,
the session component prints after each successful login a reminder on
how many unused passwords you have left.
<P>To use both components when loggin into your system via Secure
Shell, you might have to add in <SAMP>/etc/pam.d/sshd</SAMP> the lines
<PRE>
auth required pam_otpw.so
session optional pam_otpw.so
</PRE>
<P>With <SAMP>OpenSSH 5.9p1</SAMP> for example, you need to make sure
that it has PAM support compiled in, and you will need
in <SAMP>/etc/ssh/sshd_config</SAMP> the lines
<PRE>
UsePrivilegeSeparation no
UsePAM yes
ChallengeResponseAuthentication yes
</PRE>
<P>To force OpenSSH to use PAM authentication (instead of its own
hostbased or publickey methods, which it normally tries first), use
“<SAMP>ssh -o PreferredAuthentications=keyboard-interactive</SAMP>”.
<h3>Pseudo user setup</h3>
<p>Starting with otpw-1.5, if you would like to keep the password hash
files out of the reach of your users, you can create a pseudo user
“otpw” (uid < 1000) and an associated home directory where the
password files will be stored. On Ubuntu Linux, for example, the steps
necessary for such a setup might be
<pre>
$ adduser --system --gecos 'OTPW pseudouser' --home /var/lib/otpw otpw
$ chown otpw /usr/bin/otpw-gen && chmod u+s /usr/bin/otpw-gen
</pre>
<H2 id="rationale">Design rationale</H2>
<P>Unlike S/KEY [Hal94, HM96], OTPW is not based on the Lamport scheme
[Lam77] in which every one-time password is the one-way hash value of
its successor. Password lists based on the Lamport scheme have the
problem that if the attacker can see one of the last passwords on the
list, then all previous passwords can be calculated from it. We also
do not store the encrypted passwords as suggested by Rubin [Rub96], in
order to keep the host free of files with secrets. Both proposals
aimed to save memory in the host system. Instead, we store the one-way
hash value of every single password in a potentially widely readable
file in the user’s home directory. For instance, hash values of 300
passwords (a typical A4 page) require only a four kilobyte long
<SAMP>.otpw</SAMP> file, a typically negligible amount of storage
space.
<P>The passwords are carefully generated random numbers. The random
number generator is based on the RIPEMD-160 secure hash function
[DBP96, ISO03]. The random number generator is seeded by hashing
together the output of various shell commands. These provide
unpredictability in the form of a system random number seed, access
times of important system files, usage history of the host, and more.
The random state is the 160-bit output of the hash function. The
random state is iterated after each use by concatenating the old state
with the current high-resolution timer output and hashing the result
again. The first 72 bits of the hash output are encoded with a
modified base64 [FB96] scheme to produce readable passwords, while the
remaining 88 bits represent the undisclosed internal state of the
random number generator.
<P>In many fonts, the characters <SAMP>0O</SAMP> or <SAMP>1lI</SAMP>
are difficult to distinguish, therefore the modified base64 encoding
replaces the three characters <SAMP>01l</SAMP> by <SAMP>:=%</SAMP>. If
for instance a zero is confused with a capital <SAMP>O</SAMP> by the
user, the password verification routine will automatically correct for
this.
<P>S/KEY uses sequences of short English words as passwords. OTPW uses
by default a base64 encoding instead, because that allows more
passwords to be printed on a single page, with the same password
entropy. In addition, an average human spy needs over 30 seconds to
write a 12-character random string into short-term memory, which
provides a good protection against brief looks that an attacker might
have on a password list. Lists of short words on the other hand are
much faster to memorize. OTPW can handle arbitrary password generation
algorithms, as long as the length of the password is fixed. In the
current version, <SAMP>otpw-gen</SAMP> can generate both base-64
encoded (option <samp>-p</samp>) and 4-letter-word encoded (option
<samp>-p1</samp>) passwords with a user-specified entropy (option
<samp>-e</samp>).
<P>The prefix password ensures that neither stealing the password list
nor eavesdropping the line alone can provide unauthorized access.
Admittedly, the security obtained by OTPW is not comparable with that
of a challenge-response system in which the user has a PIN protected
special calculator that generates the response. On the other hand, a
piece of paper is much more portable, much more robust, and much
cheaper than a special calculator. OTPW was designed for the large
user base, for which an extra battery-powered device is inconvenient
or not cost effective and who therefore still use normal Unix
passwords everywhere.
<P>In contrast to the suggestion made in RFC 1938, OTPW does not lock
more than one one-time password at a time. If we did this, an attacker
could easily exhaust our list of unlocked passwords and force us to
either not login at all or use the normal Unix login password.
Therefore, OTPW locks only one single password and for all further
logins a triple-challenge is issued. If more than 100 unused passwords
remain available, then there are over a million different challenges
and an attacker has very little chance to perform a successful race
attack while the authorized user finishes password entry.
<P>The RIPEMD-160 routine was provided by Antoon Bosselaers
(Katholieke Universiteit Leuven). Steven Murdoch wrote significant
parts of the PAM wrapper and prepared a test setup. Also thanks to Kan
Zhang, Piete Brooks and David Wheeler for useful suggestions.
<H2 id="bugs">Known problems</H2>
<UL>
<LI id="opensshbug">The OTPW PAM module exposes a <a
href="http://bugzilla.mindrot.org/show_bug.cgi?id=632">bug</a> in <a
href="http://www.openssh.com/">OpenSSH</a> 3.6.1–5.9 (and possibly many
other versions) under Linux:
<p><b>Observation:</b> If the ssh user aborts the keyboard-interactive
password entry, for example by pressing Ctrl-C, then OTPW will not
remove its <samp>~/.otpw.lock</samp> file. As a result, the user will
get a triple-password request prompted at the next login attempt.
<p><b>Analysis:</b> Debugging the sshd process with a breakpoint at
the start of <SAMP>pam_end()</SAMP> shows that when ssh aborts the
connection while sshd is inside the “conversation function” that sshd
provides to the PAM system, then the conversation function never
returns to PAM. Instead sshd calls <SAMP>pam_end()</SAMP> directly
from inside the conversation function. This is in violation of <em><a
href="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html">The
Linux-PAM application developers’ guide</a></em> (draft 0.73,
2000-12-02), which states in <a
href="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html#ss3.2">section
3.2.1</a>, page 14 that “should an error occur the application should
[...] simply return PAM_CONV_ERR”. Linux-PAM keeps in
<SAMP>pamh->caller_is</SAMP> track of whether the calling thread was
supposed to come from the application (caller_is=2) or from the PAM
module (caller_is=1). (See
<samp>Linux-PAM-0.75/libpam/pam_private.h</samp> for the relevant
macros.) The incorrect call of <SAMP>pam_end()</SAMP> simply results
in an error message by Linux-PAM, because Linux-PAM thinks based on
its <SAMP>pamh->caller_is=1</SAMP> value that <SAMP>pam_end()</SAMP>
was accidentally called by the module. As a result, none of the PAM
data structures are cleaned up, one side effect of which is that the
OTPW lock file remains in place. Sshd reacts on the failure of
<SAMP>pam_end()</SAMP> with the syslog message “Cannot release PAM
authentication[4]: System error”. Another security-relevant side
effect is that the memory scrubbing that PAM normally applies
carefully to any password buffers never takes place!
<p><b>Workaround:</b> None. This needs to be fixed urgently by the
OpenSSH developers, as it also breaks the proper deallocation of
buffers with secrets.
</UL>
<H2 id="license">License</H2>
<p>OTPW – A one-time password login package
<p>Copyright © 1998–2014 Markus Kuhn
<p>This program is free software; you can redistribute it and/or
modify it under the terms of the <a
href="http://www.gnu.org/licenses/gpl.txt">GNU General Public
License</a> as published by the <a href="http://www.fsf.org/">Free
Software Foundation</a>; either version 2 of the License, or (at your
option) any later version.
<p>This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
<H2 id="refs">References</H2>
<P>[Lam77] Leslie Lamport: <CITE>Password Authentication with Insecure
Communication</CITE>, Communications of the ACM, Vol 24, No 11,
November 1981, pp 770–772
<P>[Hal94] Neil Haller, <CITE><A
HREF="ftp://cag.lcs.mit.edu/pub/dm/papers/haller:skey.ps.gz">The S/KEY
One-Time Password System</A></CITE>, Proceedings of the ISOC Symposium
on Network and Distributed System Security, February 1994, San Diego,
CA.
<P>[HM96] Neil Haller, Craig Metz: <CITE><A HREF=
"http://www.ietf.org/rfc/rfc1938.txt"> A One-Time Password
System</A></CITE>, RFC 1938, May 1996.
<P>[Rub96] Aviel D. Rubin: <CITE><A
HREF="http://www.cs.nyu.edu/~rubin/one-time.ps.gz">Independent
One-Time Passwords</A></CITE>, USENIX Journal of Computer Systems,
February, 1996.
<P>[DBP96] H. Dobbertin, A. Bosselaers, B. Preneel: <CITE><A
HREF="ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/bosselae/ripemd/ripemd160.ps.gz">
RIPEMD-160, a strengthened version of RIPEMD</A></CITE>, Fast Software
Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag,
1996, pp. 71-82.
<P>[ISO03] ISO/IEC 10118-3, <CITE>Information technology — Security
techniques — Hash-functions — Part 3: Dedicated hash-functions</CITE>,
International Organization for Standardization, Geneva, 2003.
<P>[FB96] Ned Freed, Nathaniel S. Borenstein: <CITE><A HREF=
"http://www.ietf.org/rfc/rfc2045.txt">Multipurpose Internet Mail
Extensions (MIME) – Part One: Format of Internet Message
Bodies</A></CITE>, RFC 2045, November 1996.
<P>[Mor01] Andrew G. Morgan:
<A HREF="http://www.kernel.org/pub/linux/libs/pam/">Linux-PAM</A>.
<P>[XSSO] <A
HREF="http://www.opengroup.org/pubs/catalog/p702.htm">X/Open Single
Sign-On Service (XSSO) – Pluggable Authentication</A>. June 1997.
<P><A HREF= "https://www.cl.cam.ac.uk/~mgk25/">Markus Kuhn</A>
<p class=footdate>created 1997-11-25 –
last modified 2014-08-07 –
https://www.cl.cam.ac.uk/~mgk25/otpw.html
</BODY>
</HTML>