
A One-Time Password System (RFC2289)

IP.com Disclosure Number: IPCOM000002851D
Original Publication Date: 1998-Feb-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 19 page(s) / 52K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

N. Haller: AUTHOR [+4]

Abstract

This document describes a one-time password authentication system (OTP). The system provides authentication for system access (login) and other applications requiring authentication that is secure against passive attacks based on replaying captured reusable passwords. OTP evolved from the S/KEY (S/KEY is a trademark of Bellcore) One-Time Password System that was released by Bellcore and is described in references [3] and [5].

This text was extracted from an ASCII document.
This is the abbreviated version, containing approximately 5% of the total text.

Network Working Group                                          N. Haller
Request for Comments: 2289                                      Bellcore
Obsoletes: 1938                                                  C. Metz
Category: Standards Track                     Kaman Sciences Corporation
                                                               P. Nesser
                                              Nesser & Nesser Consulting
                                                                M. Straw
                                                                Bellcore
                                                           February 1998

A One-Time Password System

Status of this Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1998). All Rights Reserved.

1.0 ABSTRACT

This document describes a one-time password authentication system
(OTP). The system provides authentication for system access (login)
and other applications requiring authentication that is secure
against passive attacks based on replaying captured reusable
passwords. OTP evolved from the S/KEY (S/KEY is a trademark of
Bellcore) One-Time Password System that was released by Bellcore and
is described in references [3] and [5].

2.0 OVERVIEW

One form of attack on networked computing systems is eavesdropping on
network connections to obtain authentication information such as the
login IDs and passwords of legitimate users. Once this information is
captured, it can be used at a later time to gain access to the
system. One-time password systems are designed to counter this type
of attack, called a "replay attack" [4].

The authentication system described in this document uses a secret
pass-phrase to generate a sequence of one-time (single use)
passwords. With this system, the user's secret pass-phrase never
needs to cross the network at any time such as during authentication
or during pass-phrase changes. Thus, it is not vulnerable to replay
attacks. Added security is provided by the property that no secret
information need be stored on any system, including the server being
protected.
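The two properties just stated (the pass-phrase never leaves the user's side, and the server stores no secret) both follow from the hash-chain construction. The following is an added example, not text or code from RFC 2289 or this prior-art record: it builds the chain the way the full RFC's MD5 variant does (MD5 digest folded to 8 bytes by XORing its halves, seed treated as case-insensitive), which this abbreviated excerpt does not reproduce, and it omits the six-word output encoding. The function and record names (`fold_md5`, `otp`, `ServerRecord`, `enroll`, `challenge`, `verify`) and the sample pass-phrase and seed are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass


def fold_md5(data: bytes) -> bytes:
    """One chain step: MD5 the input, then fold the 16-byte digest to 8 bytes
    by XORing the first half with the second (the MD5 variant of RFC 2289)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """One-time password number n: hash (seed + pass-phrase) once, then n more
    times. This is the only place the pass-phrase is ever used, and it runs on
    the user's side, so the pass-phrase never crosses the network."""
    x = fold_md5((seed.lower() + passphrase).encode("utf-8"))
    for _ in range(n):
        x = fold_md5(x)
    return x


@dataclass
class ServerRecord:
    """Everything the server keeps per user. Nothing here is secret: an
    attacker who steals it still cannot compute the next password, because
    the chain only runs forward (hash), never backward."""
    seed: str
    sequence: int      # sequence number of the next OTP the server will accept
    last_otp: bytes    # last accepted OTP; equals fold_md5(next expected OTP)


def enroll(passphrase: str, seed: str, start: int = 99) -> ServerRecord:
    """Initialisation: the user computes OTP number `start` once and gives it
    to the server, which stores it and will challenge for `start - 1` next."""
    return ServerRecord(seed=seed, sequence=start - 1,
                        last_otp=otp(passphrase, seed, start))


def challenge(rec: ServerRecord) -> str:
    """The challenge sent to the user; only public values appear in it."""
    return f"otp-md5 {rec.sequence} {rec.seed}"


def verify(rec: ServerRecord, candidate: bytes) -> bool:
    """Server side: hash the candidate once and compare with the stored value.
    On success, store the candidate and step the sequence back by one, so a
    replay of the same OTP (which an eavesdropper may have captured) fails."""
    if rec.sequence < 0:
        return False  # chain exhausted; the user must re-initialise
    if not hmac.compare_digest(fold_md5(candidate), rec.last_otp):
        return False
    rec.last_otp = candidate
    rec.sequence -= 1
    return True


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    PASSPHRASE, SEED = "correct horse battery", "TeSt"
    rec = enroll(PASSPHRASE, SEED, start=99)
    print("server stores:", rec)            # no pass-phrase anywhere in it

    print("challenge:", challenge(rec))
    p98 = otp(PASSPHRASE, SEED, 98)         # computed by the user, offline
    print("login with OTP 98:", verify(rec, p98))        # True
    print("eavesdropper replays OTP 98:", verify(rec, p98))  # False
    print("next legitimate login:", verify(rec, otp(PASSPHRASE, SEED, 97)))
```

Note that `verify` compares in constant time and only ever moves `sequence` downward, so a captured password is useless after its single use; the record shown by the first `print` is exactly what an attacker would obtain by compromising the server, and it yields nothing about the pass-phrase or about any password still to come.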

The OTP system protects against external passive attacks against the
authentication subsystem. It does not prevent a network eavesdropper
from gaining access to private...