Dismiss
InnovationQ will be updated on Sunday, Oct. 22, from 10am ET - noon. You may experience brief service interruptions during that time.
Browse Prior Art Database

The One-Time-Password SASL Mechanism (RFC2444)

IP.com Disclosure Number: IPCOM000003022D
Original Publication Date: 1998-Oct-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 6 page(s) / 12K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

C. Newman: AUTHOR

Abstract

OTP [OTP] provides a useful authentication mechanism for situations where there is limited client or server trust. Currently, OTP is added to protocols in an ad-hoc fashion with heuristic parsing. This specification defines an OTP SASL [SASL] mechanism so it can be easily and formally integrated into many application protocols.

This text was extracted from a ASCII document.
This is the abbreviated version, containing approximately 22% of the total text.

Network Working Group C. Newman

Request for Comments: 2444 Innosoft

Updates: 2222 October 1998

Category: Standards Track

The One-Time-Password SASL Mechanism

Status of this Memo

This document specifies an Internet standards track protocol for the

Internet community, and requests discussion and suggestions for

improvements. Please refer to the current edition of the "Internet

Official Protocol Standards" (STD 1) for the standardization state

and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1998). All Rights Reserved.

Abstract

OTP [OTP] provides a useful authentication mechanism for situations

where there is limited client or server trust. Currently, OTP is

added to protocols in an ad-hoc fashion with heuristic parsing. This

specification defines an OTP SASL [SASL] mechanism so it can be

easily and formally integrated into many application protocols.

1. How to Read This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",

"RECOMMENDED" and "MAY" in this document are to be interpreted as

defined in "Key words for use in RFCs to Indicate Requirement Levels"

[KEYWORDS].

This memo assumes the reader is familiar with OTP [OTP], OTP extended

responses [OTP-EXT] and SASL [SASL].

2. Intended Use

The OTP SASL mechanism replaces the SKEY SASL mechanism [SASL]. OTP

is a good choice for usage scenarios where the client is untrusted

(e.g., a kiosk client), as a one-time password will only give the

client a single opportunity to act on behalf of the user. OTP is

also a good choice for situations where interactive logins are

permitted to the server, as a compromised OTP authentication database

is only subject to dictionary attacks, unlike authentication

databases for other simple mechanisms such as CRAM-MD5 [CRAM-MD5].

It is important to note that each use of the OTP mechanism causes the

authentication database entry for a user to be updated.

This SASL mechanism provides a formal way to integrate OTP into

SASL-enabled protocols including IMAP [IMAP4], ACAP [ACAP], POP3

[POP-AUTH] and LDAPv3 [LDAPv3].

3. Profiling OTP for SASL

OTP [OTP] and OTP extended responses [OTP-EXT] offer a number of

options. However, for authentication to succeed, the client and

server need compatible option sets. This specification defines a

single SASL mechanism: OTP. The following rules apply to this

mechanism:

o The exten...