RFC 1760 (rfc1760) - Page 2 of 12


The S/KEY One-Time Password System


RFC 1760           The S/KEY One-Time Password System      February 1995


Introduction

   There are two sides to the operation of the S/KEY one-time password
   system.  On the client side, the appropriate one-time password must
   be generated.  On the host side, the server must verify the one-time
   password and permit the secure changing of the user's secret pass-
   phrase.

   An S/KEY system client passes the user's secret pass-phrase through
   multiple applications of a secure hash function to produce a one-time
   password.  On each use, the number of applications is reduced by one.
   Thus a unique sequence of passwords is generated.  The S/KEY system
   host verifies the one-time password by making one pass through the
   secure hash function and comparing the result with the previous one-
   time password.  This technique was first suggested by Leslie Lamport
   [1].

Secure Hash Function

   A secure hash function is a function that is easy to compute in the
   forward direction, but computationally infeasible to invert.  The
   S/KEY system is based on the MD4 Message Digest algorithm designed by
   Ronald Rivest [2].  Since the S/KEY authentication system went into
   use, the MD5 Message Digest was released.  We have chosen to continue
   to use MD4 due to the large number of client programs that have been
   distributed.  Some sites have generated functionally similar systems
   based on MD5.  Clearly clients and hosts must use the same secure
   hash function to interoperate.

   The S/KEY system one-time passwords are 64 bits in length.  This is
   believed to be long enough to be secure and short enough to be
   manually entered (see below, Form of Passwords) when necessary.

   The S/KEY system applies the secure hash function multiple times,
   producing a 64 bit final output.  MD4 accepts an arbitrary number of
   bits as input and produces a 128 bit output.  The S/KEY secure hash
   function consists of applying MD4 to a 64 bit input and folding the
   output of MD4 with exclusive or to produce a 64 bit output.
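   The following is an added illustration, not code from the RFC or its
   reference implementation, of two passages above: the client's hash chain
   and the host's single-pass check from the Introduction, and the MD4 plus
   XOR-fold secure hash from this section.  MD4 is implemented inline because
   many Python builds ship without it; the preparatory step is only named on
   this page, so its form here (seed followed by pass-phrase, reduced with the
   same fold) is an assumption, and host_verify is a hypothetical helper name.

```python
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); inlined because hashlib often lacks md4."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates d
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def _fold(digest: bytes) -> bytes:
    """XOR the two 64-bit halves of a 128-bit MD4 output into 64 bits."""
    return bytes(p ^ q for p, q in zip(digest[:8], digest[8:]))

def skey_hash(block: bytes) -> bytes:
    """The S/KEY secure hash: MD4 over a 64-bit input, folded to 64 bits."""
    return _fold(md4(block))

def skey_password(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: one-time password number n, i.e. n hash applications."""
    # Preparatory step: this page only names it; seed followed by pass-phrase,
    # reduced to 64 bits with the same fold, is an assumption of this example.
    state = _fold(md4(seed.encode() + passphrase.encode()))
    for _ in range(n):
        state = skey_hash(state)
    return state

def host_verify(stored: bytes, candidate: bytes):
    """Host side (hypothetical helper): one more pass through the hash must
    reproduce the stored password. Returns the candidate, which the host then
    stores as the new last password, or None (replays and skipped steps fail)."""
    return candidate if skey_hash(candidate) == stored else None
```

   The host keeps only the most recently accepted 64-bit value and its
   sequence number, never the pass-phrase, and each successful login moves
   the chain one step closer to the preparatory value.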

Generation of One-Time Passwords

   This section describes the computation of the S/KEY one-time
   passwords.  It consists of a preparatory step in which all inputs are
   combined, a generation step where the secure hash function is applied
   multiple times, and an output function where the 64 bit one-time






Haller