A One-Time Password System
RFC 1938 A One-Time Password System May 1996
protection against either "social engineering" or active attacks [9].

3.0 INTRODUCTION

There are two entities in the operation of the OTP one-time password
system. The generator must produce the appropriate one-time password
from the user's secret pass-phrase and from information provided in
the challenge from the server. The server must send a challenge that
includes the appropriate generation parameters to the generator, must
verify the one-time password received, must store the last valid
one-time password it received, and must store the corresponding one-
time password sequence number. The server must also facilitate the
changing of the user's secret pass-phrase in a secure manner.

The OTP system generator passes the user's secret pass-phrase, along
with a seed received from the server as part of the challenge,
through multiple iterations of a secure hash function to produce a
one-time password. After each successful authentication, the number
of secure hash function iterations is reduced by one. Thus, a unique
sequence of passwords is generated. The server verifies the one-time
password received from the generator by computing the secure hash
function once and comparing the result with the previously accepted
one-time password. This technique was first suggested by Leslie
Lamport [1].
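
The generator and server roles described above, as an added example that is not part of the RFC text. Assumptions: SHA-256 stands in for the secure hash function, the seed is prepended to the pass-phrase, and the names H, generate_otp and Server are hypothetical; the hash and encoding details the RFC specifies elsewhere are not reproduced here.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the "secure hash function".
    return hashlib.sha256(data).digest()


def generate_otp(passphrase: str, seed: str, count: int) -> bytes:
    """Generator: hash seed and pass-phrase, then iterate H `count` times."""
    value = H((seed + passphrase).encode())  # concatenation order is assumed
    for _ in range(count):
        value = H(value)
    return value


class Server:
    """Keeps only the last accepted OTP, its sequence number and the seed."""

    def __init__(self, last_otp: bytes, sequence: int, seed: str):
        self.last_otp, self.sequence, self.seed = last_otp, sequence, seed

    def challenge(self):
        # Generation parameters for the next login: one iteration fewer.
        return self.sequence - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.sequence <= 0:
            return False  # chain used up; re-initialisation is needed
        # One hash of the candidate must equal the previously accepted OTP.
        if not hmac.compare_digest(H(otp), self.last_otp):
            return False
        self.last_otp = otp
        self.sequence -= 1
        return True


if __name__ == "__main__":
    secret, seed = "constructed pass-phrase", "ex4mple"  # constructed values
    server = Server(generate_otp(secret, seed, 3), 3, seed)
    count, seed_sent = server.challenge()
    otp = generate_otp(secret, seed_sent, count)
    print("first use accepted:", server.verify(otp))
    print("replay accepted:", server.verify(otp))
```

Because the server stores only the previously accepted one-time password, a captured value cannot be replayed: hashing it once no longer matches what is stored.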

4.0 REQUIREMENTS TERMINOLOGY

In this document, the words that are used to define the significance
of each particular requirement are usually capitalized. These words
are:

- MUST

   This word or the adjective "REQUIRED" means that the item is an
   absolute requirement of the specification.

- SHOULD

   This word or the adjective "RECOMMENDED" means that there might
   exist valid reasons in particular circumstances to ignore this
   item, but the full implications should be understood and the
   case carefully weighed before taking a different course.

- MAY

   This word or the adjective "OPTIONAL" means that this item is
   truly optional. One vendor might choose to include the item
   because a particular marketplace requires it or because it
Haller & Metz Standards Track