RFC 1760 (rfc1760) - Page 2 of 12
The S/KEY One-Time Password System
RFC 1760 The S/KEY One-Time Password System February 1995
Introduction
There are two sides to the operation of the S/KEY one-time password
system. On the client side, the appropriate one-time password must
be generated. On the host side, the server must verify the one-time
password and permit the secure changing of the user's secret pass-
phrase.
An S/KEY system client passes the user's secret pass-phrase through
multiple applications of a secure hash function to produce a one-time
password. On each use, the number of applications is reduced by one.
Thus a unique sequence of passwords is generated. The S/KEY system
host verifies the one-time password by making one pass through the
secure hash function and comparing the result with the previous one-
time password. This technique was first suggested by Leslie Lamport
[1].
Secure Hash Function
A secure hash function is a function that is easy to compute in the
forward direction, but computationally infeasible to invert. The
S/KEY system is based on the MD4 Message Digest algorithm designed by
Ronald Rivest [2]. Since the S/KEY authentication system went into
use, the MD5 Message Digest was released. We have chosen to continue
to use MD4 due to the large number of client programs that have been
distributed. Some sites have generated functionally similar systems
based on MD5. Clearly clients and hosts must use the same secure
hash function to interoperate.
The S/KEY system one-time passwords are 64 bits in length. This is
believed to be long enough to be secure and short enough to be
manually entered (see below, Form of Passwords) when necessary.
The S/KEY system applies the secure hash function multiple times,
producing a 64 bit final output. MD4 accepts an arbitrary number of
bits as input and produces a 128 bit output. The S/KEY secure hash
function consists of applying MD4 to a 64 bit input and folding the
output of MD4 with exclusive or to produce a 64 bit output.
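As an added illustration that is not part of RFC 1760, the following Python
implements the secure hash described above (MD4 over a 64 bit input, XOR-folded
to 64 bits), the repeated application that yields the password sequence, and the
host's one-pass check against the previously accepted password. MD4 is written
out in pure Python because many OpenSSL builds no longer expose it through
hashlib; the 64 bit starting value is a constructed placeholder, since the
preparatory step that combines the user's inputs is not shown here.

```python
import hmac
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(msg: bytes) -> bytes:
    """MD4 per RFC 1320, returned as 16 bytes (little-endian state words)."""
    fns = [lambda x, y, z: (x & y) | (~x & z),            # round 1: F
           lambda x, y, z: (x & y) | (x & z) | (y & z),   # round 2: G
           lambda x, y, z: x ^ y ^ z]                     # round 3: H
    consts = [0, 0x5A827999, 0x6ED9EBA1]
    shifts = [[3, 7, 11, 19], [3, 5, 9, 13], [3, 9, 11, 15]]
    order = [list(range(16)), [(i % 4) * 4 + i // 4 for i in range(16)],
             [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]]
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for r in range(3):
            for i in range(16):
                a = _rotl((a + fns[r](b, c, d) + X[order[r][i]] + consts[r]) & 0xFFFFFFFF,
                          shifts[r][i % 4])
                a, b, c, d = d, a, b, c        # rotate registers for the next step
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def skey_hash(block8: bytes) -> bytes:
    """S/KEY secure hash: MD4 of a 64 bit input, halves XOR-folded to 64 bits."""
    assert len(block8) == 8
    digest = md4(block8)
    return bytes(x ^ y for x, y in zip(digest[:8], digest[8:]))

def one_time_password(start: bytes, count: int) -> bytes:
    """Client side: apply the secure hash `count` times to the 64 bit start value."""
    p = start
    for _ in range(count):
        p = skey_hash(p)
    return p

def host_verify(stored_previous: bytes, candidate: bytes) -> bool:
    """Host side: one more pass over the candidate must equal the last accepted password."""
    return hmac.compare_digest(skey_hash(candidate), stored_previous)

START = b"\x00" * 8   # constructed placeholder for the combined 64 bit input
```

On each login the client sends the password with one fewer hash application, the host
checks it with a single pass, and on success stores it as the new previous password.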
Generation of One-Time Passwords
This section describes the computation of the S/KEY one-time
passwords. It consists of a preparatory step in which all inputs are
combined, a generation step where the secure hash function is applied
multiple times, and an output function where the 64 bit one-time
Haller