From daddy.what.is.hipcrime@usenet.com Sun May 21 09:42:03 2000
Newsgroups: alt.2600,alt.hackers.malicious
Subject: one time passwords or how I stopped caring and started loving cryptography
From: loop <daddy.what.is.hipcrime@usenet.com>
Date: Sun, 21 May 2000 19:42:03 +0300

--[ intro and background ]--

I already wrote a lil guide on one time passwords, but it sucked, so I 
decided
to write a new one.

This document touches OTP, or one time passwords on OpenBSD - with little
effort you should be able to apply this text to other unixes too, and
to linux, which seems to be the favorite of the masses nowadays.

The one time password - thingy dates back to the early days of unicses,
with Bellcore's S/Key. The same type of OTP comes with OpenBSD also.
There are also fancy things like SecurID, which is a credit card size
machine showing a new id number every sixty seconds - these we won't
touch here. The simple s/key support that comes with OpenBSD needs
no extra peripherals or other stuff, just the core OS.

The s/key idea is very simple cryptography. You supply a passphrase,
which is the heart of the algorithm, the key. You only need this when 
getting new keys or creating your s/key account, you should never use
(or be forced to use) this for authentication purposes anytime.

The computer then supplies you with an id, on OpenBSD this is 4 letters
of the hostname and a random 5-number sequence. The default number of
s/key passwords to use is 100 per passphrase per user. The number counts
downwards - so your first number is 100. This sequence number along with 
the
id (host12345) is used as a challenge, which all equal to your one time
password.

Thus you can, in advance, count the passwords the machine should ask you 
-
and you should, you should calculate them in advance, print them or 
something,
and always remember which one you used - thus you can see if someone's 
sneaked
a password from you.

The ending result you supply the target with (the otp) is always a big
hexadecimal number, which, for ease of use, is converted to six (mostly)
English words. An example would be JACK HURT WIN BEST DRUG MORE.

The reason why each password is unique, and why each password cannot be 
the
same as any other in that sequence, is that a part of the challenge is 
the
password's sequence number (counting downwards from 100, remember?).

So how do I do all this, you may ask - fear not, for even as my 
explanation
was really, really hazy, the application of this all is simple.

--[ preparations ]--

/etc/skeykeys is the default place for the current skey stats. If you 
want
to stop your users from using skey (BOFH does what he wants) you can 
delete
this. I suggest it is chmod 600, or -rw------- so that noone can read it.
This way, noone can find out anyone else's next challenge, because login,
ftpd, telnetd (which uses login) et al log any attempts, while just
catting a file wouldn't be logged. Anyways, if for some odd reason your
system doesn't have this file, touch it and chown 0.0.

--[ programs ]--

skeyinit
--------

Probably skeyinitialize, this is what you use when you.. yeah, initialize 
your
one time password thingy.

It asks for your password. If you're already using skeys and you want to 
change
your skey passphrase or you're soon running out on skeys, just give the 
simple
password of s/key and it will present you with a challenge. It then 
proceeds
to ask for your passphrase, note, this is _not_ a password!

I suggest you set this to a big sentence or something - normal 
smallercase
English text without metacharacters is pretty stupid however, as it 
provides
extremely little entropy.

After this, your skey should be initialized.

skeyinfo
--------

Shows your next challenge. This isn't _that_ useful on it's own, but it's
best used with skey - check the next section.

skey
----

This is the base program of skey, it creates the passwords. Parameters
are the # of the password in question, the id part of the challange, and
optionally -n # to show the next # of passwords, or -p passphrase, to
supply the passphrase. I suggest you combine it with skeyinfo and
shell substitutions as skey `skeyinfo` - note the backticks. This runs
skeyinfo, and replaces `skeyinfo` with the output of the program.

skeyaudit
---------

Best run from cron with -a, mails all the users in /etc/skeykeys with 
less
than 12 one time passwords left to warn them about the situation.

skeyprune
---------

Also nice to run from cron, prunes out oldified (fun word) or commented 
out
entries from /etc/skeykeys.

--[ misc ]--

If you ever find yourself telnetting to your shell, not having any skeys
printed out, most telnets come with builtin skey completion. The shell
usually gives your challenge to you cleartext. Most unix text-based 
telnet
clients let you Ctrl-] to jump into control mode, where the skey command
works just like on the commandline.

The OpenBSD ftpd does skey challenging with no questions asked - this
is a security risk where malicious users could enumerate user accounts.
When given a username, ftpd does not ask for further password or 
anything,
but acknowledges for anyone to see that the username in question _does_
exist, by simply printing out it's skey challenge.

login, telnetd (which uses login at many times), sshd (which can be
(mis)configured to use login) and some other applications require you
to use the password s/key, whereupon you will be presented with your
challenge. This way, no one can enumerate user accounts, since when
given the s/key password for a nonexistent user account, it just
gives you a bogus challenge.

The actual s/key thing can be used _with_ normal passwords, if you use
one of the programs mentioned in previous paragraph. Thus, when logging
in, you simply give your normal password instead of the s/key common
password.

I suggest your print out some skeys when going to a conference, expo or
somesuch - just don't print the login name / dns name of your shell too 
;)
This is best accomplished with something as simple as this:
skey -n 100 -p 'my passphrase is this' `skeyinfo` | lpr
This prints out the next hundred passwords for you. It might be a 
security
risk to use the -p function, as many shells (bash notably, very popular
shell) log all your commands to a file. With bash, this is
$HOME/.bash_history while other (common) shells don't log per default.
This isn't such a big security risk IMHO because .bash_history is 
normally
only readable or writable by the owner, and I like to erase it often
anyways.

--[ buhbyes ]--

In ending, you must note a few things. The idea to telnet to your shell,
authenticate via one time passwords, and then fetch a list of some more
is really, really stupid - the whole idea is lost if and when you type
your _passphrase_ over the insecure wire.

And no, you can't get around this by using skey -p or echo passphrase | 
skey
or whatever fun stuff I've heard - you must never type the actual 
passphrase
when connected through insecure wires.

One time passwords are a fun add to authentication, but they do not give
you more security over the connection itself. For this, there is ssh.

I suggest the default 100 passwords per passphrase, in case someone 
decides
to take somehow advantage of your otp - the system is cryptographically
simple, yet something makes me say this (FUD maybe?).

----snip----

sorry, written in my other (unix) computer, linefeeds messed up. For a 
proper version please consult 
http://www.organicmeat.net/loop/texts/otp.txt
I'm in the course of rewriting all my texts. I'm also in the course of
self denial - no, rewriting 50k texts on unix just for fun isn't geeky.

-- 
Just another perfect day for scrubbing the floor and other exciting 
things.