One-Time Passwords

December 2nd, 2009

I've installed pam-ppp, tested it, corrected it, liked it and recently rewrote it completely from scratch to implement more features and to correct some pitfalls. I called this program "OTPasswd" and I think it's cool. UPDATE: This article is pretty outdated. See the Savannah page or the OTPasswd page.

Features (this is outdated already: policies, static passwords, out-of-band messaging and more are implemented in 0.7!):

  • Secure locking of state files to resolve race conditions.
  • Many user-definable options: several alphabets to choose from (64 or 88 characters, admin-defined), (not) showing entered passcodes, selectable passcode length (from 2 to 16), passcard label, contact information for OOB (SMS)
  • Many admin-definable options: enforcing otpasswd usage, enforcing the passcode (not) show setting, enabling passcode retry on failure, enforcing salting, enforcing alphabet and code length, system-wide default values, ...
  • Passcard output in plain ASCII or in LaTeX
  • Implemented SMS/mail/pigeon notification of the current passcode
  • Written with security in mind.
  • Compatible with Perfect Paper Passwords version 3 if salting is disabled during key creation. With salt enabled, known-plaintext attacks on the AES cipher (which are already practically impossible) become even harder, because the plaintext is no longer known to the attacker, and the effective key length grows from 256 bits to 352 bits, which makes brute-force attacks even more infeasible.
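To illustrate the feature list above, here is an added Go example (not otpasswd's own code, and not claimed to reproduce PPPv3 output bit for bit) that derives passcodes from an AES-256 sequence key, an optional 96-bit salt, a chosen alphabet and a passcode length. The passphrase-to-key step, the placement of the salt inside the AES block and the alphabet table are assumptions of this example, labelled as such in the comments.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)
// 64-symbol alphabet constructed for this example (0/O, 1/I/l dropped), not otpasswd's table.
const Alphabet64 = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz!#%+:=?"

// Passcode derives passcode number n from what the post says a key consists of:
// a 256-bit sequence key (here SHA-256 of a passphrase), an optional 96-bit salt
// (256+96 = the 352 bits quoted), an alphabet and a length of 2..16 characters.
// Assumed layout (my reading of the 352-bit figure, not checked against the
// otpasswd source): salt in the upper 12 bytes of the AES block, counter in the
// lower 4. Without a salt the AES plaintext is known to whoever guesses the counter.
func Passcode(passphrase string, salt []byte, alphabet string, length int, n uint32) (string, error) {
	if length < 2 || length > 16 {
		return "", fmt.Errorf("passcode length %d not in 2..16", length)
	}
	if salt != nil && len(salt) != 12 {
		return "", fmt.Errorf("salt must be 96 bits, got %d bytes", len(salt))
	}
	key := sha256.Sum256([]byte(passphrase))
	var in, out [16]byte
	copy(in[:12], salt) // copies nothing when salt is nil
	binary.BigEndian.PutUint32(in[12:], n)
	c, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail
	c.Encrypt(out[:], in[:])
	// Read the ciphertext as a 128-bit integer; each div/mod by the alphabet
	// size yields one character (enough for 16 chars of base 88, tiny bias).
	x := new(big.Int).SetBytes(out[:])
	base, r := big.NewInt(int64(len(alphabet))), new(big.Int)
	buf := make([]byte, length)
	for i := range buf {
		x.DivMod(x, base, r)
		buf[i] = alphabet[r.Int64()]
	}
	return string(buf), nil
}

func main() { // print the first codes of a card for a constructed key and salt
	for n := uint32(0); n < 7; n++ {
		p, _ := Passcode("correct horse", []byte("constructed!"), Alphabet64, 4, n)
		fmt.Println(n, p)
	}
}
```

Run it twice with the same passphrase and salt and the card is reproducible; change only the salt and every code changes, which is the property the salting feature buys.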

Project is hosted on Savannah:
http://savannah.nongnu.org/projects/otpasswd/

You can browse the source there, download tarballs, read the docs and report bugs.

You can check out the latest version with this command:
git clone git://git.savannah.nongnu.org/otpasswd.git

Savannah has the 0.5rc version in tarballs, which changes A LOT compared to the previously released 0.4 version. (There is also 0.7 currently, which has many security-related advantages.)

This is kind of outdated:
Currently you can get the tarball otpasswd-0.3.tar.gz and/or otpasswd-0.3.ebuild
There's also a README and ChangeLog/TODO with a lot more information.

Comment by Luke Faraone

submitted on December 6th, 2009 at 18:48

Hi,

I'm curious, how does this differ from existing, widely-tested OTP implementations, such as BSD's OPIE?

Comment by bla

submitted on December 6th, 2009 at 19:58

You know ppp-pam, I believe. It keeps all its main ideas intact.

The OPIE page doesn't seem to work (inner.net)... but from what I've seen across the net (and from the manual), OPIE requires some 'calculator' to calculate the reply, while otpasswd/ppp-pam does not by default. By default both of them use passcards printed on paper; otpasswd can (in the newest version in the repos currently) send an out-of-band passcode via SMS, as an example. And of course usage of a calculator is also possible.

OPIE keys seem a bit clumsy; I don't like its use of MD5 (which is considered kind of broken already).

Of course otpasswd can't be called "tested" currently, but it's for sure written a little bit better than ppp-pam (as it tries to fix its mistakes); it uses test cases to ensure its compatibility with PPPv3, which is, kind of, reviewed.

There's also OTPW. I don't really like the way it generates/stores passcodes. It's not very universal, although it's secure for sure. Also its triple-passcode authentication is bizarre.

Comment by bla

submitted on December 6th, 2009 at 20:07

OPIE and S/KEY were developed in 'telnet' times, it seems. A user logged in over a sniffed network connection got an OTP request, generated the reply locally (on his trusted machine) with opie-client and sent it back.

Currently such a scenario (in the case of ssh, mail) is fixed with SSL with respect to MITM attacks.

OTPasswd is proposed for when you want to log in from an untrusted workstation (while trusting the ssh client not to give up your connection to some malicious input) without having your key data nearby. Just passcards or a secure channel (phone).

Comment by Luke Faraone

submitted on December 7th, 2009 at 17:41

Sorry, I should have included a link to some documentation. OPIE is part of FreeBSD, and its use is explained there: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/one-time-passwords.html

See esp. Section 14.5.4 "Generating Multiple One-time Passwords", which seems to be what you're talking about.

It's also in Debian: http://packages.debian.org/search?searchon=sourcenames&keywords=opie

Comment by Luke Faraone

submitted on December 7th, 2009 at 17:50

Hm. I've done additional research, and it looks like OPIE is considered by many to be in need of replacement anyway. With review, OTPasswd could be a viable replacement.

You might benefit from posting to the freebsd-security list. They were even discussing PPP a few months ago: http://lists.freebsd.org/pipermail/freebsd-security/2009-February/005132.html

Granted, you'd have to change the code license to have it included in the distro, but otherwise it could be in ports.
