WG ACTION: One Time Password Authentication (otp)

Steve Coya <scoya@CNRI.Reston.VA.US> Sat, 10 June 1995 17:14 UTC

To: IETF-Announce:;
Subject: WG ACTION: One Time Password Authentication (otp)
Date: Sat, 10 Jun 1995 13:10:59 -0400
Sender: ietf-announce-request@IETF.CNRI.Reston.VA.US
From: Steve Coya <scoya@CNRI.Reston.VA.US>
Message-ID: <9506101311.aa03711@IETF.CNRI.Reston.VA.US>

A new working group has been formed in the Security Area of the IETF.
For more information, please contact the working group chairs or the
Area Director.



One Time Password Authentication (otp)
--------------------------------------

 Chair(s):
     Neil Haller <nmh@bellcore.com>
     Ran Atkinson <atkinson@itd.nrl.navy.mil>

 Security Area Director(s):
     Jeffrey Schiller  <jis@mit.edu>

 Mailing lists:
     General Discussion: ietf-otp@bellcore.com
     To Subscribe:       ietf-otp-request@bellcore.com
     Archive:            ftp://ftp.bellcore.com/pub/ietf-otp/archive

Description of Working Group:

One form of attack on computing systems connected to the Internet is
eavesdropping on network connections to obtain login IDs and passwords
of legitimate users [RFC1704]. Bellcore's S/KEY(TM) one-time password
system was designed to counter this type of attack, called a replay
attack [RFC1760]. Several one-time password implementations compatible
with Bellcore's S/KEY (TM) system exist. These implementations are
increasingly widely deployed in the Internet to protect against passive
attacks.

The object of this working group is to write a standards track RFC for
one-time password technology, using the technology in the Bellcore
S/KEY system and related interoperable packages (e.g. logdaemon, NRL
OPIE) as the basis for the group's effort. The standards-track RFC will
enhance multi-vendor interoperability in one-time password
authentication technologies and thereby help reduce security risks in
the Internet.

General authentication servers are outside the scope of this working
group. The ``S/Key-0'' system being considered for use in Kerberos is
outside the scope of this working group.

The standards-track specification will describe how this one-time
password technology can be used with at least the MD4, MD5, and SHA
algorithms. The standard one-time password dictionary from RFC-1760
will be reused in order to maintain backwards compatibility with the
various deployed systems; however, support for hexadecimal format
passwords will also be mandatory to implement. The standard might
specify passphrase quality checks for the secret passphrase. The
standard will be specified so as to eliminate any possible conflict
with the Bellcore trademark on the term ``S/Key.''

An informational RFC might also be issued that describes conventions
for the UNIX commands relating to one-time passwords, including
command(s) to securely update a remote one-time password.

 Goals and Milestones:

   May 95 Reach agreement on required and optional attributes.

   Jun 95 Produce Internet-Draft specifying the IETF one-time password
	  authentication technology.

   Jul 95 Final review (Working Group Last Call) of the Internet-Draft.

   Aug 95 Submit One-Time Password document to IESG for consideration as a
	  Proposed Standard.