Hi there, I'm looking at developing a One-time Password authentication system (J2ME for the phone, PHP for the server side).

I'm trying to get my head around the process; here is what I understand:

  1. user > inputs random secret (S) into hash n number of times
  2. user > submits S^n to server
  3. server > saves n and S^n
  4. user > generates (S^n)-1 and submits to server
  5. server > takes user input and applies hashing function 1 more time and checks it against previously stored hash

Now, from reading RFC 2289 (S/Key), there is a seed that is issued to the client and concatenated with the user's secret when they input a unique identifier (at step 4). How is this seed created? Is it random? Is it stored?

I hope you can help, thanks in advance

A: 

From what I understand of seeds they would typically be random. In the case of random number generators you need something to start the random process with - the more "random" this is in the first place the better (predictability is the enemy of successful cryptosystems).

In your case, you're creating a user-generated random seed S and concatenating that with the server-generated random seed G to get a new seed X = (S,G). I'd guess that seed itself needs to be as random as possible, so I'd recommend all components be generated as randomly as possible.

Ninefingers
The only problem is that if you took the following:

user input > hashing algorithm > output

and separately did

user input + seed > hashing algorithm > output

the outputs would differ. And being that the user's final hash must equal the next hash in line, this wouldn't work. Therefore this would suggest that a seed is only randomly generated once and then used each time the user wishes to authenticate.
Garbit
I think that would do... just provided it is as random as possible initially, it should be hard to break.
Ninefingers
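
The flow discussed in this thread, as an added sketch that is not part of the original posts: the seed is generated once at enrollment, stored by the server beside the counter and the last accepted value, and handed back with every challenge. SHA-256 and the names `otp`, `Server` and `demo` are assumptions made for the example; RFC 2289 itself specifies MD4, MD5 or SHA-1 with the result folded to 64 bits.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the RFC 2289 hash + 64-bit fold.
    return hashlib.sha256(data).digest()

def otp(secret: bytes, seed: bytes, count: int) -> bytes:
    """Hash seed||secret once, then apply H `count` more times."""
    value = H(seed + secret)
    for _ in range(count):
        value = H(value)
    return value

class Server:
    def __init__(self):
        self.users = {}  # name -> seed, remaining count, last accepted OTP

    def enroll(self, name, seed, n, initial_otp):
        # The seed is not secret: it is stored and sent in clear in challenges.
        self.users[name] = {"seed": seed, "seq": n, "last": initial_otp}

    def challenge(self, name):
        rec = self.users[name]
        return rec["seed"], rec["seq"] - 1  # same seed every time, count drops

    def verify(self, name, response: bytes) -> bool:
        rec = self.users[name]
        if rec["seq"] <= 0:  # chain used up: re-enroll with a fresh seed
            return False
        if not hmac.compare_digest(H(response), rec["last"]):
            return False
        rec["last"], rec["seq"] = response, rec["seq"] - 1
        return True

def demo():
    secret = b"constructed pass phrase"       # constructed sample, never sent
    seed = secrets.token_hex(8).encode()      # random, generated once
    server = Server()
    server.enroll("alice", seed, 5, otp(secret, seed, 5))
    s, count = server.challenge("alice")
    first = otp(secret, s, count)
    results = [server.verify("alice", first)]          # valid login
    results.append(server.verify("alice", first))      # replayed value
    s, count = server.challenge("alice")
    results.append(server.verify("alice", otp(secret, b"other-seed", count)))
    results.append(server.verify("alice", otp(secret, s, count)))
    return results

if __name__ == "__main__":
    print(demo())
```

Because the seed is mixed in only at the first hash, every later value is still the hash of the one before it, so the server's single extra hash keeps working for the whole chain.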