Hi there i'm looking at developing a One-time Password authentication system (j2me for phone, php for server side)
I'm trying to get my head around the process, here is what i understand
- user > inputs random secret (S) into hash n number of times
- user > submits S^n to server
- server > saves n and S^n
- user > generates (S^n)-1 and submits to server
- server > takes user input and applies hashing function 1 more time and checks it against previously stored hash
Now, from reading RFC2289 (S/Key) There is a seed that is issued to the client and concatenated with the user's secret when they input a unique identifier (at step 4) How is this seed created, is it random, is it stored.
I hope you can help, thanks in advance