tags:

views:

61

answers:

1
+2  Q: 

OTP S/KEY - How are Seeds generated, are they random each time? thanks

Hi there i'm looking at developing a One-time Password authentication system (j2me for phone, php for server side)

I'm trying to get my head around the process, here is what i understand

  1. user > inputs random secret (S) into hash n number of times
  2. user > submits S^n to server
  3. server > saves n and S^n
  4. user > generates (S^n)-1 and submits to server
  5. server > takes user input and applies hashing function 1 more time and checks it against previously stored hash

Now, from reading RFC2289 (S/Key) There is a seed that is issued to the client and concatenated with the user's secret when they input a unique identifier (at step 4) How is this seed created, is it random, is it stored.

I hope you can help, thanks in advance

A: 

From what I understand of seeds they would typically be random. In the case of random number generators you need something to start the random process with - the more "random" this is in the first place the better (predictability is the enemy of successful cryptosystems).

In your case, you're creating a user generated random seed S and concaternating that with the server generated random seed G to get a new seed X = (S,G). I'd guess that seed itself needs to be as random as possible, so I'd recommend all components be generated as randomly as possible.

Ninefingers  2010-02-18 16:07:55
The only problem is that if you took the following;user input > hashing algorithm > outputand separately diduser input + seed > hashing algorithm > outputThe outputs would differ. And being that the users final hash must equal the next hash in line this wouldn't work. Therefore this would suggest that a seed is only randomly generated once and then used each time the user wishes to authenticate.
Garbit  2010-02-18 16:40:20
I think that would do... just provided it is as random as possible initially, it should be hard to break.
Ninefingers  2010-02-18 17:10:01

related questions

What's the difference between a midlet and a corelet?
What can be better way to send WBXML data to web server ?
How to debug multithreaded midlet app in EclipseMe
What is the best framework for Unit Testing in JavaME?
Determining the index of an Item on a Form (J2ME)
How to read console output in j2me cellphones? Where does System.out.println() go?
How can I add a REGEX match to my J2ME project?
Logging in J2ME
Java ME UI libraries
What unit-test frameworks would you recommend for J2ME?
Problems with sound on a 6265i Nokia using J2ME and Netbeans 6.1
J2ME coverage tools
Best Java Obfuscation Application For Size Reduction
What are the best remoting technologies for mobile applications ?
Which IDE is the best to get started for developin Java ME application on Mac OS X?
kSOAP Marshalling help needed
Windows Mobile 6 J2SE-scale JVM implementation
How do I fix a "broken" debugger in EclipseME (MTJ)?
j2me screen flicker when switching between canvases
moving to android from j2me
How to create J2ME midlets for Nokia using Eclipse
Yes/No dialog in Java ME
Painting javax.microedition.lcdui.Graphics on LWUIT Component
Best practice for storing large amounts of data with J2ME
Best binary XML format for JavaME