From stevev@miser.uoregon.edu Sun Nov  5 15:55:26 MET 1995
Article: 26339 of comp.sys.hp48
Path: u-psud.fr!jussieu.fr!math.ohio-state.edu!uwm.edu!vixen.cso.uiuc.edu!news.uoregon.edu!news.uoregon.edu!stevev
From: stevev@miser.uoregon.edu (Steve VanDevender)
Newsgroups: comp.sys.hp48
Subject: S/KEY pass phrase generator for HP 48
Date: 3 Nov 95 22:37:42
Organization: University of Oregon Chemistry Stores
Lines: 553
Distribution: world
Message-ID: <STEVEV.95Nov3223742@miser.uoregon.edu>
NNTP-Posting-Host: miser.uoregon.edu

This is the first release of a system for generating S/KEY pass
phrases using the HP 48.  If you are not currently using a system
that authenticates logins using S/KEY pass phrases, you will
probably not be very interested in this software.

* An Overview of S/KEY

Normal password authentication has one major problem -- the
characters of the password are generally passed "in the clear"
over a network, where anyone can obtain them and use them with
surprisingly little effort.

S/KEY provides a more secure authentication method in two ways.
S/KEY pass phrases are generated algorithmically and are only
good for one session, so even though they are transmitted in the
clear, an eavesdropper cannot use an intercepted pass phrase, and
the pass phrase is generated using a secret that is never
transmitted over the network or stored on a host computer.

When logging in to a host that authenticates using S/KEY, you are
issued a challenge that consists of a sequence number and
challenge word, and may also identify whether the host uses an
MD4- or MD5-based version of S/KEY.  You enter the sequence
number, challenge word, and your secret into a program for
generating the S/KEY pass phrase, then type that phrase into the
remote computer to authenticate yourself.

The algorithm for generating S/KEY pass phrases depends on a
one-way function based on the MD4 or MD5 message digest
algorithms.  The one-way function is relatively easy to compute,
but has no known inverse and properties that make it very
difficult to invert.  The one-way function is first applied to
the publicly visible challenge word and privately held secret to
produce a 64-bit output, then that output is again fed to the
function, repeating by the number of times specified by the
sequence number.  The final 64-bit output is displayed as a
sequence of six 1-4 letter English words from a dictionary of
2048 words.

When you set up S/KEY, you pick the public challenge word and
your private secret, and then use some fairly large number of
iterations of the S/KEY function (say 500-1000) to calculate a
pass phrase; you then give the sequence number, challenge word,
and pass phrase to the host system.  After that, each time you
log in, the host asks you for the _previous_ password in the
sequence by subtracting one from the sequence number.  It applies
the one-way function to the pass phrase you respond with and
compares the result with the pass phrase you gave at your last
login to authenticate you.  Because the S/KEY one-way function is
not feasibly invertible, it is unlikely that an eavesdropper can
calculate the previous pass phrase in the sequence; only you are
capable of producing the sequence in backwards order because you
hold the secret information that is used to initialize the
sequence.  Eventually, when the sequence number reaches a low
value, you must re-seed the algorithm and start again with a high
sequence number.  However, this can be done by telling the host
to change the challenge word, rather than you changing your
secret, since both are used to seed the S/KEY calculation.
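As an added example (not part of the original post or of Steve VanDevender's HP 48 code), here is the generation and host-side verification described above in Python. It assumes the RFC 2289 conventions: the seed is lowercased before concatenation with the secret, the 128-bit digest is folded to 64 bits by XOR-ing its two halves, and the result is shown in hex because the 2048-word dictionary is not reproduced here; the `SkeyHost` class and the sample secret/seed are constructed for illustration.

```python
import hashlib


def skey_f(x: bytes, algo: str = "md5") -> bytes:
    """One S/KEY step: digest the input and fold the 128-bit result to
    64 bits by XOR-ing its two halves.  MD4 works only where OpenSSL
    exposes it (hashlib.new("md4")), so MD5 is the default here."""
    d = hashlib.new(algo, x).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_otp(secret: str, seed: str, count: int, algo: str = "md5") -> bytes:
    """Pass phrase for sequence number `count`: f(seed+secret), then f
    applied `count` more times.  Lowercasing the seed follows RFC 2289;
    it is an assumption that the 1995 HP 48 program does the same."""
    x = skey_f((seed.lower() + secret).encode(), algo)
    for _ in range(count):
        x = skey_f(x, algo)
    return x


def to_hex(otp: bytes) -> str:
    """Hex form of the 64-bit result (the six-word form needs the
    2048-word dictionary, which is not included here)."""
    return otp.hex().upper()


class SkeyHost:
    """Hypothetical host record: the sequence number and the pass phrase
    last accepted.  The user's secret is never stored on the host."""

    def __init__(self, seq: int, seed: str, last_otp: bytes, algo: str = "md5"):
        self.seq, self.seed, self.last_otp, self.algo = seq, seed, last_otp, algo

    def challenge(self) -> str:
        # The host asks for the previous pass phrase in the sequence.
        return f"otp-{self.algo} {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.seq == 0:
            return False  # sequence exhausted: the user must re-seed
        # One application of f to the response must equal the stored phrase;
        # a replayed phrase fails because f(otp(n)) != otp(n).
        if skey_f(response, self.algo) != self.last_otp:
            return False
        self.seq -= 1
        self.last_otp = response  # becomes the reference for the next login
        return True


if __name__ == "__main__":
    secret, seed = "This is a test.", "TeSt"  # constructed sample values
    host = SkeyHost(100, seed, skey_otp(secret, seed, 100))
    print(host.challenge(), to_hex(skey_otp(secret, seed, 99)))
    print("accepted:", host.verify(skey_otp(secret, seed, 99)))
```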

* This S/KEY software

This is an implementation of the S/KEY pass phrase generation
algorithm that runs on the HP 48.  It supports both the MD4-based
S/KEY function used with most older S/KEY implementations and the
MD5-based version used by newer S/KEY implementations.  It also
has a basic user interface for managing the information used to
generate S/KEY pass phrases for several different systems.

To get started, download the attached uuencoded binary of the
software.  It requires approximately 15.6K of memory, so it will
be a tight fit on an HP 48S or G.  This will create a directory
called SKEY.  Enter the SKEY directory and press CST to get the
menu of functions for the S/KEY software -- SYSP, GETP, UPDATE,
and DELETE.

UPDATE lets you enter or update information for a system.  When
you press UPDATE, you will be prompted for:

the system name
the S/KEY function type, MD4 or MD5 (as a menu selection)
the initial sequence number
the challenge word
the secret

You must always enter a system name and the S/KEY function type.
You may also enter default values for the sequence number,
challenge word, and secret.  You can leave off a default by
pressing ENTER without typing any characters.  You may omit the
secret, both the secret and the challenge word, or all three of
the secret, challenge word, and sequence number.  If you do not
enter defaults for some items then you will be prompted for those
items whenever you generate a pass phrase with SYSP.  After you
enter all these items, the information you provided will be
stored for later use.  If you use UPDATE and enter a
previously-stored system name, the information for that system
will be overwritten with the new values you entered.  UPDATE
stores the information in a variable called SYSLIST in the SKEY
directory.

To set up an initial pass phrase for S/KEY, first use UPDATE to
enter the default information, then use SYSP (described below) to
generate the initial pass phrase.

SYSP generates a pass phrase for a system.  If you have stored
information for more than one system using UPDATE, you will be
prompted for a system name, with the last system name you used
shown as a default.  If you have information stored for only one
system, it is used automatically without prompting for a name.
SYSP will also prompt for:

the sequence number (with the current sequence number shown as a
default, if one is stored for this system)
the challenge word (if no default is stored)
the secret (if no default is stored)

In other words, you will always be prompted for a sequence number
for confirmation, and for any other information not stored for
this system.

After entering all the required information, SYSP will generate
and display the pass phrase.  If a default sequence number is
stored for this system, the sequence number you entered minus one
is stored for next time, since that is most likely what you will
use.

GETP is used to generate an S/KEY pass phrase from information
you enter without using information from the system list.  It
always prompts for:

the S/KEY function type
the sequence number
the challenge word
the secret

It then generates and displays the pass phrase.

DELETE is used to delete system information from the system
database.  It prompts for the system name, and deletes that
record from the database.

* Preventing "over-the-shoulder" attacks

When you enter the S/KEY secret using UPDATE, SYSP, or GETP, you
may be concerned about the possibility of someone reading the
secret as you enter it.  If you want the secret to be unreadable
while you enter it, set flag 1 (1 SF) and the screen will be
blanked by setting the display contrast to 0 for the duration of
the input.  When you press ENTER or abort the input with
ATTN-ATTN, the display is cleared and the original display
contrast is restored.  If for some reason the contrast is not
restored, you can use ON-+ (hold down ON, press +) to raise it
back to normal.  A couple of user-RPL-callable functions in the
SKEY directory are used to do this.  GETCONTR returns the current
contrast as a real number in the range 0-19.  CONTRAST sets the
contrast to a value provided as a real number; if the number is
outside the range 0-19, it is ignored and the contrast is left
unchanged.

If you feel that you can keep your calculator physically secure
enough that no one could ever take it and obtain your S/KEY
secrets, you can store them at the time you use UPDATE.  You will
not be prompted for them when you use SYSP to generate pass
phrases, so they will not be visible to eavesdroppers.  You then
risk having the secrets discovered if you ever leave your
calculator unattended.

* Program information and quasi-legal stuff

This software was written and is copyrighted by Steve VanDevender
(stevev@miser.uoregon.edu, stevev@cosmix.com).  It is distributed
under the terms of the GNU General Public License.  You are
welcome to distribute the program with source or to derive works
from it as allowed by the GPL.

A small group of beta-testers was very helpful in verifying that
the program worked and in suggesting new features.  In no
particular order, they were:

Walter A. Koziarz	<koziarz@marlin.nosc.mil>
Othniel Rawlins		<Ostcroix@aol.com>
Eric Smith		<eric@apache.telebit.com>
Andre Schoorl		<aschoorl@sirius.uvic.ca>
Craig Metz		<cmetz@sundance.itd.nrl.navy.mil>
Jay 'Whip' Grizzard	<elfchief@lupine.org>
Matthew J. Ryan		<ryan4m@rpi.edu>
Jens Kerle		<jkerle@fh-heilbronn.de>

Craig Metz is a maintainer of the excellent OPIE (One-time
Passwords in Everything) S/KEY package, available from
ftp://ftp.nrl.navy.mil/pub/security/nrl-opie, which I used in
verifying the operation of my S/KEY package.  If you are thinking
of installing S/KEY authentication on your system, I heartily
recommend OPIE.  Craig also strongly encouraged me to include the
screen-blanking security feature for entering the S/KEY secret.

S/KEY is a trademark of AT&T Bell Laboratories.

* Finally, the software itself

[Extracted to the file "skey", in this ftp directory
 - ftp.box.eu.org maintainer -- dl ]

--
Steve VanDevender 	stevev@greylady.uoregon.edu
"Bipedalism--an unrecognized disease affecting over 99% of the population.
Symptoms include lack of traffic sense, slow rate of travel, and the
classic, easily recognized behavior known as walking."
