S/Key One Time Password Standardization BOF (SKEY) Reported by Neil Haller/Bellcore The SKEY BOF was co-chaired by Neil Haller and Ran Atkinson. The minutes of the meeting were reported by Neil Haller from notes compiled by Rich Graveman. Mailing list information for the group: General Interest: ietf-otp@bellcore.com [Un]subscribe: ietf-otp-request@bellcore.com Archive: ftp://ftp.bellcore.com/pub/ietf-otp/archive Overview The BOF was attended by about 70 people, most of whom were familiar with the use of S/KEY authentication. Brief presentations were made of four existing implementations. Neil Haller presented a brief overview of how S/KEY authentication worked. He described the Bellcore reference implementation that has been available for 3-4 years and has been in use by a segment of Bellcore. This implementation is based on the MD4 hash function. For further details of the reference implementations, see RFC 1760. Ran Atkinson described the NRL implementation called ``One Time Passwords In Everything'' (OPIE). This implementation is more portable than the Bellcore implementation and has been ported to IRIX, HPUX, Solaris 2, Linus, BSDI, and BSD 4.4, and it should work on OSF/1. OPIE uses the MD5 hash algorithm and will have SHA available in the near future. A Version 2 that includes MD4 support and an improved Mac client should be available soon. Neil Haller described Bellcore's S/KEY Version 2 that is expected to become a supported product. Version 2 overcomes what Neil thinks is a potential weakness in the S/KEY system; user's picking trivial secret pass phrases. Password screening is added to the clients, and a randomly generated 64-bit ``secret seed'' known only to the client is added. The S/KEY variants from Hobbit and Wietse Venema (logdaemon) were briefly discussed. Availability By Anonymous FTP ftp.bellcore.com:/pub/nmh/... (skey, docs, dos, mac) ftp.nrl.navy.mil:/pub/security/nrl-opie avian.org:/src/hacks/skey.tgz.PRERELEASE ftp.win.tue.nl:/pub/security ftp.ftp.com:/pub/meister/skey.new (available in about 1 month) ftp.bpsinc.com:/pub/u/corwin/skey (available in about 1 week) General Discussion Phil Servita, FTP Software, presented a passive attack against S/KEY systems that relies on eavesdropping and then racing the user for the last part of the one-time password. This weakness will be fixed in the FTP version of S/KEY in about a month. There was general consensus that a standards track RFC should be written based on the several S/KEY compatible implementations. It was agreed that a working group should be formed, but that there would be an attempt to reach agreement on the RFC completely on the mailing list. The transformations should include MD4, MD5, SHA, and a provision should be included to add other transformations in the future. There was rough consensus that the issue of an authentication server should be outside the charter of working group so that faster progress could be made. What The Standard Should Include Where was a broad discussion of what should be included in the standard, and what should be left to the implementor of the server and the client software. The elements that the group could agree to include in the standard are: o The overall algorithm. o The challenge, that should identify the hash algorithm. o The dictionary - as specified in RFC 1760. o That all servers should accept hex as well as 6-word format. (This would allow a generator not to include the dictionary.) o The screening of the secret pass phrase - this is needed for interoperability. Denis Pinkas suggested that the standard include procedure(s) for changing the secret pass phrase (see Glossary) when the sequence count gets low. He was invited to send a proposal to the mailing list. The group discussed the ``S/KEY0'' system being considered in the CAT Working Group for Kerberos. It was agreed that this was not within the scope of the proposed one time password working group. There was a brief discussion of the challenge (or prompt). This discussion was postponed to the mailing list. One proposal was: otp-alg sequence seed e.g., otp-md5 496 seed2 There was agreement that to avoid possible infringement of the Bellcore trademark, the strings ``skey'' and ``S/KEY'' should not be a part of the challenge. Along that line, the string ``skey'' was to be removed from the mailing list address. (This has been done.) Glossary The generation of a glossary was delegated to the mailing list. The agreements reached are: o generator: the application program or device that produces a one-time password (called the response) when provided with appropriate inputs. Rejected were ``calculator'' and ``client.'' o secret passphrase: the secret provided to the generator by the user. Passphrase is preferred to password as it encourages a longer secret. Charter A draft charter was presented. There were no substantial disagreements, but it was felt that the tone should be ``less tentative'' and the reference to S/KEY in the final paragraph should be replaced. Ran Atkinson agreed to modify the charter and send it to the Security Area Director. The body of the draft charter, as originally presented, was: Description of Working Group: One form of attack on computing systems connected to the Internet is eavesdropping on network connections to obtain login ID's and passwords of legitimate users (RFC 1704). The S/KEY(tm) one-time password system was designed to counter this type of attack, called a replay attack. Since the release of a reference implementation by Bellcore, the S/KEY system has gained wide popularity. There are several implementations on a variety of platforms. The object of this working group is to write a standards track RFC for the S/KEY system. It is hoped that the RFC will encourage vendors to include S/KEY authentication in their products. It is expected that independent clients and servers that adhere to this RFC will interoperate and provide the desired security from passive replay attacks. Goals and Milestones: May 95 -- Agreement on required and optional attributes. June 95 -- Internet-Draft published specifying the S/KEY protocol. July 95 -- Working group ``last call.'' August 95 -- Offer to IESG for Last Call. Request for Comments: RFC 1704, R. Atkinson, N. Haller RFC 1760, N Haller, February 1995