S/Key One-Time Password Authentication

An S/Key password is a password consisting of several words. The S/Key algorithm encrypts the password based on a "seed" string. The encryption process is repeated a certain number of times, specified by a sequence number. The result of this process is a string consisting of six words. It is this string that is exchanged, rather than the original password; this, together with the fact that the sequence number changes after each successful password exchange, makes S/Key safe from sniffing attacks (provided the six-word response is generated locally and not remotely over a telnet connection, in which case a sniffer could pick up the original password!).

When a user attempts to access a service which requires an S/Key password, the firewall sends the seed and sequence number as a challenge and expects the appropriate six-word response. The sequence number usually starts at 99 and decreases by one each time (reducing the number of iterations); after 99 uses a new password must be set up for the user (can you think why the number of iterations is reduced each time, and not increased?). Most UNIX systems have utilities to generate the six-word S/Key passwords from a specified seed, sequence number and password.
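The challenge/response exchange described above, written out as an added example (it is not code from the original page or from any S/Key implementation). It uses the MD5 one-way function with the 16-to-8-byte XOR folding of RFC 2289 rather than the MD4 of the original S/Key, prints the 64-bit result as hex instead of encoding it with the 2048-word dictionary, and borrows the RFC 2289 challenge format `otp-md5 <sequence> <seed>`. The pass-phrase, seed and class names are constructed for the example. The server side never stores the pass-phrase: it keeps only the last accepted response and checks a new one by applying the hash once more, which is why the sequence number has to count down.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One step of the one-way function: MD5, then XOR-fold 16 bytes to 8 (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_chain(secret: str, seed: str, n: int) -> bytes:
    """Client side: the one-time password for sequence number n.

    Initial step: hash(seed + secret), with the seed lower-cased as RFC 2289
    treats it as case-insensitive. Then apply the hash n more times.
    """
    value = fold_md5((seed.lower() + secret).encode())
    for _ in range(n):
        value = fold_md5(value)
    return value


def as_hex(otp: bytes) -> str:
    """Hex form of the 64-bit password (the six-word form is an alternative encoding)."""
    return otp.hex()


class OtpVerifier:
    """Server side: stores seed, current sequence number and the last accepted OTP.

    The pass-phrase itself is never stored; only the hash-chain value for the
    current sequence number is kept (constructed example, not a real server).
    """

    def __init__(self, seed: str, seq: int, last_otp: bytes):
        self.seed = seed
        self.seq = seq            # sequence number of last_otp
        self.last_otp = last_otp  # hash^seq of the initial step

    @classmethod
    def enroll(cls, secret: str, seed: str, seq: int = 99) -> "OtpVerifier":
        # Enrollment is the one moment the secret is needed on the server side;
        # in practice the user computes this value locally and hands over the result.
        return cls(seed, seq, otp_chain(secret, seed, seq))

    def remaining(self) -> int:
        """How many more responses can be accepted before re-enrollment."""
        return self.seq

    def challenge(self) -> str:
        """Ask the client for the OTP one step below the stored one."""
        if self.seq == 0:
            raise RuntimeError("sequence exhausted; user must set a new password")
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept iff hashing the response once more reproduces the stored value.

        A replayed or sniffed response fails because it hashes to the previous
        value, not the current one; the client cannot compute the next response
        from a captured one without inverting the hash.
        """
        if self.seq == 0 or fold_md5(response) != self.last_otp:
            return False
        self.last_otp = response
        self.seq -= 1
        return True


def walk_exchange(secret: str, seed: str, rounds: int) -> list:
    """Run several challenge/response rounds and return each (challenge, hex, ok)."""
    server = OtpVerifier.enroll(secret, seed, 99)
    log = []
    for _ in range(rounds):
        chal = server.challenge()
        n = int(chal.split()[1])
        resp = otp_chain(secret, seed, n)   # client computes from its own secret
        log.append((chal, as_hex(resp), server.verify(resp)))
    return log


if __name__ == "__main__":
    for entry in walk_exchange("This is a test.", "TeSt", 3):
        print(*entry)
```

The defining property of the chain is `fold_md5(otp_chain(s, seed, n)) == otp_chain(s, seed, n + 1)`, so the server can always move one step down the chain after each success but nobody holding a captured response can move one step up.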


William Knowles erehwon@dis.org
Last updated 3.2.99