Editor's note: These minutes have not been edited.

Date: Wed, 20 Dec 1995 09:56:18 -0500
From: Neil M Haller
Subject: One-Time Password (OTP) WG Minutes

IETF 34 - WG on One-Time Password Authentication

Co-chairs: Neil Haller (Bellcore)
           Ran Atkinson (NRL)

Mailing List Info:
  General Interest: ietf-otp@bellcore.com
  [Un]subscribe:    ietf-otp-request@bellcore.com
  Archive:          ftp.bellcore.com:/pub/ietf-otp/archive

Reported by: Neil Haller (notes recorded by Antonio Fernandez)

It was announced that the fifth and latest Internet Draft had been submitted from the working group to the Area Director for Security, Jeff Schiller, with the recommendation that it go to "Proposed Standard". It was noted that the WG had met this goal before ever meeting as a working group.

Jeff Schiller summarized the standards process. The IETF has three levels of standards documents: Proposed Standard, Draft Standard, and Full Standard.

Proposed Standard requires that the WG come to consensus. If the Area Director approves, the draft is sent out for IETF Last Call for a period of at least two weeks. The IESG then votes; each member may vote yes, abstain, no objection, or discuss. To pass, there must be at least one yes, 2/3 yes or no objection, and no discuss votes. Jeff does not anticipate any objection to the OTP document going through this process.

Draft Standard requires the passage of time, and at least two independent implementations must interoperate. It is a commitment not to change unless something drastic happens that compromises the basic assumptions of the draft.

Full Standard, of which there are very few, requires six months (not 100% sure that six is correct) after the promotion to Draft Standard.

Short presentations were invited on implementations.

Phil Servita reported on his implementation. He recently discovered that the SHA algorithm did not work, but that it would be fixed shortly. His implementation currently supports the Alternative Dictionary as described in the working group I-D.
It also defends against the "wrong line" attack, which can occur if the user of a paper list of one-time passwords enters the wrong OTP. Phil's version also supports automatic reinitialization. In addition to his OTP programs, Phil also has available an OTP toolkit (see below). Phil said he thought his Windows client code (OTP passphrase generator) should run just fine under NT, as it is just a Windows application. Phil offers his code free for non-commercial use; commercial organizations interested in using it should contact him. [Phil has since reported that both the DOS/Windows and UNIX code now do SHA1 correctly.]

Ran Atkinson described the NRL implementation called OPIE. It defends against the race attack (see I-D), but is not very different from Bellcore's reference implementation of S/KEY. He expects it to be upgraded to conform to the draft specification in January. It is available free as long as NRL gets some credit. Available from ftp://ftp.nr.navy.mil/nrl-opie. There is also a Macintosh key generator compiled for the PowerMac.

Neil Haller discussed the status of Bellcore's work. The public version (reference implementation) will not be upgraded; it does not conform to the OTP draft. Bellcore is doing a commercial implementation that will conform to the OTP draft.

There was a discussion of proposals for additions to the OTP protocol. Most changes could be added after OTP is promoted to Proposed Standard, as it is likely that they would be classed as editorial changes.

It was agreed that the defense against the "wrong line" attack should be described in the standard. It should be classified as optional (MAY implement) for servers.

It was proposed on the mailing list that the standard dictionary be modified to remove homonyms. There was strong agreement that the dictionary was used in too many implementations and should not be changed.

It was agreed that automatic re-initialization of the one-time password sequence was desirable.
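To make the "wrong line" defense discussed above concrete, here is an added illustration (not code from the minutes, the I-D, or any of the implementations named) of how an OTP server in the style of RFC 1760 can verify a response with a configurable acceptance window: the server stores the chain element at sequence N, and a response is accepted if folding it one to W times reproduces that stored value, so a user who reads a line slightly too far down the paper list still logs in, while a replayed earlier line can never hash forward to the current state. The 64-bit fold, seed and passphrase values are constructed for the example; the MD5 variant is used because it is in Python's standard library.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """RFC 1760-style one-way step: MD5, then XOR the two 8-byte halves to 64 bits."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_chain(seed: str, passphrase: str, n: int) -> bytes:
    """Chain element n: fold(seed + passphrase), then fold n more times.
    The paper list the user carries is otp_chain(...) for n = N-1 down to 0."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        value = fold_md5(value)
    return value


class OtpServer:
    """Holds only the last accepted chain element and its sequence number.
    `window` is the acceptance window: how many list lines the user may skip."""

    def __init__(self, stored: bytes, seq: int, window: int = 1):
        self.stored = stored
        self.seq = seq
        self.window = window

    def verify(self, response: bytes) -> bool:
        if self.seq <= 0:
            return False  # chain exhausted; the user must reinitialize
        candidate = response
        for skipped in range(1, self.window + 1):
            candidate = fold_md5(candidate)
            if candidate == self.stored:
                # Accept and move the chain forward; skipped lines become unusable,
                # and any earlier (replayed) line can no longer hash to this state.
                self.stored = response
                self.seq -= skipped
                return True
        return False


if __name__ == "__main__":
    seed, passphrase = "ke1234", "constructed example passphrase"  # constructed values
    server = OtpServer(otp_chain(seed, passphrase, 99), 99, window=3)
    print(server.verify(otp_chain(seed, passphrase, 98)))  # correct next line
    print(server.verify(otp_chain(seed, passphrase, 96)))  # skipped one line, inside window
    print(server.verify(otp_chain(seed, passphrase, 96)))  # replay is rejected
```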
The details of the various proposals will be discussed on the mailing list. It was agreed that all proposals should be submitted to the list by January 1, 1996.

OTP authentication toolkit for UNIX - by Phil Servita

- Supports OTP as defined in the WG draft.
- Supports MD4, MD5, and SHA1 simultaneously.
- Queued access protects against the race attack.
- Supports the Alternative Dictionary.
- Supports reinitialization without having to access a command-line shell.
- Configurable acceptance window to protect against the wrong-line attack.
- A utility for converting from an S/KEY style "skeykeys" file.
- A utility to generate alternative dictionaries.
- Compiles under SunOS, Solaris, OSF/1, Linux, and soon under HPUX, AIX, IRIX.

Available from:
  ftp.ftp.com:/pub/meister/otp/unix/otp.tar (source code)
  ftp.ftp.com:/pub/meister/otp/unix/otp.sig (PGP signature)

Phil's DOS and Windows code is available from:
  ftp.ftp.com:/pub/meister/otp/dosotp/*
  ftp.ftp.com:/pub/meister/otp/winotp/*

Each directory contains binaries, a tar file containing source code, and PGP signatures.

Documents

  RFC 1760, N. Haller, February 1995
  I-D draft-haller-otp-05.txt, November 21, 1995