S/Key One Time Password Standardization BOF (SKEY)

Reported by Neil Haller/Bellcore

The SKEY BOF was co-chaired by Neil Haller and Ran Atkinson.  The
minutes of the meeting were reported by Neil Haller from notes compiled
by Rich Graveman.

Mailing list information for the group:


    General Interest:    ietf-otp@bellcore.com
    [Un]subscribe:       ietf-otp-request@bellcore.com
    Archive:             ftp://ftp.bellcore.com/pub/ietf-otp/archive


Overview

The BOF was attended by about 70 people, most of whom were familiar with
the use of S/KEY authentication.  Brief presentations were made of four
existing implementations.

Neil Haller presented a brief overview of how S/KEY authentication
worked.  He described the Bellcore reference implementation that has
been available for 3-4 years and has been in use by a segment of
Bellcore.  This implementation is based on the MD4 hash function.  For
further details of the reference implementations, see RFC 1760.

Ran Atkinson described the NRL implementation called ``One Time
Passwords In Everything'' (OPIE). This implementation is more portable
than the Bellcore implementation and has been ported to IRIX, HPUX,
Solaris 2, Linus, BSDI, and BSD 4.4, and it should work on OSF/1.  OPIE
uses the MD5 hash algorithm and will have SHA available in the near
future.  A Version 2 that includes MD4 support and an improved Mac
client should be available soon.

Neil Haller described Bellcore's S/KEY Version 2 that is expected to
become a supported product.  Version 2 overcomes what Neil thinks is a
potential weakness in the S/KEY system; user's picking trivial secret
pass phrases.  Password screening is added to the clients, and a
randomly generated 64-bit ``secret seed'' known only to the client is
added.

The S/KEY variants from Hobbit and Wietse Venema (logdaemon) were
briefly discussed.


Availability By Anonymous FTP

     ftp.bellcore.com:/pub/nmh/...  (skey, docs, dos, mac)
     ftp.nrl.navy.mil:/pub/security/nrl-opie
     avian.org:/src/hacks/skey.tgz.PRERELEASE
     ftp.win.tue.nl:/pub/security
     ftp.ftp.com:/pub/meister/skey.new (available in about 1 month)
     ftp.bpsinc.com:/pub/u/corwin/skey (available in about 1 week)



General Discussion

Phil Servita, FTP Software, presented a passive attack against S/KEY
systems that relies on eavesdropping and then racing the user for the
last part of the one-time password.  This weakness will be fixed in the
FTP version of S/KEY in about a month.

There was general consensus that a standards track RFC should be written
based on the several S/KEY compatible implementations.  It was agreed
that a working group should be formed, but that there would be an
attempt to reach agreement on the RFC completely on the mailing list.

The transformations should include MD4, MD5, SHA, and a provision should
be included to add other transformations in the future.

There was rough consensus that the issue of an authentication server
should be outside the charter of working group so that faster progress
could be made.



What The Standard Should Include

Where was a broad discussion of what should be included in the standard,
and what should be left to the implementor of the server and the client
software.  The elements that the group could agree to include in the
standard are:


   o The overall algorithm.
   o The challenge, that should identify the hash algorithm.
   o The dictionary - as specified in RFC 1760.
   o That all servers should accept hex as well as 6-word format.
     (This would allow a generator not to include the dictionary.)
   o The screening of the secret pass phrase - this is needed for
     interoperability.


Denis Pinkas suggested that the standard include procedure(s) for
changing the secret pass phrase (see Glossary) when the sequence count
gets low.  He was invited to send a proposal to the mailing list.

The group discussed the ``S/KEY0'' system being considered in the CAT
Working Group for Kerberos.  It was agreed that this was not within the
scope of the proposed one time password working group.

There was a brief discussion of the challenge (or prompt).  This
discussion was postponed to the mailing list.  One proposal was:


            otp-alg sequence seed    e.g., otp-md5 496 seed2


There was agreement that to avoid possible infringement of the Bellcore
trademark, the strings ``skey'' and ``S/KEY'' should not be a part of
the challenge.  Along that line, the string ``skey'' was to be removed
from the mailing list address.  (This has been done.)


Glossary

The generation of a glossary was delegated to the mailing list.  The
agreements reached are:


   o generator:  the application program or device that produces a
     one-time password (called the response) when provided with
     appropriate inputs.  Rejected were ``calculator'' and ``client.''

   o secret passphrase:  the secret provided to the generator by the
     user.  Passphrase is preferred to password as it encourages a
     longer secret.


Charter

A draft charter was presented.  There were no substantial disagreements,
but it was felt that the tone should be ``less tentative'' and the
reference to S/KEY in the final paragraph should be replaced.  Ran
Atkinson agreed to modify the charter and send it to the Security Area
Director.

The body of the draft charter, as originally presented, was:

     Description of Working Group:

     One form of attack on computing systems connected to the Internet
     is eavesdropping on network connections to obtain login ID's and
     passwords of legitimate users (RFC 1704).  The S/KEY(tm) one-time
     password system was designed to counter this type of attack, called
     a replay attack.

     Since the release of a reference implementation by Bellcore, the
     S/KEY system has gained wide popularity.  There are several
     implementations on a variety of platforms.

     The object of this working group is to write a standards track RFC
     for the S/KEY system.  It is hoped that the RFC will encourage
     vendors to include S/KEY authentication in their products.  It is
     expected that independent clients and servers that adhere to this
     RFC will interoperate and provide the desired security from passive
     replay attacks.

     Goals and Milestones:

          May 95 -- Agreement on required and optional attributes.
         June 95 -- Internet-Draft published specifying the S/KEY
                    protocol.
         July 95 -- Working group ``last call.''
       August 95 -- Offer to IESG for Last Call.

     Request for Comments:

         RFC 1704, R. Atkinson, N. Haller
         RFC 1760, N Haller, February 1995