OTP
... 1] method suitable for use with One-Time Password (OTP) tokens, and
offers particular advantages for tokens ...
... EAP method intended to meet the needs of organizations
wishing to use OTP tokens in an interoperable manner to authenticate
...
... EAP. The method is designed to be independent of
particular OTP algorithms and to meet the requirements on modern EAP ...
... constructions. It is therefore intended that the document will also
serve as a framework for use with other OTP algorithms.
...
... EAP-POTP method has
been designed to support a wide range of OTP algorithms, with
profiling expected for specific such algorithms ...
... 1], which builds on [14], is an
example of a particular OTP algorithm and is not related to the EAP
...
... method defined in [1] is intended to work
with a variety of OTP algorithms. The same is true for EAP-POTP, the
...
... EAP method defined herein. Advantages of profiling a particular OTP
algorithm for use with EAP-POTP ...
... client, or "peer", using EAP terminology, acting on behalf of a
user possessing an OTP token;
...
... "seed", which is known both by the user and the backend
authentication server. The secret seed is stored on an OTP token
that the user possesses, as well as on the authentication server ...
... by the server. The EAP server typically
also includes an OTP TLV in the EAP-Request. The OTP TLV
instructs the peer to respond with the current OTP (possibly in
protected form), and may contain a challenge and some other
information, like server policies. The EAP server ...
... EAP server, and the received EAP-Request message
contains an OTP TLV, the peer requests (possibly through user
interaction) the OTP token to calculate a one-time password
...
... token time), a shared secret (the "seed"),
and a user-provided PIN (note that, depending on the OTP token
type, some of the information in the EAP-Request may not be
used in the OTP calculation, and the PIN may be optional too).
If the received OTP TLV has the P bit set (see below), the
peer then combines the token-provided OTP with other
information, and provides the combined data to a key
derivation function. The key derivation ...
... with some other information. The resulting MAC, together with
some additional information, is then placed in an OTP TLV
(with the P bit ...
... TLV. If the P bit is not
set in the received OTP TLV, the peer instead inserts the
calculated OTP value directly in an OTP TLV, which then is
sent to the EAP server ...
... that session resumption was not possible, and ask for a new
OTP (this would be the case when the peer responded with a
Resume TLV, and the session ...
... EAP-Request of type POTP-X to the peer (e.g., to
ask for the next OTP),
* accept the authentication ...
... TLV could be that the user needs to
update her OTP PIN; hence, the EAP server needs to send a New PIN
TLV. At that point, the handshake ...
... a number of times before completion of the exchange. One example of
this is when the authentication server initially requests an OTP,
accepts the response from the peer, performs an (intermediary)
Confirm TLV exchange, requests the peer to select a new PIN, and
finally asks the peer to authenticate with an OTP based on the new
PIN (which again will be followed with a final Confirm TLV exchange).
...
... session, it will respond with another EAP-Request
containing an OTP TLV and a Server-Info TLV with the N bit ...
... attacker could be successful in brute-force
searching for the OTP in 24 hours, then EAP-POTP session lifetimes
...
... Notification (2)
when it has received an EAP-Response containing an OTP TLV and is
unable to authenticate ...
... authentication and send a new EAP-Request containing an
OTP TLV, or it MAY fail the session and send an EAP ...
...
Since OTPs may be relatively short, it is important to slow down an
attacker sufficiently so that it is economically unattractive to
...
...
a. The EAP server indicates in its OTP TLV whether it supports
pepper searching. Additionally, it may indicate to the peer that
...
... did not indicate that a new pepper shall be generated, then it
uses the existing pepper value, as specified in Section 4.11.3
below, to calculate an OTP TLV response. In this case, the
iteration count shall be kept to a minimum, as the security ...
... length (the maximum length supported by the server is provided in
the server's OTP TLV), and includes the new pepper in the PBKDF2
...
... EAP-Request of type POTP-X
that also carries an OTP TLV, as long as the peer has not been
authenticated ...
... EAP server. The identifier MAY also be used by the peer to select
a suitable key on the OTP token (when there are multiple keys
available).
...
... EAP-Request, the OTP TLV is used to request an OTP (or a value
derived from an OTP) from the peer. In an EAP-Response, the OTP TLV ...
... conforming to this specification and MUST NOT be responded to with a
NAK TLV. The OTP TLV MUST NOT be present in an EAP-Request of type
POTP-X that contains a New PIN TLV. Further, the OTP TLV MUST NOT be
present in an EAP-Response ...
... In an EAP-Response, the A bit, when set, indicates that the OTP
was calculated with the use of the newly selected user PIN. The A
bit MUST be set in a response if and only if the EAP-Request which
triggered the response contained an OTP TLV with the A bit set.
...
... In an EAP-Request, the P bit indicates that the OTP in the
response MUST be protected. Use of this bit also indicates that
...
... In an EAP-Response, this bit indicates that the provided OTP has
been protected (see below). The P bit MUST be set in a response
(and hence the OTP MUST be protected) if and only if the EAP-
Request that triggered the response contained an OTP TLV with the
P bit ...
...
The C bit carries meaning only when the OTP algorithm in question
makes use of server challenges. For other OTP algorithms, the C
bit ...
... In an EAP-Request, the C bit ("Combine") indicates that the OTP
SHALL be calculated using both the provided challenge and internal
state (e.g., current token time). The OTP SHALL be calculated
based only on the provided challenge (and the shared secret) if
the C bit is not set, and a challenge is present. The returned
OTP SHALL always be calculated based on the peer's current state
(and the shared secret ...
... In an EAP response, this bit indicates that the provided OTP has
been calculated using a provided challenge and the token state ...
... bit MUST be set in a response if and only if the EAP-Request
that triggered the response contained an OTP TLV with the C bit
...
... In an EAP-Request, the N bit, when set, indicates that the OTP to
calculate SHALL be based on the next token "state ...
... In an EAP-Response, the N bit, when set, indicates that the OTP
was calculated based on the next token "state ...
... response if and only if the EAP-Request that triggered the
response contained an OTP TLV with the N bit set.
...
... In an EAP-Request, the T bit, when set, indicates that the OTP to
calculate MUST NOT include a user PIN.
...
... In an EAP-Response, the T bit, when set, indicates that the OTP
was calculated without the use of a user PIN. The T bit MUST be
set in a response if and only if the EAP-Request that triggered
the response contained an OTP TLV with the T bit set. Note that
...
...
... PBKDF2 computation. Rather, it MUST generate a new pepper
(if supported by the peer) and/or use the iteration count
parameter to protect the OTP (if the server's Max Pepper Length is
0, then the peer MUST rely on the iteration count only to protect
the OTP). This bit will usually not be set in initial EAP-Request
messages, but may be set in subsequent ones, e.g., if the server,
upon receipt of an OTP TLV with a pepper identifier, detects that
...
... EAP-Request, the S bit ("Same"), when set, indicates that
the peer SHOULD calculate its response based on the same OTP value
as was used for the preceding response. This bit MAY be set when
the EAP server has received an OTP TLV from the peer protected
with a pepper, of which the server is no longer in possession.
...
... validation of the provided
data, there is no need for the EAP peer to retrieve a new OTP
value. This bit carries no meaning, and MUST be set to zero ...
... NOT be longer than 64 octets. When the challenge is not present,
the OTP will be calculated on the current token state only. The
peer MAY ignore a provided challenge if and only if the OTP token
the peer is interacting with is not capable of including a
challenge in the OTP calculation. In this case, EAP server
policies will determine whether or not to accept a provided OTP
value.
...
... * When the P bit is not set, the peer SHALL directly place the
OTP value calculated by the token in the Authentication Data
field. In this case, the EAP server ...
... P bit is set, the peer SHALL populate this field as
follows. After the token has calculated the OTP value, the
peer SHALL compute:
...
... attacker, having observed the response and
initiating a search for a matching OTP, will be sufficiently
slowed down. The "iteration_count" value MUST be chosen to
provide a suitable level of protection ...
... attacker's search
for a matching OTP, while not slowing down the peer (which
iterated hashes do). If the pepper has been generated by
...
... OTP within the
lifetime of that OTP.
As mentioned previously, a peer MUST NOT include a newly
...
... EMSK (recommended, since they will be used later). This is
because the peer cannot be guaranteed to be able to generate
the same OTP value again. For the same reason (the Confirm-
TLV from the EAP server ...
... hash computation).
Given a set of possible OTP values, the authentication
server verifies an authentication request from the peer by
...
... salt | pepper' | auth_id, iteration_count, key_length)
for each possible OTP value otp' and each possible pepper
value pepper' , and the provided values for salt,
authenticator ...
... search mentioned elsewhere in this document. Note
also that the EAP server may accept more than one OTP value
at a given time, e.g., due to clock drift in the token ...
... TLV may be used by an EAP server when policy dictates that
the peer (user) needs to change a PIN associated with the OTP Token.
...
... bit is set, there MUST be an
accompanying PIN and the provided PIN MUST be used in subsequent
OTP generations. A peer SHALL respond with an empty POTP-X EAP-
...
... POTP-X and MUST NOT be sent unless the
peer has been authenticated through an OTP TLV with the P bit set or
...
... was not set. A peer MUST NOT accept an EAP-Success message when it
has sent an OTP TLV with the P bit set unless it has received an
...
... identifier, typically the
username, for the holder of the OTP token used to generate the OTP.
At least one of the User Identifier ...
... identifier for the OTP token key used to generate the OTP. The
field MUST be less than 128 octets in length.
...
... Time Stamp TLV MAY be sent by peers to simplify authentications.
When present, it carries the time as reported by the OTP Token.
...
... token, at which the OTP used for
the accompanying OTP TLV was calculated. The field SHALL contain
a UTF-8 ...
... counter value, as reported by the OTP token, at which the OTP
used for the accompanying OTP TLV was calculated. The counter
value SHALL be represented as an unsigned integer ...
... TLV carries the challenge used by the token to
calculate the OTP, as reported by the token to the peer. The
Challenge TLV ...
... Challenge
The challenge value that was used to calculate the OTP used for
the accompanying OTP TLV ...
... TLV MAY be sent by a peer to avoid timeouts when the
peer has received an EAP-Request containing an OTP TLV or a New PIN
TLV and is waiting for a response from the user.
...
... EAP-Request of type POTP-X
that also carries an OTP TLV indicating protected mode, assuming the
EAP server ...
... EAP-Request of type
POTP-X that carries an OTP TLV that is sent as a result of a failed
session ...
... Replay protection: Yes (see below)
Confidentiality: Only in the OTP protection variant, and
then only OTP values and any information
sent after exchange of the Confirm TLV
...
... Key derivation: Yes (No in basic variant)
Key strength: Depends on size of OTP value, strength of
underlying shared secret, strength and
characteristics of OTP algorithm, pepper
length, iteration count, and whether the
...
...
The basic variant (i.e., when the protection of OTPs and mutual
authentication is not used) of this EAP method ...
... authenticator in order to
acquire a valid OTP, are possible.
Similarly, the basic variant of this EAP ...
... method
provides privacy for OTPs and new PINs, negotiation of cryptographic
algorithms, mutual authentication ...
... man-in-the-middle to solve for a valid OTP given an OTP TLV, but due
to the computational expense of finding the OTP in the limited time
period during which it is valid (this is mainly true for tokens,
including the current time in their OTP calculations, or when a sent
challenge has a certain lifetime). It should be noted, however, that
a retrieved OTP, even if "old" and invalid, still may divulge some
information about the user's PIN. Clearly, this is also true for the
basic variant. Implementations of this EAP method, where user PINs
are sent with OTPs, are therefore RECOMMENDED to ensure regular user
PIN changes, regardless of whether the protected variant or the basic
variant is employed.
...
... and hence the difference will be detected.
The OTP protection variant also protects against session hijacking,
...
... derived key material is used (directly or indirectly) to
protect a subsequent session. For these reasons, use of the OTP
protection variant is RECOMMENDED.
However, it should be noted that not even the OTP protection variant
provides privacy for user names ...
... attacker guessing the correct combination of session identifier and
OTP value. Assuming OTPs with entropy about 32 bits ...
...
An active attacker may replace the iteration count value in OTP TLVs
sent by the peer to slow down an authentication server ...
... Authentication servers SHOULD protect against this, e.g., by
disregarding OTP TLVs with an iteration count value higher than some
number that is preset or dynamically set (depending on load).
...
... attacker's search for a matching OTP. The ability to transfer a
pepper value in encrypted form from the EAP server ...
... An attacker, observing an EAP-Request containing an OTP TLV
calculated using a pepper chosen by the peer, may, however, depending
...
...
relatively short pepper value or only an iteration count. Once the
correct OTP has been found, eavesdropping on the EAP server's Confirm
TLV ...
... method) for an attacker to listen to most of an
OTP, guess the remainder, and then race the legitimate user to
complete the authentication. Conforming backend authentication
server ...
... B.9. Use of Next OTP Mode ...
...
In this example, the peer is requested to provide a second OTP to the
EAP server.
...
... In this example we assume the following:
OTPs are six decimal digits long;
4-digit PINs are added to generated OTPs; and
OTP hardening (iteration count and pepper searching combined)
effectively adds 10 bits of entropy ...
... In this example we assume the following:
OTPs are eight decimal digits long;
4-character alphanumeric PINs are added to generated OTPs; and
OTP hardening (iteration count and pepper searching combined)
effectively adds 10 bits of entropy ...
