token
... method suitable for use with One-Time Password (OTP) tokens, and
offers particular advantages for tokens that are electronically
connected to a user's computer, e.g., through a USB interface. The
...
... method intended to meet the needs of organizations
wishing to use OTP tokens in an interoperable manner to authenticate
users over EAP ...
... authenticator, reducing the need for user interactions and allowing
for local generation of user prompts, when needed. In contrast, the
Generic Token Card (GTC) method from [1 ...
... EAP terminology, acting on behalf of a
user possessing an OTP token;
o A server, or "authenticator ...
... by the user and the backend
authentication server. The secret seed is stored on an OTP token
that the user possesses, as well as on the authentication server.
...
... algorithm with
EAP-POTP. As an example, in the case of using RSA SecurID tokens
within EAP-POTP, the EAP ...
... identity provided here may alleviate the need
for a "User Identifier" or a "Token Key Identifier" triplet
(TLV ...
... TLV, the peer requests (possibly through user
interaction) the OTP token to calculate a one-time password
based on the information in the received EAP-Request message
(which could, for example, carry a challenge), the current
token state (e.g., token time), a shared secret (the "seed"),
and a user-provided PIN (note that, depending on the OTP token
type, some of the information in the EAP-Request may not be
...
... TLV has the P bit set (see below), the
peer then combines the token-provided OTP with other
information, and provides the combined data to a key
derivation ...
... identifier MAY also be used by the peer to select
a suitable key on the OTP token (when there are multiple keys
available).
...
... SHALL be calculated using both the provided challenge and internal
state (e.g., current token time). The OTP SHALL be calculated
based only on the provided challenge (and the shared secret ...
... bit indicates that the provided OTP has
been calculated using a provided challenge and the token state.
The C bit ...
... bit, when set, indicates that the OTP to
calculate SHALL be based on the next token "state", and not the
current one. As an example, for a time-based token, this means
the next time slot. For an event-based token, this could mean the
next counter value, if counter values ...
... bit, when set, indicates that the OTP
was calculated based on the next token "state" (as explained
above), and not the current one. The N bit ...
... 64 octets. When the challenge is not present,
the OTP will be calculated on the current token state only. The
peer MAY ignore a provided challenge if and only if the OTP token
the peer is interacting with is not capable of including a
challenge in the OTP ...
... P bit is not set, the peer SHALL directly place the
OTP value calculated by the token in the Authentication Data
field. In this case, the EAP server MUST NOT send a Confirm
...
... * When the P bit is set, the peer SHALL populate this field as
follows. After the token has calculated the OTP value, the
peer SHALL compute:
...
... OTP value
at a given time, e.g., due to clock drift in the token. If
the given pepper length is not a multiple of 8, each tested
pepper value will be padded to the left to the nearest
...
... EAP server when policy dictates that
the peer (user) needs to change a PIN associated with the OTP Token.
This TLV ...
... 1], Section 2). Use of the User
Identifier TLV and/or the Token Key Identifier TLV is RECOMMENDED
...
... Key Identifier TLV as
specifying a particular token key for the given user. The EAP server
MUST respond with an EAP-Failure if it cannot find a token key for
the provided user.
...
... The value SHALL be a UTF-8 encoded string representing the holder
of the token (MUST NOT be NULL-terminated). The string MUST be
less than 128 octets in length.
...
... 1], Section 2). Use of the User
Identifier TLV and/or the Token Key Identifier TLV is RECOMMENDED
...
... Key Identifier TLV as
specifying a particular token key for the given user. The EAP server
MUST respond with an EAP-Failure if it cannot find a token key
corresponding to the provided token key identifier.
...
... TLV type is sent by peers and MUST be supported by all EAP
servers conforming to this specification. The Token Key Identifier
TLV ...
... TLV Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Token Key Identifier ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...
... Length
Length of Token Key Identifier, >= 1
...
... An identifier for the OTP token key used to generate the OTP. The
field MUST be less than 128 octets in length.
...
... TLV MAY be sent by peers to simplify authentications.
When present, it carries the time as reported by the OTP Token.
An EAP server ...
... Counter TLV MAY be sent by peers to simplify authentications.
When present, it carries the token counter value, as reported by the
OTP ...
... The counter value, as reported by the OTP token, at which the OTP
used for the accompanying OTP ...
...
The Challenge TLV carries the challenge used by the token to
calculate the OTP, as reported by the token to the peer. The
Challenge TLV MUST be sent by a peer if and only if the challenge
otherwise would be unknown to the EAP server (e.g., the token or peer
modified a received challenge or generated its own challenge).
...
... OTP in the limited time
period during which it is valid (this is mainly true for tokens,
including the current time in their OTP calculations, or when a sent
...
... Note: The RSA SecurID product is a hardware token card (or software
emulation thereof) produced by RSA Security Inc., which is used for
...
... characters long. The user selects another PIN than the one suggested
by the server. The token key is identified through a combination of
the user identifier and the token key identifier. While waiting for
the user input, to avoid network ...
