time interval (e.g., each minute), the SecurID token generates a new one-time

password and displays it. If the holder of the SecurID token (i.e., the user)

wants to authenticate himself or herself, he or she reads from the token's

display the currently valid one-time password and types it in at the login

prompt (typically together with a static password). Due to the proprietary

nature, there are only a few security analyses related to the SecurID tokens

and the cryptographic algorithms they implement (e.g., [13]).

•

An alternative one-time password scheme that does not require the imple-

mentation of a cryptosystem was originally proposed by Leslie Lamport in

the early 1980s [14]. In this scheme, the claimant (i.e., the user) begins with a

secret password pw . A one-way function h is then used to generate a sequence

of t one-time passwords:

pw, h ( pw ) ,h ( h ( pw )) ,...,h t ( pw )

This sequence is then used by the claimant in the reverse order, meaning

that h t ( pw ) is used first and that h t− 1 ( pw ), h t− 2 ( pw ), ... , h ( h ( pw )),and

h ( pw ) are then used afterwards. In fact, the (one-time) password for the i th

authentication process (for 1

t )is h t−i ( pw ). This password is used by

the claimant to authenticate himself or herself to the verifier. Lamport's one-

time password scheme was implemented at Bell Communications Research

(Bellcore) in a one-time password system called S/Key [15]. S/Key employed

the one-time function MD4. More recently, the use of MD4 was replaced with

MD5 in a similar system called one-time passwords in everything (OPIE)

developed at the U.S. Naval Research Laboratory (NRL). S/Key and OPIE

both conform to the one-time password system specified in [16].

≤

i

≤

In addition to SecurID tokens, S/Key, and OPIE, many other one-time pass-

word systems are commercially or freely available on the Internet. Many of them are

proprietary, and hence they are not addressed in this topic.

Challenge-Response Mechanisms

One-time password schemes and corresponding systems are simple and straightfor-

ward. The major advantage is that they do not require an interaction between the

claimant and the verifier. The claimant simply provides a piece of authentication

information to the verifier, and the verifier can verify the validity of it (without in-

teracting with the claimant). The major disadvantage, however, is that the claimant

and verifier must be synchronized in some way or another.