OTP Support in MIT Kerberos

Jeffrey Altman jaltman at secure-endpoints.com
Fri Jul 28 19:04:25 EDT 2006


Henry B. Hotz wrote:

> "Soft" tokens are preferred to "hard" tokens, if tokens are needed,  
> though undetected theft becomes an issue.  It might be possible to  
> make my internet kiosk example work with a java applet, but I'm not  
> sure I know all the concerns to address there.

The java applet has a bootstrap problem.  Applets such as Citicorp's
Credit Card Number generator require a username and password to be
used over TLS in order to access the account so that the necessary data
can be obtained to produce and register the new numbers.  I suspect
you will have the same issues by trying to use an applet to generate
a one time password.

The primary benefit to using the concatenated PIN + OTP as a password
is that it is theoretically possible to use existing clients such as
Windows 2000/XP or web based authentication without requiring changes
in the protocols or user interfaces.  However, this requires that the
OTP sequence for the user be made available to the authentication
service so that the appropriately derived keys can be produced.

If you are aware of an OTP vendor who is willing to make OTP sequences
available, please let us know.

Jeffrey Altman
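The point in the message above, that a concatenated PIN + OTP password only works if the authentication service can reproduce the OTP value and so derive the same key the client derives, can be shown with a small simulation. The following is an added example written for this page, not code from Jeffrey Altman or from MIT Kerberos. It assumes HOTP (RFC 4226) as the OTP sequence, a simplified PBKDF2-HMAC-SHA1 string-to-key with salt = realm + principal in the style of RFC 3962 (the DK/n-fold step of the real enctype is omitted), and a constructed realm, principal, PIN and token seed.

```python
import hashlib
import hmac
import struct

# Simplified string-to-key in the style of RFC 3962: PBKDF2-HMAC-SHA1 with
# salt = realm + principal.  Illustrative only, not the MIT Kerberos code path.
def string_to_key(password: str, realm: str, principal: str,
                  iterations: int = 4096) -> bytes:
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=32)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def client_key(pin: str, seed: bytes, counter: int,
               realm: str, principal: str) -> bytes:
    """Client side: the user types PIN followed by the OTP shown on the token.
    An unmodified client simply treats the concatenation as the password."""
    password = pin + hotp(seed, counter)
    return string_to_key(password, realm, principal)


def kdc_candidate_keys(pin: str, seed: bytes, expected_counter: int,
                       realm: str, principal: str, window: int = 3) -> dict:
    """KDC side, with the OTP sequence available: derive the key for each
    counter in a small look-ahead window (the token may have been pressed
    without a successful login, so the counters can drift apart)."""
    return {c: string_to_key(pin + hotp(seed, c), realm, principal)
            for c in range(expected_counter, expected_counter + window)}


def kdc_verify(pin: str, seed: bytes, expected_counter: int, realm: str,
               principal: str, presented_key: bytes, window: int = 3):
    """Return the counter whose derived key matches (so the KDC can advance
    its stored counter and reject replays), or None if nothing matches."""
    candidates = kdc_candidate_keys(pin, seed, expected_counter,
                                    realm, principal, window)
    for c, k in candidates.items():
        if hmac.compare_digest(k, presented_key):
            return c
    return None


def kdc_without_sequence(pin: str, realm: str, principal: str) -> bytes:
    """A KDC that holds only the PIN (no OTP seed) can derive a key from the
    PIN alone, but it can never equal the client's PIN+OTP-derived key."""
    return string_to_key(pin, realm, principal)


if __name__ == "__main__":
    # Constructed sample values (the seed is the RFC 4226 test-vector secret).
    seed = b"12345678901234567890"
    realm, principal, pin = "EXAMPLE.COM", "alice", "1234"
    k = client_key(pin, seed, 5, realm, principal)
    print("KDC with sequence matched counter:",
          kdc_verify(pin, seed, 4, realm, principal, k))
    print("KDC without sequence matches:",
          kdc_without_sequence(pin, realm, principal) == k)
```

Two things fall out of running it: verification only succeeds on the KDC that holds the token seed and tracks the counter, and the window logic is what turns "the OTP sequence is available" into a practical check that also rejects a replayed earlier counter.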