OTP Support in MIT Kerberos

Douglas E. Engert deengert at anl.gov
Mon Jul 31 10:52:50 EDT 2006


Crypto card has been open to suggestions, and we have been talking.
Contact their sales people. I have bcc'ed ours on this note.

In addition to knowing the OTP sequences you must keep the state too.
Thus if the OTP is to be used for more than Kerberos, like Radius
for example, the KDC and RADIUS server must both update the state
in some common database. This is the missing piece today.


Jeffrey Altman wrote:

> Henry B. Hotz wrote:
> 
> 
>>"Soft" tokens are preferred to "hard" tokens, if tokens are needed,  
>>though undetected theft becomes an issue.  It might be possible to  
>>make my internet kiosk example work with a java applet, but I'm not  
>>sure I know all the concerns to address there.
> 
> 
> The java applet has a bootstrap problem.  Applets such as Citicorp's
> Credit Card Number generator require a username and password to be
> used over TLS in order to access the account so that the necessary data
> can be obtained to produce and register the new numbers.  I suspect
> you will have the same issues by trying to use an applet to generate
> a one time password.
> 
> The primary benefit to using the concatenated PIN + OTP as a password
> is that it is theoretically possible to use existing clients such as
> Windows 2000/XP or web based authentication without requiring changes
> in the protocols or user interfaces.  However, this requires that the
> OTP sequence for the user be made available to the authentication
> service so that the appropriately derived keys can be produced.
> 
> If you are aware of an OTP vendor who is willing to make OTP sequences
> available, please let us know.



> 
> Jeffrey Altman
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
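
An added example, not part of the original post or of MIT Kerberos code: it illustrates the shared-state point above by validating a counter-based OTP against one common store versus two separate ones. The RFC 4226 HOTP algorithm, the SQLite table, the look-ahead window and every function name here are assumptions; the post does not name an algorithm or a database.

```python
import hashlib, hmac, sqlite3, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter position (assumed algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def open_store() -> sqlite3.Connection:
    """Hypothetical token-state store; each call creates an independent database."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    db.execute("CREATE TABLE token(user TEXT PRIMARY KEY, secret BLOB, counter INTEGER)")
    return db

def enroll(db, user: str, secret: bytes, counter: int = 0) -> None:
    db.execute("INSERT INTO token VALUES (?, ?, ?)", (user, secret, counter))

def verify(db, user: str, otp: str, window: int = 3) -> bool:
    """Accept an OTP inside the look-ahead window and advance the stored counter."""
    row = db.execute("SELECT secret, counter FROM token WHERE user = ?", (user,)).fetchone()
    if row is None:
        return False
    secret, counter = row
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c).encode(), otp.encode()):
            # Compare-and-set: fails if another service already moved the counter.
            cur = db.execute("UPDATE token SET counter = ? WHERE user = ? AND counter = ?",
                             (c + 1, user, counter))
            return cur.rowcount == 1
    return False

def demo():
    secret = b"12345678901234567890"  # constructed sample: RFC 4226 test secret
    otp = hotp(secret, 0)
    # KDC and RADIUS share one state store: the second use of the OTP is refused.
    shared = open_store()
    enroll(shared, "alice", secret)
    shared_result = (verify(shared, "alice", otp), verify(shared, "alice", otp))
    # Each service keeps its own state: the same OTP is accepted twice.
    kdc_db, radius_db = open_store(), open_store()
    enroll(kdc_db, "alice", secret)
    enroll(radius_db, "alice", secret)
    split_result = (verify(kdc_db, "alice", otp), verify(radius_db, "alice", otp))
    return shared_result, split_result

if __name__ == "__main__":
    print(demo())
```

The conditional `UPDATE ... AND counter = ?` is what makes the store safe for two validators: whichever service commits first wins, and the other sees zero rows changed and rejects the login.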


