OTP Support in MIT Kerberos

Frank Cusack fcusack at fcusack.com
Mon Jul 31 11:38:05 EDT 2006

On July 28, 2006 7:04:25 PM -0400 Jeffrey Altman <jaltman at secure-endpoints.com> wrote:
> Henry B. Hotz wrote:
>> "Soft" tokens are preferred to "hard" tokens, if tokens are needed,
>> though undetected theft becomes an issue.  It might be possible to
>> make my internet kiosk example work with a java applet, but I'm not
>> sure I know all the concerns to address there.
> The java applet has a boot strap problem.  Applets such as Citicorp's
> Credit Card Number generator require a username and password to be
> used over TLS in order to access the account so that the necessary data
> can be obtained to produce and register the new numbers.  I suspect
> you will have the same issues by trying to use an applet to generate
> a one time password.
> The primary benefit to using the concatenated PIN + OTP as a password
> is that it is theoretically possible to use existing clients such as
> Windows 2000/XP or web based authentication without requiring changes
> in the protocols or user interfaces.  However, this requires that the
> OTP sequence for the user be made available to the authentication
> service so that the appropriately derived keys can be produced.
> If you are aware of a OTP vendor who is willing to make OTP sequences
> available, please let us know.

We do.  tri-dsystems.com.  But as Douglas points out, this is not enough,
even if krb5 is your only means of authentication.


More information about the krbdev mailing list