Editor's note: These minutes have not been edited.

IETF 36 - WG on One-Time Password Authentication

Co-chairs: Neil Haller (Bellcore), Ran Atkinson (cisco)

Mailing List Info:
  General Interest: ietf-otp@bellcore.com
  [Un]subscribe: ietf-otp-request@bellcore.com
  Archive: ftp.bellcore.com:/pub/ietf-otp/archive

Reported by: Neil Haller (notes recorded by Richard Graveman)

Steve Bellovin gave a brief talk about the hacker system "Monkey", which is a combination of a sniffer and a dictionary attack. The message is that OTP depends on having a well-chosen secret pass-phrase. Solutions were left for the WG to invent. Steve pointed out that Kerberos also has the same problem. Also, active attacks and attacks on DNS are not prevented by this technology.

RFC 1938 requires a 10-character pass-phrase. It was pointed out that requiring additional strength checking would change conforming generators into non-conforming ones. One suggestion was to have generators optionally pass a strength code to servers, which could decide whether the strength was acceptable to the installation.

Craig Metz, Denis Pinkas and Phil Servita, with input from others, came up with a joint proposal for automating the re-initialization of the sequence of one-time passwords. Craig presented a way of adding "extended responses" to the OTP protocol and showed how this could be used for automated re-initialization. The extended responses are optional and are of the form:

  :[:...]

Examples are:

  word:anne vein coke boom gut pun
  hex:4d3e 81a6 ae51 7e6b

This eliminates the ambiguity between hex and dictionary words made up only of the letters a-f. Eliminating this ambiguity is necessary, and therefore required, for automated initialization of the OTP sequence. A re-initialization request would look like:

  init:::[::]

It was agreed that, subject to changes made on the list, the proposed addition to the OTP protocol would move towards an elective standards-track RFC. Craig agreed to post this proposal as an Internet Draft.
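As an added illustration, not part of the minutes and not code from any toolkit named here, the following Python sketch implements the MD5 variant of the RFC 1938 one-time password computation, the server-side check that advances the sequence, the hex-versus-word ambiguity an untagged response presents to a server, the typed extended response that removes it, and the sniff-plus-dictionary attack on a weak pass-phrase that the Monkey talk warned about. The pass-phrase, seed, candidate list and response strings are constructed for the example; the six-word dictionary encoding of RFC 1938 is not reproduced, so word-form responses are only classified, not decoded.

```python
"""Constructed illustration of RFC 1938 one-time passwords (MD5 variant) and the
hex/word response ambiguity discussed in the IETF 36 OTP WG minutes.
This is added example code, not code from the minutes or any toolkit named there."""
import hashlib
import re
from typing import Iterable, Optional, Set

# Constructed sample values (hypothetical; not taken from the minutes).
PASSPHRASE = "correct horse battery staple"   # the user's secret pass-phrase
SEED = "ke1234"                                # seed the server sends in its challenge


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """The count-th OTP: fold(MD5(seed || pass-phrase)), then hashed count more times.
    The seed is case-insensitive and is lower-cased before use, as RFC 1938 requires."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


def as_hex(otp: bytes) -> str:
    """Hex form in four groups of four, e.g. '4d3e 81a6 ae51 7e6b'."""
    h = otp.hex()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def verify_and_advance(stored: bytes, submitted: bytes) -> Optional[bytes]:
    """Server side: the submitted OTP hashed once must equal the stored one; on
    success the submitted value becomes the stored value for the next login."""
    return submitted if fold_md5(submitted) == stored else None


def passphrase_meets_rfc1938_length(passphrase: str) -> bool:
    """RFC 1938 requires a pass-phrase of 10 to 63 characters. This is a length
    check only; it says nothing about dictionary words, which is the Monkey problem."""
    return 10 <= len(passphrase) <= 63


HEX_RE = re.compile(r"^[0-9a-f]{16}$")
WORD_RE = re.compile(r"^[a-z]{1,4}$")


def legacy_interpretations(response: str) -> Set[str]:
    """Readings a server must consider for an untagged RFC 1938 response:
    16 hex digits (white space ignored here) and/or six words of 1-4 letters."""
    kinds = set()
    if HEX_RE.match(response.replace(" ", "").lower()):
        kinds.add("hex")
    words = response.lower().split()
    if len(words) == 6 and all(WORD_RE.match(w) for w in words):
        kinds.add("word")
    return kinds


def interpretations(response: str) -> Set[str]:
    """With the extended-response form '<type>:<arg>[:<arg>...]' the type tag
    settles the reading; an untagged response falls back to guessing."""
    if ":" in response:
        kind, _args = response.split(":", 1)
        return {kind}
    return legacy_interpretations(response)


def recover_passphrase(seed: str, count: int, observed_hex: str,
                       candidates: Iterable[str]) -> Optional[str]:
    """The Monkey attack: from one sniffed OTP plus the public seed and count,
    try each dictionary candidate as the pass-phrase; a weak one falls out."""
    target = bytes.fromhex(observed_hex.replace(" ", ""))
    for candidate in candidates:
        if otp_md5(candidate, seed, count) == target:
            return candidate
    return None


if __name__ == "__main__":
    # A response made only of a-f letters reads as both hex and words until tagged.
    print(interpretations("ad bad fed ace cab be"))         # {'hex', 'word'}
    print(interpretations("word:ad bad fed ace cab be"))    # {'word'}
    sniffed = as_hex(otp_md5("password", SEED, 42))
    print(recover_passphrase(SEED, 42, sniffed, ["letmein", "password"]))
```

The ambiguity the minutes describe shows up in `legacy_interpretations`: a six-word response whose letters all fall in a-f and total sixteen characters is indistinguishable from a hex OTP with spaces, so a server automating re-initialization cannot know which decoder to apply; the `word:` or `hex:` prefix resolves it before any decoding happens. `recover_passphrase` is the reason the pass-phrase, not the OTP, is the weak point: the seed and count are sent in the clear, so one sniffed response is enough to test candidates offline.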
Denis Pinkas brought up the problem that a server can give you someone else's challenge and thus trick you into providing the server with the ability to break into another system. This issue was deferred to the mailing list.

At the next IETF meeting, San Jose in December 1996, RFC 1938 will be eligible for advancement to Draft Standard. There was complete agreement that interoperability demonstrations should be planned for that meeting with the intention of advancing the OTP protocol.

Phil Servita announced that his OTP toolkit for UNIX is available at:

  ftp.ftp.com:/pub/meister/otp/unix/otp.tar

It supports MD4, MD5 and SHA1, and has alternate dictionary support. It does not yet do extended responses. A re-init scheme which is NOT compliant with the current extended response draft is included, but should not be used.

OTP generators for DOS, Windows, 95, and NT (with source, Borland C++) are available at:

  ftp.ftp.com:/pub/meister/otp/dosotp/
  ftp.ftp.com:/pub/meister/otp/winotp/

An alpha version of the OTP toolkit which implements the extended responses, and also provides support for the RIPEMD160 hash function, is available at:

  ftp.ftp.com:/pub/meister/otp/pre-release/unix/otpalpha.tar

Documents

  RFC 1760, N. Haller, February 1995
  RFC 1938, N. Haller and C. Metz, May 1996