OTP - One Time Password (also One Time Pad)

The information provided here is incomplete and is intended to provide some insight into OTP's, however does not fully cover all the elements of the algorithms, methods, etc

The most secure form of cryptography ever devised was the One-Time-Pad which involved randomly generated sheets of letters, numbers and symbols for each letter, number and symbol, e.g.:
A -> B, B->C, 1->2, 2->3

The method evolved from the substation cipher but had more cons then pros which is the reason it's not main-stream.

The key to the system was to have the substituted characters (or numbers, etc) be truly random, which is harder then one might think, as most systems have some sort of repetitive frequency which can be eventually found.

OTP is used for computer system access, software specific access, room access and even for person to person verification.

OTP works in one of two ways: either both sides have a method of computing the next expected password or the other side has a method of verifying the next password is really the next one expected.

Lets start with the latter, but first a very very quick introduction to "hash" or "hashing"; hashing is an algorithm (there are many hashing algorithms) that should theoretically always produce a unique output to a processed string/data sequence.

Note! S/key has some more properties not covered here. Read more about S/key elsewhere to fully understand the algorithm.

One of the earliest OTP solutions was called S/Key and was used mostly on Unix systems. Like most modern OTP solutions, S/Key used hashing, but unlike modern OTP solutions the user had a set number of login passwords generated. Once they were all used, they had to generate more. This was because the Unix system only stored the hash of the last password, so the user would start using the second to last password down towards the first password.

Each time the user entered the password, the Unix system would hash the password entered to see if it match's the stored hash.

Each password in the list is based on the previous one, so it is difficult to hack even if one knows the currently entered/stored password.

For example:

4 passwords generated

1. 5555 ab
2. 3333 cd
3. 1212 tr
4. 9223 pf

The S/key server saves the 4th password, the user has 3 useable passwords 3, 2, 1
When they enter the 3rd password, the S/key (e.g. Unix) server runs it through the hash algorithm (usually MD4 or MD5). If it match's the 4th password which it has stored, it grants access and saves the 3rd password instead of the 4th password.

There are other many types of OTP solutions including time based which rely on a time synchronization between the OTP user software (which may be software, phone software, token, SMS, etc.), and of course event based OTP which S/key falls into.

A lot of OTP solutions are secret and/or proprietary however some like OATH (usually HMAC-SHA1) are open-source and widely used and supported between OTP providers.

OATH uses an event based OTP algorithm (it can also support time based however this isn't wide spread) which usually uses a secret character sequence (a.k.a. seed) only known to the two parties (being the user software/device and the OTP server) and the request number and sometimes other data such as customer unique seed, etc.

All this data is ran via the algorithm (usually HMAC-SHA1) to generate the OTP.

RSA was one of the first companies to offer an enterprise OTP solution using various software platforms and other form factors such as tokens.

RSA uses a time based algorithm to calculate the OTP and as such requires the time to be synchronized between the client side and server side OTP components and has on the user side a time indicator so the user can time their password entry.

The major upside to time based OTP is that in an event based token, if someone got an OTP the only time limit they have to using it is until you generated a new OTP and used it.

In a time based OTP one would only have a pre-defined time limit to use set OTP (e.g. 25 seconds) which would be more than enough at most instances.

Event based OTPs, on the other hand, do not require time synchronization to take place and do not require the user to wait for a password to expire before entering it, etc.

Some of the most popular OTP vendors today include Aladdin, Vasco, CIDWay, and of course, RSA.

Note: OTP can also refer to One Time Pad, not described above.
Note: OTP is also One Time Pad - not described in this article.

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.