Bugtraq mailing list archives
otp - the next generation
From: Lukasz Luzar <lluzar () DEVELOPERS OF PL>
Date: Thu, 22 Mar 2001 01:36:23 +0100
SMSOTP - One-Time Passwords via SMS

Introduction
============

smsotp is an authorization system based on SMS (Short Message Service).
The system is the most reliable way of secure authorization. It eliminates
all disadvantages of a typical login/password and any other otp
implementations.

How does it work?
=================

When you want to log into the server from an untrusted network, you send
an SMS message with your real login and password (e.g. "john 12blah45") in
the body of the message to the GSM phone connected to the server.

When the server receives a message, the smsotpd daemon processes the
request in the following steps:

1. Checks if the user is permitted to authorize from the phone number
   (checks the /etc/smsotp.access file).

2. When the user is _not_ permitted to use the smsotp authorization, no
   special actions are performed (except a warning via syslog()).

3. Otherwise the daemon does login/password authorization, and if the
   authorization is successful it creates a ticket for the user in the
   /var/smsotp directory and saves a temporary access code there
   (e.g. "4f21"). Finally, it sends the ticket to the user's mobile phone.
   Otherwise the user receives the message "password incorrect".

4. When the user receives the SMS with the ticket (e.g. "4f21"), he is
   able to log into the system using that new temporary password, e.g.

    john@unix:~$ telnet blah
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.

    blah login: john
    Password: (type here "smsotp")
    Enter smsotp ticket: (type here your temporary ticket e.g. "4f21")

After successful authentication, the ticket is immediately removed.
A user has only 45 sec. for the authorization process; after this time the
ticket is automatically removed by the smsotpd daemon. A user can send a
request only from the specified phone number, otherwise the request is
_ignored_.

Platforms and requirements
==========================

The package was tested on Linux Slackware 7.1 with the gnokii-1.3.2
package and a NOKIA 5110 phone connected to the server via a special
serial cable.

Integration
===========

The integration process is very easy. When you want to add smsotp support
to your package, you need to do the following steps:

- copy the smsotp.c and smsotp.h files into your source tree,
- add some proper build steps in your Makefile,
- update your authorization procedure with the smsotp_auth() function, and
  add the #include "smsotp.h" entry at the beginning of the file.

An example login(1) patch for Linux Slackware 7.1 is available at the
official website.

It's an early beta version of the package, so all comments and bug
reports are welcome... :-)

For more information, see: http://developers.of.pl/projects/smsotp/

Btw. I am looking for an organization/company/agency that would be
interested in a kind of sponsorship of my security related research
and/or study at a university in the US.

Cheers,
--
Lukasz Luzar
http://developers.of.pl/
Crede, quod habes, et habes
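
The ticket lifecycle described in the post (a short code, a 45-second window, removal after use), as an added example that is not part of the original post or of the smsotp package. The struct, the function names and the in-memory store are hypothetical; this sketch also discards the ticket on a failed attempt, which is stricter than the post describes.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TICKET_TTL 45   /* seconds, as stated in the post */
#define TICKET_HEX 4    /* the post's sample ticket "4f21" is 4 hex digits */

/* Hypothetical in-memory ticket; the post keeps tickets in /var/smsotp. */
struct ticket { char user[32]; char code[TICKET_HEX + 1]; time_t issued; int live; };

/* Draw the code from the kernel CSPRNG; returns 0 on success. */
static int issue_ticket(struct ticket *t, const char *user, time_t now) {
    unsigned char raw[TICKET_HEX / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    snprintf(t->user, sizeof t->user, "%s", user);
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(t->code + 2 * i, 3, "%02x", raw[i]);
    t->issued = now;
    t->live = 1;
    return 0;
}

/* Returns 1 only for a live, unexpired ticket with matching user and code.
 * Any attempt consumes the ticket, so a 16-bit code gets a single guess. */
static int redeem_ticket(struct ticket *t, const char *user, const char *code, time_t now) {
    if (!t->live) return 0;
    t->live = 0;                                  /* single use */
    if (now - t->issued > TICKET_TTL) return 0;   /* 45 s window elapsed */
    if (strcmp(t->user, user) != 0 || strlen(code) != TICKET_HEX) return 0;
    unsigned char diff = 0;                       /* constant-time compare */
    for (int i = 0; i < TICKET_HEX; i++)
        diff |= (unsigned char)(t->code[i] ^ code[i]);
    return diff == 0;
}

int main(void) {
    struct ticket t;
    time_t now = time(NULL);
    if (issue_ticket(&t, "john", now) != 0) return 1;
    char sent[TICKET_HEX + 1];
    strcpy(sent, t.code);                         /* what the SMS would carry */
    printf("first use: %d\n", redeem_ticket(&t, "john", sent, now + 10));
    printf("replay:    %d\n", redeem_ticket(&t, "john", sent, now + 11));
    return 0;
}
```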