This page was last updated 17 November 2004.

OTP Keygen - one-time pad password generator

The current version is 1.3.


Program Description

The telnet or SSH login procedures for access to a remote host over public networks require (in the case of SSH, optionally) a password to authenticate the user. The problem is that the password can be observed while it is being typed in at an insecure location such as a web cafe, and in the case of telnet it travels over public networks unencrypted. An eavesdropper who captures the password might gain illegitimate access to the host.

For this reason, there are variants of telnet and SSH that use a challenge-response mechanism for logging in. The host prompt provides a "challenge" such as the string 123 ga01234. The user must then compute a response (using the MD4 or MD5 hash algorithms) from this challenge and the secret password. The response is used as the host password. It changes every time because the challenge is different every time.

The MD4 or MD5 computation is way too difficult to carry out in your head, so a computer must do it. The web cafe won't have the necessary tool, and anyway you wouldn't use it because typing your secret password into a strange computer defeats the whole purpose. Hence, OTP Keygen.

OTP Keygen requires four pieces of information:

OTP Keygen will then compute the response in two different forms, an easy-to-remember nonsense sentence consisting of six short words, and the hexadecimal equivalent. Most login procedures accept either.

OTP Keygen: screen shot

The GUI is very simple. Enter the number, seed, and the secret passphrase, and press Compute. Since the host will normally present challenges in a fixed order, decrementing the number part of the challenge for each login, OTP Keygen provides a Next button to decrement the number. (This is also the reason why OTP Keygen has separate entry fields for the number and the seed.)

OTP Keygen will also remember the last ten challenge seeds, and the corresponding mode and number. This saves a lot of typing if you need to log in to several different hosts on a regular basis. For obvious reasons, the secret passphrase is not saved, and is replaced with a row of asterisks when Compute is pressed.

OTP Keygen will warn if the challenge number is less than 10, because your login expires after you have used the number 1. After that, login is no longer possible. To renew your login, ask the system administrator to reset the counter (with a new seed); this procedure requires an OTP so don't use up the number 1 for a login!
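
The computation described above, as an added example that is not taken from the OTP Keygen source. It assumes the host follows the RFC 2289 one-time password scheme in MD5 mode, which matches the number, seed and hexadecimal response described here, although this page does not name the standard. The Host class and the sample passphrase are constructed for illustration, and the six-word form is omitted because it needs the standard's 2048-word dictionary.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """MD5 the input, then XOR the two 8-byte halves into a 64-bit value."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp_response(number: int, seed: str, passphrase: str) -> bytes:
    """Response to the challenge '<number> <seed>' (assumed RFC 2289, MD5)."""
    # The seed is case-insensitive: lowercased and prepended to the passphrase.
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(number):          # apply the hash 'number' more times
        value = fold_md5(value)
    return value

def as_hex(value: bytes) -> str:
    """Format as four groups of four hex digits (the hexadecimal form)."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

class Host:
    """Host side (hypothetical class): keeps only the last accepted response."""
    def __init__(self, number: int, seed: str, response: bytes):
        self.number, self.seed, self.stored = number, seed, response

    def challenge(self) -> str:
        return f"{self.number - 1} {self.seed}"

    def login(self, response: bytes) -> bool:
        # No challenge is left once number 1 has been used.
        if self.number <= 1 or fold_md5(response) != self.stored:
            return False
        # Accept, then move the stored value and counter down one step.
        self.number, self.stored = self.number - 1, response
        return True

if __name__ == "__main__":
    secret = "constructed passphrase"   # constructed sample; never sent to host
    host = Host(100, "ga01234", otp_response(100, "ga01234", secret))
    print(host.challenge())
    r = otp_response(99, "ga01234", secret)
    print(as_hex(r), host.login(r), host.login(r))  # second login is a replay
```

The host never stores the passphrase: it hashes the submitted response once and compares the result with the value it accepted last time, which is why the number counts down and why a response captured at the web cafe is rejected when replayed.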


System Requirements

OTP Keygen runs on Linux PDAs such as the Sharp Zaurus and the Compaq iPAQ running Trolltech's graphical Qtopia palmtop environment. The Sharp Zaurus comes with Linux and Qtopia preinstalled; the iPAQ must be installed first with the "Familiar" variant of Linux for PDAs (see handhelds.org) and then with Qtopia, the palmtop variant of Trolltech's "Qt" libraries. Linux is free software (GPL), and Qtopia is also free for personal noncommercial use (check with Trolltech here). The Qtopia download page is here.

Check out Trolltech's Qtopia screenshots.

OTP Keygen will not work with PDAs running raw X11 or GTK+. This is why, if you have an iPAQ, it's not sufficient to install Linux; you must also install Qtopia. (Better buy a Sharp Zaurus instead, it's the better machine anyway.) In fact, if you install Linux, you can omit all the X11 and GTK+ stuff to save space in your ROM. Note that installation of Linux on an iPAQ is not for the faint of heart because it involves replacing the flash memory contents, and a flash failure leaves you with an expensive brick. Follow handhelds.org's instructions exactly, and do not lose patience if the update appears to be stuck. Never reset during flashing! Once you have the bootloader installed, not much can go wrong. Here is how I installed mine with Linux; the information is unfortunately widely scattered. I had LISA install Qtopia for me.


Download

Download the installable IPK package at
ftp://ftp.bitrot.de/pub/otpkeygen/otpkeygen_1.3.0_arm.ipk .

Download the source code at
ftp://ftp.bitrot.de/pub/otpkeygen/otpkeygen-src_1.3.0.tar.gz .

Please send bug reports or ideas for new features to me, at w4d@bitrot.de. Since I get quite a lot of mail, please be patient, I am not very good at replying quickly...


Change History

Only recent changes are listed with details, intended for finding out whether a bug has already been fixed and your copy should be upgraded.

Tell me if you found this information interesting or useful, or if you have comments.