S/KEY is a one-time password system developed for Unix-like operating systems. Under S/KEY, each user is given a list of passwords to be used in authentication. As each password in the list is only used once, passwords intercepted by a password sniffer or keyboard logger are not useful to an attacker. S/Key is supported in Linux via Pluggable authentication modules, OpenBSD, NetBSD, and FreeBSD.

S/KEY is an authentication system that uses one-time passwords. It requires a one-time setup during which n passwords are generated. Each password can only be used for one authentication, after the n passwords have been used, the password generation step must be performed again.

S/KEY is also sometimes referred to as Lamport's scheme.

Password Generation

The server is the computer that will perform the authentication.

1. This step begins with a secret key w. This secret can either be provided by the user, or can be generated by a computer. Either way, if this secret is be disclosed then the security of S/KEY is compromised
2. H is a cryptographic hash function
3. H is applied n times to w, thereby producing n one-time passwords (the passwords are the results of the crytographic hash H).
4. The initial secret w is discarded
5. The user is provided with the n passwords, printed out in reverse order.
6. The first n-1 passwords are discarded from the server, only the last password is stored on the server that will authenticate the user.

Authentication

After password generation, the user has a sheet of paper with n passwords on it. The first one is the same password that the server has stored. This first password will not be used for authentication (the user should scratch this password on the sheet of paper), the second one will be used instead:

• The user provides the server with the second password on the list and scratches that password
• The servers attemps to compute H(pwd) where pwd is the password supplied. If H(pwd) produces the first password (the one the server has stored), then the authentication is successful. The server will then store pwd as the current reference.

For subsequent authentications, the user will provide password i-1 (where password 1 is the first password generated by the server, i.e. H(pwd), where pwd is the initial secret), the server will compute H(password i-1) and will compare the result to password i, which is stored as reference on the server.

Security

What makes the S/KEY system secure ? The security of S/KEY relies on the difficulty of reversing cryptographic hash functions. Let's assume an attacker manages to get ahold of a password that was used for a successful authentication.

Supposing this is password i. This password is already useless for subsequent authentications, because each password can only be used once. It would be interesting for the attacker to find out password i-1, because this password is the one that will be used for the next authentication.

However this would require inverting the hash function that produced password i using password i-1 (password i = H(password i-1)), which is extremely difficult to do with current cryptographic hash functions.

References

• 'THE S/KEY(TM) ONE-TIME PASSWORD SYSTEM' by Neil M. Haller
• The handbook of applied cryptography, Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone Chapter 10 describes Lamport's scheme on page 396
• RFC1760 - The S/KEY One-Time Password System