Robert Hahn

inspired by integration

I'm always interested in infrastructure that brings people together and facilitates communication. I'm currently exploring social software, markup & scripting languages, and abstract games.

Home | In This Site … | Google Thread
noted on Thu, 04 Sep 2003

One Time Password Generation

Holy cow. I was just last night/this morning conceiving in my mind a web service for generating one time passwords (OTP’s) that anyone can use.

The way it would work is as follows: You need an OTP. You visit this site, which is running under https, and input a URI for what you want the password for. It generates a random number, or an MD5 of the URI combined with a random number, or something like that. Doesn’t matter. You take that generation, go to whatever resource that requires a one-time password (which may be connected to the internet, but not a web-based application), and input it along with the rest of your data.

That second site, upon receiving the password, contacts the OTPG (One Time Password Generator), and sends the random password. That server would only send an http status code (204 No Content, 401 Unauthorized , 403 Forbidden , and 404 Not Found status codes come to mind) as a response, and mark that random number as being ‘used’.

One scenario I can see this being immediately useful for is blogging by email - Once you get an OPT, you can embed it in an email containing a blog, and the script receiving and processing the mail can ping the OTPG server to ensure the mail is valid.

All that isn’t why I said “Holy cow.”

The reason why I said “Holy Cow” was because earlier today (relative to this post date), Sam Ruby started a discussion about what a nonce is - a topic particularly relevant to this application. And I’m glad he did, because he raised some concerns I hadn’t given thought to (yet). Like what happens when you DoS the password server.

One thing I like about my design is what happens if you’re being attacked, but aren’t at the point of collapse. Because I’m requiring a URI as part of the input, the number of possible OTP’s generated per URI remains the same, so as long as it’s giving out random strings, the damage is limited on a per-uri basis, and doesn’t pollute the entire range of values. I had given some thought to expiry, but not a lot. Sam has given me some ideas. I am going to go think on this one some more.

But I think this will work.

tall ship