Simon's Projects 1997

Paper Based One Time Password System


Network security is a big issue within the University. The Computer Laboratory (T&R) prohibits remote access to its computers unless prior consent has been given. This is inconvenient.

A one time password system for rlogin-ing into a machine would probably be adequate. In commercial systems such a password is usually sourced using a device similar in shape, size and component complexity to a pocket calculator. However, such a device costs a significant amount of money and can easily be lost.


A paper based one time password system is proposed. The user of the system would carry around a single A4 sheet printed on both sides which forms a code book. This code "book" would be valid for, say, one month or 50 accesses, whichever comes sooner. It could be used in the following challenge-response scenario:
  • user types "rlogin gateway-host -l userID"
  • machine asks for a conventional password which the user duly enters
  • machine replies with a series of alphanumeric quintuples
  • user looks up quintuples in the code book and responds accordingly
Time constraints could be added to this process. For example, the user may only be allowed three attempts to login per hour.
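As an added illustration, not part of the original proposal, the following Python sketches the gateway's side of this scheme: generating a code book of challenge/response quintuples, issuing a series of them for one login, checking the user's answers, and applying the three-attempts-per-hour limit. The size of the series (three quintuples), the hashed server-side storage and the 30-day lifetime are assumptions; timestamps are plain epoch seconds.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
BOOK_ENTRIES = 50                   # "50 accesses" per printed sheet
BOOK_LIFETIME = 30 * 24 * 3600      # "one month", in seconds; whichever comes sooner
CHALLENGES_PER_LOGIN = 3            # assumed size of the "series" of quintuples
MAX_ATTEMPTS_PER_HOUR = 3           # the time constraint suggested in the text

def quintuple():
    return "".join(secrets.choice(ALPHABET) for _ in range(5))

def digest(challenge, response):
    # The server keeps only hashes, so a copied server file is not a usable code book.
    return hashlib.sha256(f"{challenge}:{response}".encode()).hexdigest()

def make_code_book(issued):
    """Return (printable sheet, server-side record) for one user; `issued` is epoch seconds."""
    book = {}
    while len(book) < BOOK_ENTRIES:     # dict keys are unique, so every lookup is unambiguous
        book[quintuple()] = quintuple()
    sheet = sorted(book.items())        # the challenge/response pairs printed on the A4 sheet
    record = {"issued": issued, "revoked": False, "attempts": [], "pending": {},
              "entries": {c: digest(c, r) for c, r in book.items()}}
    return sheet, record

def issue_challenge(record, now):
    """Pick unused quintuples for one login, or None if the book is no longer valid."""
    if record["revoked"] or now - record["issued"] > BOOK_LIFETIME:
        return None
    if len(record["entries"]) < CHALLENGES_PER_LOGIN:
        return None                     # book exhausted: the user needs a fresh sheet
    chosen = secrets.SystemRandom().sample(sorted(record["entries"]), CHALLENGES_PER_LOGIN)
    # Burn on issue: a quintuple is never shown twice, so an observed answer cannot be replayed.
    record["pending"] = {c: record["entries"].pop(c) for c in chosen}
    return chosen

def verify(record, responses, now):
    """Check the user's answers, allowing at most three attempts per rolling hour."""
    record["attempts"] = [t for t in record["attempts"] if now - t < 3600]
    if len(record["attempts"]) >= MAX_ATTEMPTS_PER_HOUR:
        return False
    record["attempts"].append(now)
    pending, record["pending"] = record["pending"], {}   # consume whatever was issued
    if not pending or len(responses) != len(pending):
        return False                    # nothing outstanding, or wrong number of answers
    checks = [secrets.compare_digest(pending[c], digest(c, r))
              for c, r in zip(pending, responses)]       # pending keeps issue order
    return all(checks)
```

Withdrawing a lost book, as the web page described below would do, is just setting `record["revoked"] = True`, after which no further challenges are issued.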

In case the user loses a code book there should be a mechanism to withdraw the book from circulation. This could be provided by a web page hooked to an appropriate CGI script.

The interface to code book generation could also be provided by a local web page. A large print two page code book might be desirable for those ocularly challenged. It would be reasonable to assume that local printing facilities are secure enough.

Previous work

I've proposed the project before and at least one person has had a stab at it though there are no doubt alternative approaches/major improvements.

Special resources

None to develop the theory. However, to put the work into practice you'll probably need to modify the rlogin daemon so it would be useful if you had your own Linux box to experiment on.

Possible supervisors

I'm not prepared to supervise this project. You might like to contact members of the security research group. This project could also be supervised by many other people in the lab.