[PATCH] Virtual Token (VToken) challenge authentication method

paul pgsery at swcp.com
Fri Feb 8 17:25:41 EST 2008


The Virtual Token (VToken) patch 
(https://bugzilla.mindrot.org/show_bug.cgi?id=1439) creates a kbdint 
device that provides a new challenge-based authentication mechanism. The 
server calculates a challenge from two secrets and a counter. You 
authenticate by correctly answering the challenge, proving you know the 
secrets. This creates a software-based token, similar in 
function to commercial ones, that can be run from your workstation or 
better yet, ubiquitous devices such as PDAs, cell phones, calculators, 
and even pen/paper.

VToken has the advantage of not only using cheap, generic devices but 
also not requiring a dedicated network. Commercial systems can only be 
used with networks configured for their use. VToken can be used on any 
machine running OpenSSH and a properly configured sshd_config file. 
Thus, a single virtual token can authenticate to an unlimited number of 
servers.

The current challenge is a place-holder for a more rigorous one. It uses 
the simple equation: Challenge=Secret*Counter Mod(PIN). The secret is 
designed to be embedded in the virtual token, while you must keep the 
PIN secret; the counter protects against replay attacks. Taking the 
modulus of the product maps the answer into a number set (or something 
like that;). Ultimately, the calculation should probably be done by 
taking the hash of the combined terms (anyone who captures the current 
challenge will be able to calculate the secrets using brute force).
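The placeholder formula above next to the hash-based alternative the post suggests, as an added example that is not vtoken.c or the patch's own code; the HMAC-SHA256 construction, the HOTP-style decimal truncation and all sample values are assumptions:

```python
import hmac
import hashlib
import struct

# Constructed sample values (not from the patch): the secret embedded in the
# token, the user's PIN, and the current counter.
SECRET = 961748927
PIN = 7919
COUNTER = 42


def placeholder_response(secret: int, counter: int, pin: int) -> int:
    """The post's placeholder: Challenge = Secret * Counter mod PIN.
    The result is always below PIN, so there are at most PIN distinct answers."""
    return (secret * counter) % pin


def hashed_response(secret: int, counter: int, pin: int, digits: int = 6) -> int:
    """Assumed hash-based replacement (not in the patch): HMAC-SHA256 keyed
    with the token secret over counter and PIN, truncated to decimal digits."""
    key = secret.to_bytes(16, "big")
    msg = struct.pack(">Q", counter) + pin.to_bytes(8, "big")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % (10 ** digits)


def placeholder_repeat_period(secret: int, pin: int, start: int, limit: int) -> int:
    """Smallest k in 1..limit for which the placeholder answer at counter
    start+k equals the answer at counter start, or 0 if none. Because
    secret*(start+k) mod pin == secret*start mod pin whenever pin divides
    secret*k, the answer repeats after at most pin counter steps, which is
    why the counter alone is weak replay protection for this formula."""
    first = placeholder_response(secret, start, pin)
    for k in range(1, limit + 1):
        if placeholder_response(secret, start + k, pin) == first:
            return k
    return 0


def server_verify(expected: int, answer: int) -> bool:
    """Compare the user's answer in constant time, as sshd-side code should."""
    return hmac.compare_digest(str(expected), str(answer))


if __name__ == "__main__":
    print("placeholder:", placeholder_response(SECRET, COUNTER, PIN))
    print("repeats after:", placeholder_repeat_period(SECRET, PIN, COUNTER, 10000))
    print("hashed:", hashed_response(SECRET, COUNTER, PIN))
```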

vtoken.c is an example virtual token app. It prompts you for your PIN 
and calculates the challenge response from the secret, which is embedded 
in its source.

VToken in its present form should be used in conjunction with the 
"Multiauth" patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1435), 
which allows you to use multiple authentication methods to log into a 
machine. You'll want to use Pubkey together with VToken.

In the future, VToken will by itself provide two-factor 
authentication. The secret will be embedded in the app and effectively 
be embedded in your PDA, cell phone, etc. You'll keep your PIN separate, 
of course, and use the two just like on commercial tokens.

This patch might indeed be better suited for PAM or other platform. 
However, I'm submitting here because I use OpenSSH every day and would 
like the ability to natively use stronger authentication. It's also been 
fun learning and hacking the code.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-kbdint-hack.patch
Type: text/x-patch
Size: 24583 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20080207/7658f397/attachment-0001.bin 