You may freely redistribute or republish this article, provided the following conditions are met as long as it is for non-commercial purposes. Otherwise permissions should be granted:

1. This article is left intact.

2. Proper credit is given to its authors; Hye Jin Youn and the Security KAIST

Background of OTP

• ÇöÀçÀÇ userid , password¸¦ ÀÎÁõ±â¹ÝÀ¸·Î ÇÏ°í ÀÖ´Â unix system Àº password¸¦ ´©Ãâ ½ÃÅ°´Â °æ¿ì À§ÇèÇÔ

• TCP/IP protocolÀº desine´ç½Ã º¸¾È ¹®Á¦´Â °í·ÁÇÏÁö ¾Ê¾Ò±â ¶§¹®¿¡ sniffing°ú IP spoofing µîÀ» ÀÌ¿ëÇÑ ÇØÅ·ÀÌ ¸¹ÀÌ ÀÌ¿ëµÇ°í ÀÖ´Ù.

• ±¹³»¿¡¼­ ¹ß»ýµÈ ´ëºÎºÐÀÇ ÇØÅ· »ç·Ê´Â ID¿Í passwordµµ¿ë »ç·Ê°¡ ÁÖ·ù¸¦ ÀÌ·ç°í ÀÖ´Ù.
  

Introduction to OTP

1. OTP¶õ?
   OTP( one time password )¶õ ¸» ±×´ë·Î Çѹø ¾²°í password¸¦ ¹ö¸®´Â ÀÏȸ¿ë passwordÀ̹ǷΠ±âÁ¸ÀÇ password°¡ sniffing µîÀ¸·Î °¡·Îä¿©µµ »õ·Î »ý¼ºµÈ password¸¦ »ç¿ëÇϹǷΠ¾ÈÀüÇÒ ¼ö ÀÖ´Ù. ÀÌ·¯ÇÑ otp¸¦ ±¸ÇöÇϱâ À§ÇÑ ¹æ¹ýÀ¸·Î´Â ´ÙÀ½°ú °°Àº °ÍµéÀÌ ÀÖ´Ù.
   • µ¿±âÈ­µÈ ½Ã°£À» À¯ÁöÇÏ¿© Time-Stamp¸¦ »ç¿ë
   • server¿Í clientÀÇ ÀÓÀÇÀÇ Æнº¿öµå ¸®½ºÆ® ³»ÀÇ À§Ä¡ÀÌ¿ë
   • Challenge-Response SchemesÀÌ¿ë

2. OTPÀÇ ¿©·¯°¡Áö »ç¿ë
   1. S/Key ¹æ½Ä
      S/Key ÀÎÁõ ½Ã½ºÅÛÀº passive attack¿¡ ´ëÇØ »ç¿ëÀÚÀÇ Æнº¿öµå¸¦ º¸È£Çϱâ À§ÇÑ °£´ÜÇÑ ½ºÅ´ÀÌ´Ù.

      ´õ ÀÚ¼¼ÇÑ °ÍÀº µÚ¿¡ ¼³¸íÇϵµ·Ï ÇÒ°ÍÀÌ´Ù.

   2. Challenge-Response ¹æ½Ä
      user°¡ loginÇϸé, server´Â Challenge message¸¦ º¸³½´Ù.
      user´Â PIN( Personal Identification Number )¿Í Challenge ¸¦ ÀÌ¿ëÇÏ¿©, OTP¸¦ »ý¼ºÇÏ¿© Response¸¦ ÇÑ´Ù.
      ¼­¹ö´Â µ¿ÀÏÇÑ Challenge¿Í µî·ÏµÈ »ç¿ëÀÚÀÇ Á¤º¸À» ÀÌ¿ëÇØ OTP¸¦ »ý¼ºÇÑ ÈÄ userÀÇ Response¿Í ºñ±³ÇÏ¿© »ç¿ëÀÚ ÀÎÁõÀ» ÇØÁÖ´Â ¹æ½ÄÀÌ´Ù

      

   3. Time-Synchoronous ¹æ½Ä
      ³­¼ö»ý¼º ¾Ë°í¸®ÁòÀº °ü¸®°¡°¡ Á¤ÇÑ ½Ã°£(t)¸¶´Ù 64bitÀÇ ºñ¹ÐÅ°°¡ »ý¼ºµÇ¾î Áø´Ù.
      °¢°¢ÀÇ »ç¿ëÀÚ¿¡°Ô´Â ƯÁ¤Å°°¡ ÇÒ´çµÇ¾îÁö°í, Áö´ÉÇü ÅäÅ«°ú ÀÎÁõ¼­¹ö µ¥ÀÌÅÍ º£À̽º¿¡ À̰͵éÀÌ ÀúÀåµÇ¾îÁø´Ù.
      »ç¿ëÀÚ°¡ loginÀ» ÇÒ¶§ PIN°ú 6°³ÀÇ ¼ýÀÚ·Î µÈ ³­¼ö¸¦ Àü´ÞÇϸé, (ÀÌ ³­¼ö´Â ÅäÅ«À¸·Î »ý¼ºµÇ¾î Áü)

      ³­¼ö´Â ÅäÅ«¾È¿¡ ÀúÀåµÇ¾î ÀÖ´ø ºñ¹ÐÅ°¿Í t¸¦ ÃʱⰪÀ¸·Î ÇÏ¿© ÅäÅ«¾ÈÀÇ ¾Ë°í¸®ÁòÀ» ÅëÇØ ¸¸µé¾îÁø´Ù.

      ÀÌ·¸°Ô ¸¸µé¾îÁø 10°³ÀÇ ¼ýÀÚ°¡ ¼­¹ö·Î °¡¸é ¼­¹ö´Â PINÀ» À妽º·Î ÇÏ¿© ÇØ´ç ºñ¹ÐÅ°¸¦ ã°í, »ý¼ºµÈ 6°³ÀÇ ·£´ý ¼ýÀÚµéÀ» ¼ö½Å °Í°ú ÀÏÄ¡ÇÏ´Â Áö¸¦ È®ÀÎÇÑ´Ù.

3. ±¹³»ÀÇ ±â¼ú µ¿Çâ.
   • ¹ÝµµÃ¼ Àåºñ Àü¹®¾÷üÀÎ ¹Ì·¡ »ó¾÷Àº »ç¿ë¶§¸¶´Ù °á°úÄ¡°¡ ´Ù¸¥ Çؽ¬ÇÔ¼ö¸¦ ±â¹ÝÀ¸·Î ±¸ÇöµÇ¾î Ãß·Ð¹× ÀçÇö °ø°ÝÀ» ºÀ¼âÇÒ ¼ö ÀÖ°í ¹ß»ý±â¿¡ °íÀ¯ ID ¸¦ ºÎ¿©, ºÐ½Ç½Ã ¿À¿ëµÇ´Â °ÍÀ» ¿øõÀûÀ¸·Î ¹æÁöÇÒ ¼ö ÀÖ´Â °øÁ߸Á ÀÎÁõ ½Ã½ºÅÛÀ» °³¹ß ('97.3)

   • ÄɽŠ½Ã½ºÅÛ¿¡¼­ ¹Ì±¹ ºêÀÌ¿ø»çÀÇ SmartGateÁ¦Ç°À» ¼öÀÔÇÏ¿© ÆǸÅÁß

   • internet security korea secure card, secure server, securid ( Time-Synchoronous ¹æ½Ä )À» °³¹ß ÆǸÅÁßÀÓ

   • Çѱ¹ ¿¢½Ã½º

   • ±×¿ÜÀÇ ¿©·¯ ´Üü¿¡¼­ ¿¬±¸ÁßÀÓ

   • ( ÀÚ½ÅÀÇ È¸»ç¿¡¼­ ¿¬±¸ÁßÀÎ ºÐÀº Àú¿¡°Ô ¿¬¶ôÀ» ÁÖ¼¼¿ä :) )

III. S/Key ¶õ?

• Ư¡
  • ±âº» otpÀÇ Æ¯Â¡À» °¡Áö°í ÀÖ´Ù.
  • »ç¿ëÇϱ⿡ °£´ÜÇÏ´Ù.
  • ºñ¹Ð Æнº¿öµå¸¦ ±â¾ïÇϵµ·Ï ÇÑ´Ù.
  • ÀÚµ¿È­°¡ µÇ¾îÁú¼ö ÀÖ´Ù.
  • ¾Ë°í¸®ÁòÀÌ °ø°³µÇ¾î ÀÖ´Ù.
    - MD4 ¶Ç´Â MD5 one-way hash ÇÔ¼ö¸¦ »ç¿ëÇÑ´Ù.
    ( 8byte ÀÔ·Â 8byte Ãâ·Â )
  • ¾î¶² ºñ¹Ð Á¤º¸µµ È£½ºÆ®¿¡ º¸°üµÇ¾îÁöÁö ¾Ê´Â´Ù.

• ¾Ë°í¸®Áò
  • ±âº»ÀûÀÎ ¾Ë°í¸®ÁòÀº one-way hash ÇÔ¼ö¸¦ ¿©·¯¹ø Àû¿ëÇÔÀ¸·Î °è¼ÓÇؼ­ »ý¼ºµÇ¾îÁø´Ù.

  • Âø¾È : f(x) = y ¿¡¼­ x¸¦ ¾Ë°í y ¸¦ ¾Ë¸é ±¸ÇØÁú¼ö ÀÖÀ¸³ª y¸¦ ¾Ë°í x¸¦ ¾Ë¾Æ³»±â¶õ, Áï x = f~(y) ´Â °ÅÀÇ ºÒ°¡´ÉÇÏ´Ù.
    ( * MD4¿Í MD5Âü°í )

  • ù ¹ø° OTP´Â userÀÇ ºñ¹Ð Æнº¿öµå(S)¸¦ Á¤ÇØÁø ƯÁ¤¼ö (N) ¸¸Å­ÀÇ one-way hash ÇÔ¼ö¸¦ ¼öÇàÇÔÀ¸·Î »ý¼ºµÇ¾îÁø´Ù.

    P(1) = f(f(f(f(S))))

    ´ÙÀ½¹ø¿¡´Â n-1¹øÀ» ¼öÇàÇÔÀ¸·Î »ý¼ºµÇ¾îÁö´Â P¸¦ ¾µ°ÍÀÌ´Ù.

    P(2) = f(f(f(S)))

    ±×·¸±â ¶§¹®¿¡ µµÃ»ÀÚ°¡ P(i)¸¦ ¾Ë°Ô µÇ´õ¶óµµ, ´ÙÀ½ password, P(i+1)À» ¾Ë¾Æ³½´Ù´Â °ÍÀÌ ºÒ°¡´ÉÇÏ°Ô µÈ´Ù.

  • óÀ½¿¡ È£½ºÆ® ÄÄÇ»ÅÍ´Â OTPÀÇ º¹»çº»À» ÀúÀåÇÑ´Ù. ±×¸®°í ±×°ÍÀ» one-way hash ÇÔ¼ö·Î °è»êÇÏ¿©, º¹»çº»°ú ºñ±³ÇÑ´Ù.
    ¸¸¾à ÀÏÄ¡ÇÏ°Ô µÈ´Ù¸é, system password fileÀÇ »ç¿ëÀÚÀÇ ¿£Æ®¸®´Â OTPÀÇ º¹»çº»À¸·Î °»½ÅµÇ¾îÁø´Ù.

  

• »ç¿ëÀÚ¿¡ ÀÇÇØ one-way hash ÇÔ¼öÀÇ ¼ö°¡ Çϳª¾¿ ÁÙ¾îµé°Ô µÇ¹Ç·Î ¾î´À ½ÃÁ¡¿¡ ´Ù´Ù¸£¸é ÃʱâÈ­¸¦ ½ÃÄÑÁÖ¾î¾ß ÇÑ´Ù.

• userÀÇ OTP´Â ³ëÆ®ºÏÀ̳ª palm-topµîÀ» Æ÷ÇÔÇÏ´Â ´Ù¾çÇÑ ±âÁ¾ÀÇ pc¿¡¼­ ¼öÇàµÇ¾îÁø´Ù. ¶Ç´Â Ç÷ÎÇÇ µð½ºÅ©¿¡ ÀúÀåµÇ¾îÁö°í ¼öÇàµÇ¾îÁú¼ö ÀÖ´Ù. ¶Ç´Â ¹Ì¸® °è»êÀ» ÇÏ¿© ÇÁ¸°Æ®¸¦ ÇÏ¿© »ç¿ëÇÒ¼ö ÀÖ´Ù.

  ¿¹¸¦ µé¾î ÀÌ·± token card°¡ ÀÖÀ»¼ö ÀÖ´Ù.

• What is OPIE( OneTime Password in Everything ) ?
  OPIE ¹öÀü 2.32À» ±â¹ÝÀ¸·Î ±¸ÇöÇß´Ù.
  OPIE ¿øŸÀÓ Æнº¿öµå ½Ã½ºÅÛÀº °ø°³¹öÀüÀ¸·Î Bellcore S/Key ½Ã½ºÅÛ°ú »óÈ£ ¿î¿ë¼ºÀÌ ÀÖÀ¸¸ç, RFC 1938¿¡¼­ ±â¼úÇÏ°í ÀÖ´Â ¿øŸÀÓ Æнº¿öµå ½Ã½ºÅÛÀ» ±¸ÇöÇÑ °ÍÀÌ´Ù.

• À̹®¼­ÀÇ ±âÁØÀº OPIE Software Distribution, Release 2.32ÀÇ ¹öÀüÀ» °¡Áö°í ´Ù·ç¾ú½À´Ï´Ù.
  test server´Â linux 6.0ÀÔ´Ï´Ù.

• How to 'Install' an OPIE server
  1. Read the OPIE README file

  2. OPIE system requirement

  • A UNIX-like operating system
  • An ANSI C compiler and run-time library
  • POSIX.1- and X/Open XPG-compliance(including termios)
  • The BSD sockets API
  • Approximately five megabytes of free disk space

  3. download the OPIE
  download source

  4. Unpack the software( ¾ÐÃàÇ®±â )

  %> gunzip opie-2.32.tar.gz
  %> tar xfv opie-2.32.tar
  

  5. Read INSTALL readme file( Á¦ ³ª¸§´ë·Î ¿ä¾àÇϸé )
  

  i) configureÀ» ½ÇÇà½ÃÅ´
  ii) MakefileÀ» ³ª¸§´ë·Î ÇÊ¿äÇÑ °ÍÀ» °íĨ´Ï´Ù. ( »ç½Ç ¾È°íÃĵµ ´ëÃæµÊ )
  iii) make¶ó°í Ä¡¸éµË´Ï´Ù( client¸¸ ±ò±âÀ§Çؼ­´Â make client, ¼­¹ö¸¸ ±ò±âÀ§Çؼ­´Â make server ¶ó°í Ä¡¼¼¿ä ) iv) make install( client´Â make client-install )

  6. file È®ÀÎ
  

  7. Install test

  ¿©±â¼­ otp-md5´Â md5¸¦ ¾´´Ù´Â À̾߱â°í, key´Â 497ÀÌ°í, seed´Â en3197ÀÌ´Ù

  8. Áö¿ì±â À§Çؼ­
  

  %>make uninstall

• How to login to an OPIE system
  1. óÀ½¿¡´Â admin¿¡°Ô passphrase¸¦ ¹°¾îºÁ¾ßÇÑ´Ù.

  2. passphrase ¸¸µé°í, ¹Ù²Ù±â

  %>INSTALLDIR/opiepasswd -f -c

  INSTALLDIR Àº opiepasswd ¶ó´Â ¸í·É¾î°¡ ÀÖ´Â ¸ðµç °æ·Î¸¦ ¸»ÇÑ´Ù.
  ¿¹¸¦ µé¸é, º¸Åë /usr/local/bin °¡ µÇ°Ú´Ù.

  -f : °­Á¦ÀûÀ¸·Î ¸¸µëÀ» ÀǹÌÇÑ´Ù.
  -c : console mode·Î ¸¸µé¾î¼­ secureÇÑ Á¢¼ÓÀÌ°Ô²û ¸¸µç´Ù.
  

• Key generator

  • In Linux

    'opiekey' ¸í·É¾î°¡ ÇØÁØ´Ù.

    ¿¹Á¦±×¸²
    

  • In Windows

    

• OPIE Command and man pages

  • In Linux

    opiegen :

    passphrase¸¦ °¡Áö°í key¸¦ generate½ÃÄÑÁÜ
    vici%> opiegen otp-md5 495 wi01309
    Secret Pass Phrase:
    GILL HUED GOES CHUM LIEU VAIN
    vici%>
    

    opieinfo :
    ´ÙÀ½ÀÇ sequence number¿Í seed °ªÀ» Ãâ·Â

    %> opieinfo
    495 wi01309
    

    º¸Åë,
    %> opiekey -n 42 `opieinfo`
    ÀÌ·± ½ÄÀ¸·Î ÀÌ¿ëÇϸé ÁÁ´Ù.

    Á¤º¸´Â /etc/opiekeys¿¡¼­ ¾ò¾î¿À´Â °ÍµéÀÌ´Ù.

    opiesu :
    su ¸í·É¾î ´ë½ÅÀ» ÇÏ´Â °ÍÀÌ´Ù.

    %> opiesu vici
    otp-md5 498 wi910502
    (OTP response required)
    vici's password: (echo on)
    vici's password: RARE GLEN HUGH BOYD NECK MOLL
    # ( root shell )

  • In Windows

    

V. Reference

• README , manual page
• www.consecol.org/~cmh/SkeyCalc/files/Readme.txt
• snafu.mit.edu/accounts/OTP.htm
• www.kisa.or.kr/technology/sub4/password.htm
• esperosun.chungnam.ac.kr/~shsong/my_paper/jcci_paper/paper.htm
• http://www.nas.nasa.gov/Groups/Security/OPIE/

VI. Download

• www.inner.net/pub/opie
  opie ÃÖ±Ù¹öÀü patch¿Í ±× ¿Ü¿¡ window¿¡¼­ ¾µ¼öÀÖ´Â key generate±îÁö ÀÖ½À´Ï´Ù.

• s/key¿¡ °üÇÑ Âü°í¹®Çå

What is ?

• Sniffing
  TCP/IP desine ÀÌ º¸¾ÈÀ» °í·ÁÇÏÁö ¾Ê¾Ò±â ¶§¹®¿¡ network»óÀÇ packetÀ» ¸ð¾Æ Àç¹è¿­½ÃÅ°¸é ¿ø·¡ÀÇ data¸¦ º¹Á¦ÇÒ¼ö ÀÖ´Ù.
• Spoofing
  network»ó¿¡¼­´Â »ó´ë¹æÀ» ¾î¶»°Ô ÀÎÁõÇÒ °ÍÀΰ¡°¡ Áß¿äÇÏ´Ù. º¸Åë password³ª IP , hostnameµî¿¡ ÀÇÇØ ÀÎÁõÀ» Çϴµ¥ ÀüÀÚ´Â sniffing¿¡ ÀÇÇØ ³ëÃâÀÌ °¡´ÉÇϸç ÈÄÀÚ´Â spoofing¿¡ ÀÇÇØ °ø°ÝÀÌ °¡´ÉÇÏ´Ù.
  • IP Spoofing : ÇØÄ¿ÀÇ host°¡ target host°¡ trustÇÏ´Â hostÀÎôÇϱâ
  • DNS spoofing : rlogin , rshÀ» »ç¿ëÇÏ°í DNS server¿¡ ¸¹Àº packetÀ» º¸³½´Ù. ±×·³ host´Â Àá½Ã ¸¶ºñ°¡ µÇ¸ç ±×Æ´À» Ÿ¼­ target host·Î ÇÏ¿©±Ý ÀÚ½ÅÀÇ host¸¦ ¹Ï´Â Á¤º¸¸¦ º¸³½´Ù.
  • IP hijacking : ÀÏ´Ü connectionÀÌ ÀϾ µÎ host°£¿¡ connectionÀ» º¯Á¶ÇÏ´Â °ÍÀ» ¸»ÇÔ