KEY(1) UNIX System V (20 July 1993) KEY(1)
NAME
S/key - a procedure for using one-time passwords to access
computer systems.
DESCRIPTION
S/key is a procedure for using one-time passwords to
authenticate access to computer systems. Each one-time
password is 64 bits of information produced by the MD4
algorithm. The user supplies the 64 bits in the form of 6
English words that are generated by a secure computer, e.g. a
pocket-sized smart card, a PC or Macintosh, or a machine at
work whose output is printed on a sheet of paper. Usage
example for the S/key program key, where 99 is the password
reference number and th91334 is the initial key (the seed
that keyinit assigns):
>key 99 th91334
Enter password: <your secret password is entered here>
OMEN US HORN OMIT BACK AHOY
>
The programs that are part of the S/Key system are keyinit,
key, keyinfo, keysu, and keyauth. Keyinit is used to set up
your ID, key is used to get the one-time password each time,
keyinfo is used to extract information from the S/Key
database, and the rest are system routines. Use keyinit -s
(the secure option) if you are doing the set-up over insecure
communication lines.
When you run "keyinit" you inform the system of your secret
password. Running "key" then generates the one-time
passwords, and also requires your secret password. If,
however, you misspell your secret password while running
"key", you will get a list of passwords that will not work,
with no indication of the problem: "key" has no copy of your
secret to check against, so the mistake only shows up when
the host rejects your login.
Password reference numbers count backward from 99, so each
login uses the next lower number. If you don't know this,
the syntax for "key" will be confusing.
When typing in your one-time password to gain access,
backspace (^H) can be used to make corrections. You can
enter the passwords in lower case, even though the "key"
program prints them in capitals. When you run "key -n 10
`keyinfo` | lpr" and you do not find your printout at the
printer, in the bin for your login, in the bin for your last
name, on the floor or anywhere else, you have a problem.
Someone has accidentally or purposely acquired a list of
one-time passwords together with your login (on the cover
sheet), which gives them access to your account. The only
remedy is to run "keyinit" again. You do NOT have to change
your secret password, since the system will change the
initial "key" for you, and the missing information is then
useless.
Page 1 (printed 2/3/99)
It would be nice if the system had a way for you to advance
(i.e. decrement) the counter in the database, so you could
invalidate all the passwords you printed, but this is not
possible because of the algorithm: the host stores only the
last password it accepted, and each earlier password is an
MD4 preimage of the one after it, which the host cannot
compute without your secret.
Note that the notion of remembering a list of lists of 6
quasi-English words without writing them down is ridiculous.
However, sending them to a printer without immediately
retrieving the output is a big security hole.
Versions of key for the Macintosh and for general-purpose
PCs are available.
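The following Python is an added worked example, not the Bellcore key/keyinit code and not part of the original page. It reproduces both sides of what is described above: the "key" side, which computes one-time password number n from the secret and the initial key, and the host record that keyinit creates and a login checks, which holds only the last accepted 64-bit value, verifies a login with one more MD4, counts downward, rejects a replayed or out-of-sequence password, and is reset by running keyinit again with a fresh initial key. The seed is lowercased before hashing as RFC 2289 (the later standardization of S/Key) specifies. The 6-word output of key needs the 2048-word S/Key dictionary, so values are shown as hex. The class, function and variable names and the sample secret and seeds are constructed for this example.

```python
"""Added example: S/Key one-time-password generation and host-side checking.

Not the Bellcore key/keyinit code. Follows the page and RFC 2289's MD4 mode:
the initial key (seed) and the secret are concatenated, hashed with MD4 and
folded to 64 bits; password number n is that value run through fold(MD4())
n more times. MD4 is written out because OpenSSL 3 ships it only in its
legacy provider, so hashlib.new('md4') is often unavailable.
"""
import struct


def _rol(v, s):
    return ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF


def _md4_block(state, block):
    x = struct.unpack('<16I', block)
    a, b, c, d = state
    f = lambda p, q, r: (p & q) | (~p & r)
    g = lambda p, q, r: (p & q) | (p & r) | (q & r)
    h = lambda p, q, r: p ^ q ^ r
    # (round function, message-word order, shift amounts, additive constant), RFC 1320
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for fn, order, shifts, k in rounds:
        for i, idx in enumerate(order):
            a = _rol((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
            a, b, c, d = d, a, b, c
    return [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]


def md4(data):
    """MD4 digest (16 bytes) of `data`, per RFC 1320."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = (data + b'\x80' + b'\x00' * ((55 - len(data)) % 64)
              + struct.pack('<Q', 8 * len(data)))
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack('<4I', *state)


def fold(digest):
    """Collapse a 16-byte MD4 digest to S/Key's 64 bits by XORing the two halves."""
    return bytes(p ^ q for p, q in zip(digest[:8], digest[8:]))


def skey_otp(secret, seed, count):
    """One-time password number `count` (8 bytes), as `key count seed` computes it."""
    # RFC 2289 lowercases the seed before use; the page's seed th91334 already is.
    value = fold(md4(seed.lower().encode() + secret.encode()))  # password number 0
    for _ in range(count):
        value = fold(md4(value))
    return value


class SkeyHost:
    """Constructed model of the host record: seed, current count, last accepted value.
    The secret itself is never stored, which is why `key` cannot tell you it was
    mistyped; only a login attempt against this record can."""

    def keyinit(self, secret, seed, count=99):
        # keyinit takes the secret once, stores password number `count`, forgets the secret.
        self.seed, self.count = seed, count
        self.last = skey_otp(secret, seed, count)

    def challenge(self):
        # The number the user must feed to `key` next, counting backward from 99.
        return self.count - 1, self.seed

    def login(self, presented):
        # Stored value == fold(MD4(next password)), so one hash verifies a login.
        # A used or out-of-order password fails, and the host cannot skip ahead:
        # every earlier password is an MD4 preimage of what it holds.
        if self.count == 0 or fold(md4(presented)) != self.last:
            return False
        self.last, self.count = presented, self.count - 1
        return True


def demo():
    """Login, replay of the same password, and a lost printout after a new keyinit."""
    secret = 'correct horse battery'        # constructed sample secret
    host = SkeyHost()
    host.keyinit(secret, 'th91334')          # challenge is now (98, 'th91334')
    n, seed = host.challenge()
    first = host.login(skey_otp(secret, seed, n))    # True
    replay = host.login(skey_otp(secret, seed, n))   # False: host now expects number 97
    printout = [skey_otp(secret, seed, i) for i in range(88, 98)]  # `key -n 10` list, lost
    host.keyinit(secret, 'th91335')          # keyinit again: new initial key, same secret
    stolen = host.login(printout[-1])        # False: the printed list is now useless
    return first, replay, stolen


if __name__ == '__main__':
    print('key 99 th91334 ->', skey_otp('correct horse battery', 'th91334', 99).hex())
    print('RFC 2289 vector ->', skey_otp('This is a test.', 'TeSt', 99).hex())
    print(demo())
```

Run it as a script to see password number 99 for the constructed secret, the RFC 2289 MD4 test vector for "This is a test." with seed "TeSt" at count 99, and the three login outcomes. The login check hashes the presented value once and compares it with the stored one, which is exactly why the host can verify password n-1 from password n but cannot produce n-1 itself, the limitation the text above describes.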
SEE ALSO
keyinit(1), keysu(1), keyauth(1), key(1), keyinfo(1)
AUTHOR
Command by Phil Karn, Neil M. Haller, John S. Walden
CONTACT
staff@thumper.bellcore.com