Mobile One Time Passwords

Mobile-OTP v.1.06

strong, two-factor authentication with mobile phones 		SourceForge.net Logo
last update of this site: March 3rd, 2008

NEW (2008-03-03): Added an icon to the MIDlet jar-file
NEW (2008-02-10): How to install the MIDlet over the air (OTA) to your phone in Downloads section
NEW (2007-02-24): New project website on extending and improving Mobile-OTP: www.freeauth.org
NEW (2007-02-24): New PAM module v0.2 in Add-Ons section
NEW (2007-02-07): mOTP+: Advanced Mobile-OTP MIDlet available in Links section (Thanks to Duane from www.cacert.org)
NEW (2006-07-14): Mobile-OTP for BlackBerry handhelds available in Downloads section
NEW (2004-06-16): New token version 1.06 with corrections of text placement on higher resolution displays. No need to upgrade, if lines do not overlap on your phone.
NEW (2004-02-04): Mobile-OTP for Nokia IP Firewalls available in Add-Ons section
NEW (2003-12-15): stand-alone Mobile-OTP PAM module in Add-Ons section

Index

  1. Index
  2. Introduction
  3. Downloads
  4. Installation
  5. FAQ
  6. Limitations
  7. Add-Ons
  8. Links
  9. Email Contact

Introduction

Using static passwords for authentication, as it is commonly done, has quite a few security drawbacks: passwords can be guessed, forgotten, written down and stolen, eavesdropped or deliberately being told to other people.
A better, more secure way of authentication is the so called "two-factor" or "strong authentication" based on one time passwords. Instead of authenticating with a simple password, each user carries a device ("token") to generate passwords that are valid only one time. Commercially available tokens look like pocket calculators or key fobs with a display and a keypad. To generate a one time password, the user has to enter his personal PIN into the device. So the authentication is based on two factors: the token device and a PIN ("something you have and something you know"). This is obviously more secure than just a password, as an attacker needs to get hold of both the PIN as well as the token device. In addition, eavesdropping on a password that is valid only one time, is of no use to the attacker.
On the other hand, the drawback of strong authentication is, that every user has to be provided with a token device. This can be quite expensive. Fortunately mobile phones that are capable of running java applets are becoming more and more widely spread. It stands to reason to use your mobile phone as an authentication token ...

Mobile-OTP is a free "strong authentication" solution for java capable mobile devices like phones or PDAs. The solution is based on time synchronous one time passwords. It consists of a client component (a J2ME MIDlet) and a server component (a unix shell script). The server component can easily be plugged into free RADIUS servers like XTRadius to authenticate users at routers, firewalls, web servers, access points, unix machines, etc.
The shell script should run without modification on any BSD-Unix or Linux. The java MIDlet should be compatible to any java enabled mobile phone (Nokia, Siemens, Motorola, Sony, BlackBerry, etc.).
The MIDlet, server-script and RADIUS server are freely available under the terms of GPL.

How it's done

The MIDlet generates one time passwords by hashing the following data with MD5:
  1. the current epoch-time in a 10 second granularity
  2. the 4-digit PIN that a user enters
  3. a 16-hex-digit secret that has been created when the device was initialized
When entering a PIN, the MIDlet displays the first 6 digits of the MD5-hash. This is the one time password. The password can be verified by the server, as the server also knows the current time, Init-Secret and PIN of the user. To compensate time differences, the server will accept passwords from 3 minutes in the past to 3 minutes in the future. In addition, different time offsets can be specified for each user on the token and/or the server. Each password will be accepted only once. After 8 successive failed authentication attempts a user gets locked out.
Authentication is based on two factors: a PIN known by the user and the Init-Secret stored on the mobile device.

Downloads

On the client side you will need the java MIDlet:

  • Version 1.06: MobileOTP.jar and MobileOTP.jad (for BlackBerry handhelds: MobileOTP.cod and MobileOTP.cso)

    On the server side you will need the shell script:

  • Version 1.04: otpverify.sh.

    You should also download the RADIUS server found at XTRadius.

    OTA install

    Just open http://motp.sf.net/MobileOTP.jad in your phone's WAP-browser.

    The MIDlet is also available for direct download at www.getjar.com.
    Just enter 2990 at their WAP-Download-Page.

    Source

    You can also compile the java MIDlet yourself. Here is the source: MobileOTP.java. You will also need the MD5 implementation in java by Santeri Paavolainen MD5.java.

    Installation

    This section describes the installation and configuration of the MIDlet and the server. Installation of the MIDlet is straight forward. Installation of the server takes a little bit more time but can be done in under an hour.

    Client-Installation (token)

    Load the MIDlet on the devices you plan to use. Installation of the .jar and .jad file is vendor specific. Usually java enabled phones come with some kind of application installer for PCs that allows to install MIDlets over IrDA or serial cable.
    When the MIDlet is installed, run it. You can enter PINs to generate one time passwords, but to use them you will need to initialize the device first and write the Init-Secret into the appropriate user-record on the authentication server.
    To initialize the token, press #**#. Enter an arbitrary sequence of 20 keys as a random seed. The Init-Secret that will be shown is not to be written down anywhere else but the server itself. You cannot display it again. If you press #**# any time later, the initialization string will change, i.e. the device will be re-initialized. The initialization of a device should always be done by the administrator of the authentication server, not the user himself. A user does not need to know the Init-Secret.

    Server-Installation (authentication server)

    To install and configure your authentication server, take the following steps:
    1. Copy the otpverify.sh-script to /usr/local/bin and make it executable by chmod'ing it to +x
    2. The script needs to have read/write access rights on /var/motp. Running it as root will make sure of this.
    3. try to run it. It should report: USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset
    4. run it again, this time supplying 5 arguments: otpverify.sh 1 2 3 4 5
      it should return: FAIL
    5. initialize a token. Write down the Init-Secret. Generate a one time password by entering 5555 on the token. Try to verify this password by running "otpverify.sh testuser {password} {Init-Secret} 5555 0"
    6. The script should return "ACCEPT". If it returns "FAIL", the clocks of server and token might differ. Take a look at the FAQ section.
    7. As soon as you successfully authenticated a user, you should continue by installing the XTRadius-server. Keep to the instructions provided at XTRadius.
    8. After the installation of the RADIUS server there are only 4 configuration-files to modify in /etc/raddb
    9. Add a new dictionary file to /etc/raddb. It is called dictionary.motp and contains three new RADIUS-attributes: Secret, PIN and Offset. You can download the file here.
    10. Add a line "$INCLUDE dictionary.motp" to /etc/raddb/dictionary, so that the new dictionary file will be loaded at server start up.
    11. Add 3 macros to /etc/raddb/execparams or replace it by this file.
    12. To create a /etc/raddb/users file containing your users, stick to this sample file: users. You can add further RADIUS attributes to each user entry, of course.
    13. You are all set. Start the RADIUS server in debug-mode (radiusd -sxxy) and test the authentication with the "radtest" client provided with the RADIUS server.

    FAQ

    How to test if authentication works?

    Before including the otpverify.sh-script into the RADIUS server, test it on the command-line:

    1. Make sure that the otpverify.sh-script has read/write-access to /var/motp
    2. Initialize a token by pressing "#**#"
    3. Write down the generated Init-Secret, e.g. 7ac61d4736f51a2b
    4. Generate a one time password by entering a PIN, e.g. PIN=5555, result: af6543
    5. Verify the one time password with the otpverify.sh-script: "otpverify.sh test af6543 7ac61d4736f51a2b 5555 0"
    6. The script should return "ACCEPT". If it returns "FAIL" there might be a time difference between the token and the server. See How to synchronize server clock and token clock?
    7. After successful authentication, try to authenticate with the same OTP again. It should fail, as a lock-file named "af65a3" has been touched in /var/motp/cache

    How to synchronize server clock and token clock?

    Both server and token base their time calculations on the unix epoch time (which is based on UTC), so theoretically any token should be always in sync with the server. Unfortunately some mobile phone devices do not know which time zone they are in, so there might be in fact a difference of several hours between server and token clock.

    To find out the offset between a token and the server, do the following:

    1. Access the "Info"-screen on the token, write down the 9-digit number under "Epoch-Time"
    2. Enter "date +%s" on the server to display the current time in epoch notation. Write down the first 9 digits of the output.
    3. Subtract both values. The result is the offset in 10s of seconds, i.e. an hour would be 360, two hours 720, etc.
    4. The offset has to be configured in the "users" file of the RADIUS server for the specific user (Offset-Attribute).
    5. Since version 1.05 there is the ability to alternatively set the time zone on the token itself as an offset in hours from UTC. So a user traveling to New York City would set the time zone on his Nokia phone to UTC-5 and change it back to UTC+1 when coming back to Berlin. The Offset configured for this user on the RADIUS server would be 0 at all times.
    6. You can verify authentication on the command-line by "otpverify.sh test {OTP} {Init-Secret} {PIN} {offset}"

    How to trouble-shoot authentication on the RADIUS server?

    After configuring the RADIUS server for external authentication through the otpverify.sh-script, you can start the RADIUS server in debug-mode by entering "radiusd -sxxy" and try to authenticate users. Use the "radtest" program for local debugging, that comes with the XTRadius distribution.

    1. If authentication fails with a script-return-code of "1", make sure that PIN, Init-Secret and offset are correct. It is most likely that you have to configure an offset other than "0" for this user. See How to synchronize server clock and token clock? for details.
    2. If the script returns "3", the account of this user has been locked as there have been 8 or more failed authentication attempts by this user. Delete the corresponding file in /var/motp/users to unlock the user account again.
    3. A return code of "4" says that the otpverify.sh-script has not been called with 5 arguments. Check the configuration of the external authentication in the "users"-file of the RADIUS server.
    4. A return code of "5" states that the specified password has already been used. Generate a new one time password and try to authenticate again.
    5. A return code of "6" indicates that you do not have "md5" or "md5sum" installed on your system.
    6. A return code of "7" is returned if the otpverify.sh cannot access the /var/motp directory to write a file.

    Limitations

    The following limitations apply to Mobile-OTP. Not all of them are Mobile-OTP specific but are also inherent to commercial solutions.
    1. PINs and Init-Secrets are stored in clear text on the RADIUS server. It is hence obligatory to keep the server save from unwanted access. This also applies to the log file of the RADIUS server /var/log/radius.log, that can contain authentication data.
    2. Mobile-OTP is based on a function of PIN x Init-Secret —> OTP. It is obvious, that anyone who has access to the Init-Secret and the PIN can authenticate with it. Neither PIN nor Init-Secret nor a thousand known one time passwords alone will let an attacker find both Init-Secret and PIN. If an attacker gains knowledge of either PIN or Init-Secret and one or more one time passwords, this information can be used in a brute-force attack that might be successful. As Mobile-OTP is an open software, there is no way around that. Increasing the number of digits in the PIN (a 16 digit Init-Secret is quite safe) would make a brute-force attack more difficult, but it would be unconvenient for users to remember and type in a 10 digit PIN.
    3. For devices that do not take time zones and daylight-savings-time into account when doing their epoch-time calculations, it might be necessary to manually adjust the Offset-attribute in the user record on the RADIUS server or alternatively one the token itself. For devices that are aware of time zones and daylight-saving-times, server-clock and token-clock should always be in sync.

    Add-Ons

  • Mobile-OTP PAM module

    Sebastian Korff wrote a PAM module for Linux and Solaris that can be used for login authentication locally without a RADIUS server. You do not even need otpverify.sh. The package includes the complete server components. You can download it here (new version Feb 07).

  • Mobile-OTP PAM module for Nokia IPSO

    Mobile-OTP is also available as a pre-compiled PAM-module for Nokia's IPSO operating system. Download the Nokia package here motp-0.2.tgz. It can be installed with 'newpkg' as any other Nokia package. Configuration can be done through the IPSO web interface Voyager!

    • Links

  • mOTP+ - Advanced Mobile-OTP MIDlet, hints and tips on www.freeauth.org

  • XTRadius - Free RADIUS Server with pluggable authentication
  • login_radius - RADIUS authentication for OpenBSD
  • mod_auth_radius - The RADIUS authentication module for the Apache web server
  • pam_radius_auth - The PAM RADIUS authentication module

    Email Contact

    For comments and suggestions send email to mobile-otp @web.de