

		Documentation for Pilot/OTP v1.7
		Copyright (C) 1997, Kenneth Albanowski
		
If you have been using a previous version of Pilot/OTP, please check
the changes listed at the bottom of this file.		
		
This program may be of use to you if you have UNIX servers (or similar
machines) that use "OTP" one-time passwords, or if you use the "S/KEY"
system. ("S/KEY" is a trademark of Bellcore, and should not be used to refer
to this software.)

OTP is a system that allows you to log on to machines that require secret
passwords without your secret password ever being typed into, or sent over,
the connection. If someone is snooping on the terminal connection or, more
prosaically, reading over your shoulder, using an OTP system will allow you to
log on to your computer without them learning your secret password.

OTP is split into client and server halves. The server accepts the
passwords, and also issues a sequence number and a seed (or "key" or
"prompt"). The client takes the sequence number, the seed, and your secret
password, and generates a new password that is then used to log on to the
server. This new password is only ever used once, and it does not matter if
someone finds out what it was, through whatever means: the next password the
server will ask for cannot be computed from it, and the server will not
accept it a second time.

If you do not have an S/KEY or OTP server, this program will probably not be
of interest to you.

Pilot/OTP implements all of the OTP client spec, as documented in Internet
RFC 1938. The MD4, MD5, and SHA1 algorithms are supported.

To use Pilot/OTP, first download the software to your Pilot (under Windows,
run the Install Giraffe application, and point it to the "pilototp.prc"
file).

Then when you need to generate a password, start Pilot/OTP via the
Applications button, type or write in the sequence number and seed
(sometimes called a "key" or "prompt") that the server prompts you with,
make sure the correct algorithm is selected (if you are using an S/KEY
server, choose the MD4 algorithm unless informed otherwise), and click
"Generate". Now write or type your secret password and press OK. A progress
bar will pop up to show how long the calculation will take.

Eventually the original screen will return, and will now display the
single-use password. There is an option to display the password either as a
series of hex digits, or as a more convenient set of English words. A button
will let you clear the password display.

If you would like to save a password, you may select the "Save key" checkbox
within the password entry screen. After the password has been generated,
Pilot/OTP will prompt you for a name for this key. By default, the seed will
be used, but you may use any name you like. (Note that it is slightly more
secure to _not_ use the seed as the name.)

Each saved key will be visible in the popup list on the upper-right of the
main screen. Note that a key consists of the original password, seed, and
algorithm. The only value that can be changed is the sequence number.
Remember that if anyone gets access to your Pilot, they can generate any
sequence number for any stored keys! Pilot/OTP will not display your secret
password to them (since v1.3 a saved password can only be "forgotten", not
viewed), but see the warning below about what the device itself may reveal.

Keys have an important side-benefit: the calculation time will be greatly
reduced. While the first calculation for creating a new key will take the
full amount of time, as will a few other calculations (at large intervals),
usually the times will be reduced to a matter of seconds.
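The following is an added example, written for this page and not Pilot/OTP's own code, showing in Python the three mechanisms described above: the client calculation (hash the seed and passphrase, then apply the hash and fold "sequence number" more times, for MD4/MD5 and for SHA1 as RFC 1938 specifies), the server-side check (the server keeps only the last accepted password and hashes the response once), and a saved key with a checkpoint cache that gives the speed-up the previous paragraph describes. The cache layout is an illustration of the idea, not Pilot/OTP's actual implementation; the challenge string follows the RFC 1938 "otp-<alg> <sequence> <seed>" syntax. The expected hex values are the published RFC 1938 Appendix C test vectors. The six-word output form is not shown because it needs the RFC's 2048-word dictionary.

```python
"""RFC 1938 / S/KEY-style one-time passwords: client generation, server
check, and a checkpoint cache in the spirit of the README's "saved keys".
Constructed example for this page; it is not Pilot/OTP's own code.
Expected values come from the RFC 1938 Appendix C test vectors."""
import hashlib
import hmac
import struct


def _fold(alg: str, data: bytes) -> bytes:
    """One OTP round: hash `data` and fold the digest to 64 bits."""
    if alg in ("md4", "md5"):
        # MD4/MD5: XOR the two 8-byte halves of the 16-byte digest.
        # (hashlib "md4" needs OpenSSL's legacy provider on recent systems.)
        d = hashlib.new(alg, data).digest()
        return bytes(a ^ b for a, b in zip(d[:8], d[8:]))
    if alg == "sha1":
        # SHA1: view the 160-bit digest as five big-endian words, fold
        # words 0^2^4 and 1^3, then write the two words little-endian so
        # the result has the same byte order as the MD4/MD5 variants.
        w = struct.unpack(">5I", hashlib.sha1(data).digest())
        return struct.pack("<2I", w[0] ^ w[2] ^ w[4], w[1] ^ w[3])
    raise ValueError(f"unsupported algorithm: {alg}")


def otp(alg: str, seed: str, passphrase: str, sequence: int) -> bytes:
    """Client: fold(seed || passphrase), then `sequence` further rounds."""
    state = _fold(alg, (seed + passphrase).encode())
    for _ in range(sequence):
        state = _fold(alg, state)
    return state


def to_hex(key: bytes) -> str:
    """The 16-hex-digit display form, grouped the way RFC 1938 prints it."""
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpServer:
    """Server: keeps only the last accepted OTP and its sequence number.
    Checking a response is one hash round plus a constant-time compare."""

    def __init__(self, alg: str, seed: str, last_otp: bytes, sequence: int):
        self.alg, self.seed, self.last, self.sequence = alg, seed, last_otp, sequence

    def challenge(self) -> str:
        # RFC 1938 challenge syntax: otp-<alg> <sequence> <seed>
        return f"otp-{self.alg} {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # The stored value is one round "ahead" of the response, so hashing
        # the response must reproduce it. A replayed or older OTP fails.
        if not hmac.compare_digest(_fold(self.alg, response), self.last):
            return False
        self.last, self.sequence = response, self.sequence - 1
        return True


class SavedKey:
    """Client 'saved key' (passphrase + seed + algorithm) with a checkpoint
    cache: chain values at multiples of `tiers` are kept, so a later, lower
    sequence number costs a few rounds instead of the whole chain. A sequence
    below every checkpoint still forces the full computation. (Illustrative
    layout only; the README does not document Pilot/OTP's actual cache.)"""

    def __init__(self, alg: str, seed: str, passphrase: str, tiers=(100, 10)):
        self.alg, self.seed, self.passphrase, self.tiers = alg, seed, passphrase, tiers
        self.cache = {}   # sequence number -> 64-bit chain value
        self.rounds = 0   # hash rounds actually performed, to show the saving

    def generate(self, sequence: int) -> bytes:
        starts = [k for k in self.cache if k <= sequence]
        if starts:
            k, state = max(starts), self.cache[max(starts)]
        else:
            k, state = 0, _fold(self.alg, (self.seed + self.passphrase).encode())
            self.rounds += 1
            self.cache[0] = state
        while k < sequence:
            state, k = _fold(self.alg, state), k + 1
            self.rounds += 1
            if any(k % t == 0 for t in self.tiers):
                self.cache[k] = state
        self.cache[sequence] = state
        return state


def demo_logins(alg="md5", seed="alpha1", passphrase="AbCdEfGhIjK", start=99):
    """Initialise a server with the OTP for `start`, answer three challenges
    from a saved key, then try a replay. Returns (results, replayed, rounds)."""
    server = OtpServer(alg, seed, otp(alg, seed, passphrase, start), start)
    client = SavedKey(alg, seed, passphrase)
    results = []
    for _ in range(3):
        _, seq, _seed = server.challenge().split()   # e.g. "otp-md5 98 alpha1"
        response = client.generate(int(seq))
        results.append(server.verify(response))
    replayed = server.verify(response)   # same OTP again: must be rejected
    return results, replayed, client.rounds


if __name__ == "__main__":
    print(to_hex(otp("md5", "alpha1", "AbCdEfGhIjK", 0)))   # 8706 6DD9 644B F206
    print(demo_logins())   # ([True, True, True], False, 112)
```

In the demo the first answer (sequence 98) costs 99 hash rounds because the cache is empty; the next two (97 and 96) start from the cached checkpoint at 90 and cost 7 and 6 rounds, which is the effect the README describes for saved keys. Note what the cache implies for the warning above: the checkpoints, like the saved passphrase, let whoever holds the device produce valid responses, so the saved-key convenience is a trade against the device's physical security.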

Always remember that the Pilot is not a secure device. Even if you don't let
Pilot/OTP remember any keys, it may (although very unlikely) be possible to
retrieve information about your secret password with special equipment. This
applies (theoretically) to all passwords you have ever entered into the
device. In practice, nobody is going to be able to get your password without
quite an amount of work.

Note: I do not use OTP or S/KEY myself, and have not thoroughly tested the
output. SHA1 output has not been independently tested at all.

The program is copyrighted freeware. Unmodified distribution is fine, but it
may not be modified and then distributed, and no more than a nominal copying
fee can be charged for distribution. Please retain this document with the
program.

This software includes the RSA Data Security, Inc. MD4 Message-Digest
Algorithm and the RSA Data Security, Inc. MD5 Message-Digest Algorithm, as
well as the SHA-1 algorithm issued by the NIST, which is detailed in FIPS
publication 180-1.

No warranty is provided for this program, express or implied. You use it
strictly at your own risk. I do not expect this program to damage your Pilot
or the information stored on it, but I cannot guarantee that it will not. If
you experience any trouble, please contact me.

To contact the author, e-mail <kjahds@kjahds.com>.

-----------------------

Changes:

 v1.1: modified MD5 calculation so it actually works. If you have v1.0
 installed, please remove it and install v1.1.

 v1.2: removed minimum length requirement for secret password, and added
 status display for lengthy calculations.

 v1.3: changed remembered password handling so that you cannot view or
 change a saved password, only "forget" it. The screen now blanks during
 password generation from the password entry screen to guard against
 shoulder surfing, and if the password has been remembered the password entry
 screen will not show at all when you calculate a new OTP.

 v1.4: Added SHA1 algorithm, and added tiered caching. (Great speed
 improvements if you have it remember your password.) Removed lower-casing
 of seed.
 
 v1.5: Added multiple saved key support, with tiered caching for each key.
 
 v1.6: Fixed potential bug with oversized key popdown. No other changes.

 v1.7: Fixed compatibility problem with PalmOS 2.0, and cleaned up various
 prompts. No algorithmic changes.

