Documentation for Pilot/OTP v1.6
Copyright (C) 1996, Kenneth Albanowski

If you have been using a previous version of Pilot/OTP, please check the changes listed at the bottom of this file.

This program may be of use to you if you have UNIX servers (or similar machines) that use "OTP" one-time passwords, or if you use the "S/KEY" system. ("S/KEY" is a trademark of Bellcore, and should not be used to refer to this software.)

OTP is a system that lets you log on to machines that require secret passwords without ever having to type your secret password directly. If someone is snooping on the terminal connection or, more prosaically, reading over your shoulder, an OTP system lets you log on to your computer without them learning your secret password.

OTP is divided into client and server halves. The server accepts the passwords, and also generates a sequence number and a seed (or "key" or "prompt"). The client takes the sequence number, the seed, and your secret password, and generates a new password that is then used to log on to the server. This new password is only ever used once, so it does not matter if someone finds out what it was, by whatever means.

If you do not have an S/KEY or OTP server, this program will probably not be of interest to you.

Pilot/OTP implements all of the OTP client specification, as documented in Internet RFC 1938. The MD4, MD5, and SHA1 algorithms are supported.

To use Pilot/OTP, first download the software to your Pilot (under Windows, run the Install Giraffe application and point it at the "pilototp.prc" file). Then, when you need to generate a password, start Pilot/OTP via the Applications button, type or write in the sequence number and seed (sometimes called a "key" or "prompt") that the server prompts you with, make sure the correct algorithm is selected (if you are using an S/KEY server, choose the MD4 algorithm unless informed otherwise), and click "Generate". Now write or type your secret password and press OK.
A progress bar will pop up to show how long the calculation will take. Eventually the original screen will return, now displaying the single-use password. There is an option to display the password either as a series of hex digits or as a more convenient set of English words. A button lets you clear the password display.

If you would like to save a password, select the "Save key" checkbox on the password entry screen. After the password has been generated, Pilot/OTP will prompt you for a name for this key. By default the seed is used, but you may choose any name you like. (Note that it is slightly more secure _not_ to use the seed as the name.) Each saved key is listed in the popup list at the upper right of the main screen.

Note that a key consists of the original password, seed, and algorithm. The only value that can be changed is the sequence number. Remember that if anyone gets access to your Pilot, they can generate any sequence number for any stored key! They will not, however, be able to recover your secret password.

Keys have an important side benefit: the calculation time is greatly reduced. The first calculation for a new key takes the full amount of time, as do a few later calculations (at large intervals), but usually the time is reduced to a matter of seconds.

Always remember that the Pilot is not a secure device. Even if you do not let Pilot/OTP remember any keys, it may (although very unlikely) be possible to retrieve information about your secret password with special equipment. This applies (theoretically) to all passwords you have ever entered into the device. In practice, nobody is going to get your password without a considerable amount of work.

Note: I do not use OTP or S/KEY myself, and have not thoroughly tested the output. SHA1 output has not been independently tested at all.

The program is copyrighted freeware.
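The following is an added example, not code from Pilot/OTP, showing the OTP client calculation described above (seed and pass phrase hashed once, then hashed again once per sequence number, with each digest folded to 64 bits as RFC 1938/2289 specifies) together with a checkpoint cache of the kind the saved-key section describes, so that computing a lower sequence number for a saved key costs only a few hashes. Passwords are shown as hex only; the RFC's 2048-word dictionary for the English-word form is omitted. The SavedKey class and its fixed checkpoint interval are an assumption for illustration; the page does not describe how Pilot/OTP's own tiered cache is laid out. Note that the RFC requires the seed to be lower-cased before hashing, which the v1.4 changelog says Pilot/OTP stopped doing; the code follows the RFC so that its published test vectors match.

```python
"""RFC 1938/2289 one-time-password client with checkpoint caching.

Added example (not Pilot/OTP's own code). Output is hex only; the
six-word form needs the RFC's 2048-word dictionary, omitted here.
"""
import hashlib
import struct

# RFC 2289 Appendix C vectors, pass phrase "This is a test.", seed "TeSt".
# Embedded here (constructed from the published table) as a self-check.
KNOWN_VECTORS = {
    ("md5", 0): "9E876134D90499DD",
    ("md5", 1): "7965E05436F5029F",
    ("md5", 99): "50FE1962C4965880",
    ("sha1", 0): "BB9E6AE1979D8FF4",
}


def _fold_md(digest16: bytes) -> bytes:
    """MD4/MD5: XOR the two 64-bit halves of the 128-bit digest."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def _fold_sha1(digest20: bytes) -> bytes:
    """SHA-1: take the digest as five big-endian 32-bit words, fold
    w0^w2^w4 and w1^w3, and emit the two words little-endian (RFC 2289)."""
    w = struct.unpack(">5I", digest20)
    return struct.pack("<2I", w[0] ^ w[2] ^ w[4], w[1] ^ w[3])


def otp_step(alg: str, data: bytes) -> bytes:
    """One application of the OTP hash: digest, then fold to 64 bits."""
    if alg in ("md4", "md5"):
        try:
            digest = hashlib.new(alg, data).digest()
        except ValueError as exc:  # MD4 is legacy; some OpenSSL builds omit it
            raise ValueError(f"{alg} not available in this Python build") from exc
        return _fold_md(digest)
    if alg == "sha1":
        return _fold_sha1(hashlib.sha1(data).digest())
    raise ValueError(f"unsupported algorithm {alg!r}")


def otp_initial(alg: str, seed: str, passphrase: str) -> bytes:
    """Preparatory step: hash seed||pass phrase once. RFC 2289 lower-cases
    the seed first; Pilot/OTP v1.4 removed that, so mixed-case seeds may differ."""
    return otp_step(alg, (seed.lower() + passphrase).encode("ascii"))


def otp(alg: str, seed: str, passphrase: str, seq: int) -> str:
    """Password for sequence number seq: the initial value hashed seq more times."""
    x = otp_initial(alg, seed, passphrase)
    for _ in range(seq):
        x = otp_step(alg, x)
    return x.hex().upper()


class SavedKey:
    """A saved key (algorithm, seed, pass phrase) plus a checkpoint cache.

    The server counts the sequence number down, so caching every
    `interval`-th hash value lets a later request for seq N resume from the
    nearest cached value below N instead of restarting from the seed.
    This models the documentation's 'tiered caching'; the real layout of
    Pilot/OTP's cache is not on the page and this structure is an assumption.
    """

    def __init__(self, alg: str, seed: str, passphrase: str, interval: int = 10):
        self.alg = alg
        self.interval = interval
        self.hash_calls = 0  # work counter, so the saving is measurable
        self._checkpoints = {0: otp_initial(alg, seed, passphrase)}
        self.hash_calls += 1

    def password(self, seq: int) -> str:
        # Resume from the highest cached checkpoint at or below seq.
        start = max(k for k in self._checkpoints if k <= seq)
        x = self._checkpoints[start]
        for k in range(start + 1, seq + 1):
            x = otp_step(self.alg, x)
            self.hash_calls += 1
            if k % self.interval == 0:
                self._checkpoints[k] = x
        return x.hex().upper()


def self_check() -> bool:
    """Verify the implementation against the embedded RFC 2289 vectors."""
    return all(otp(alg, "TeSt", "This is a test.", seq) == hx
               for (alg, seq), hx in KNOWN_VECTORS.items())


if __name__ == "__main__":
    print("vectors ok:", self_check())
    key = SavedKey("md5", "TeSt", "This is a test.", interval=10)
    print("seq 99:", key.password(99), "hash calls so far:", key.hash_calls)
    print("seq 98:", key.password(98), "hash calls so far:", key.hash_calls)
```

The first call for sequence 99 walks the whole chain (100 hashes) and fills the checkpoints; the next call for 98 resumes from the cached value at 90 and needs only 8 more. This is exactly the trade-off the documentation warns about: the cached values let anyone holding the device produce any lower sequence number quickly, but they are one-way hash outputs and do not reveal the pass phrase.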
Unmodified distribution is fine, but it may not be modified and then distributed, and no more than a nominal copying fee may be charged for distribution. Please retain this document with the program.

This software includes the RSA Data Security, Inc. MD4 Message-Digest Algorithm and the RSA Data Security, Inc. MD5 Message-Digest Algorithm, as well as the SHA-1 algorithm issued by NIST, which is detailed in FIPS publication 180-1.

No warranty is provided for this program, expressed or implied. You use it strictly at your own risk. I do not expect this program to damage your Pilot or the information stored on it, but I cannot guarantee that it will not. If you experience any trouble, please contact me.

To contact the author, e-mail .

-----------------------

Changes:

v1.1: Modified MD5 calculation so it actually works. If you have v1.0 installed, please remove it and install v1.1.

v1.2: Removed minimum length requirement for secret password, and added status display for lengthy calculations.

v1.3: Changed remembered password handling so that you cannot view or change a saved password, only "forget" it. The screen now blanks during password generation from the password entry screen to guard against shoulder surfing, and if the password has been remembered the password entry screen will not show at all when you calculate a new OTP.

v1.4: Added SHA1 algorithm, and added tiered caching. (Great speed improvements if you have it remember your password.) Removed lower-casing of seed.

v1.5: Added multiple saved key support, with tiered caching for each key.

v1.6: Fixed potential bug with oversized key popdown. No other changes.