httpd-dev mailing list archives

From Rob Hartill <hart...@ooo.lanl.gov>
Subject Re: secure transfer using skey
Date Fri, 01 Sep 1995 22:15:52 GMT
 
> > Basically, skey involves giving challenges which result in a 
> > one-time-password, so if I'm not missing something obvious, clients
> > and servers can just pass these challenges back and forth inside HTTP
> > headers, and send the rest of the information encrypted using the
> > one-time-password.
> > 
> > the passwords never get transmitted over the net, only the challenges
> > and encrypted data.
> 
> 	This is not quite the way S-Key works from my reading, but
> 	"close enough". 

I realise it's not the way S-Key works, but it can be used in this way
for secure http.

> 	It seems to me, though, that each user would have to have
> 	a relationship with each server, since the SKey "initial passwd"
> 	has to be given to the server "off-line" (this is how the 

This is the snag as far as I can tell. But we're all used to having
pin numbers sent to us by snail mail or using the phone to initialise
services.

> 	Another issue is how a client can generate a sequence of
> 	one-time passwords that would be known to a server (since you'd
> 	certainly not want to prompt the user to enter the intermediate
> 	phrase for every hyperlink).

The client can prompt for the secret password once, then use it locally
to compute a (series of) one-time-password to unlock the data.. subject
to the usual timeouts that are useful in these cases.


rob
--
http://nqcd.lanl.gov/~hartill/
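
For reference alongside the thread, an added example (not part of the original message or of any Apache code) of the standard S/Key-style challenge/response the posters are comparing against: the secret is entered once, each one-time password is computed locally from the challenge, and the server keeps only the last accepted value. SHA-256 stands in for the MD4-based function of RFC 1760, and the names `otp`, `Server` and `demo` and all sample values are hypothetical.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # Stand-in one-way function (assumption); RFC 1760 S/Key uses MD4 folded to 64 bits.
    return hashlib.sha256(data).digest()

def otp(secret: bytes, seed: bytes, count: int) -> bytes:
    """Client side: apply h() `count` times to seed + secret."""
    value = seed + secret
    for _ in range(count):
        value = h(value)
    return value

class Server:
    """Holds only the last accepted one-time password, never the secret."""
    def __init__(self, seed: bytes, count: int, initial: bytes):
        self.seed, self.count, self.last = seed, count, initial

    def challenge(self):
        # Sent in the clear: which link of the chain the client must produce.
        return self.seed, self.count - 1

    def verify(self, response: bytes) -> bool:
        # Refuse once the chain is used up: link 0 would be seed + secret itself.
        if self.count <= 1:
            return False
        if not hmac.compare_digest(h(response), self.last):
            return False
        self.last = response   # the accepted value becomes the new reference
        self.count -= 1        # so a replayed response no longer verifies
        return True

def demo():
    secret, seed = b"constructed passphrase", b"ke1234"  # constructed sample values
    server = Server(seed, 100, otp(secret, seed, 100))   # the "off-line" enrolment
    results = []
    for _ in range(3):         # secret entered once, reused locally per request
        s, n = server.challenge()
        response = otp(secret, s, n)
        results.append((n, server.verify(response)))
    replay_ok = server.verify(response)  # the last captured response sent again
    return results, replay_ok

if __name__ == "__main__":
    print(demo())
```

In this arrangement the server cannot compute the next one-time password in advance, because that would mean inverting `h`; it can only check a value after the client has sent it.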
