A One-Time Password (RFC 2289) implementation for Android.
It is used for logging into an (OTP-enabled) system from an untrusted terminal by generating a password that is only valid for one login.
When logging in to an SSH server with OTP support, you get an OTP challenge after the login name:
```
# ssh me@host.example.org
otp-sha1 99 alpha1, Response:
```
If you use the correct passphrase for this account, in this example:
```
AbCdEfGhIjK
```
you can log in with the response:
```
MAY STAR TIN LYON VEDA STAN
```
Even if this password is sniffed by a keylogger, it is useless, since the next login attempt would have the next challenge:
```
otp-sha1 98 alpha1, Response:
```
with the response:
```
CUBA DOCK SALT PRO NOW AWRY
```
This assumes that you keep the passphrase secret, so you should use a trusted calculator on another trusted device (like your phone).

Passphrase: AbCdEfGhIjK

| challenge input | response output | hash algorithm |
|---|---|---|
| 0 alpha1 | FULL PEW DOWN ONCE MORT ARC | MD5 |
| md5 1 alpha1 | FACT HOOF AT FIST SITE KENT | MD5 |
| otp-md5 99 alpha1 | BODE HOP JAKE STOW JUT RAP | MD5 |
| sha1 0 alpha1 | LEST OR HEEL SCOT ROB SUIT | SHA1 |
| otp-sha1 1 alpha1 | RITE TAKE GELD COST TUNE RECK | SHA1 |
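
Why a sniffed response cannot be replayed, as an added example (not Opiekey's code): a sketch of the RFC 2289 calculation and of a server that checks a response by hashing it once more. The `Account` class and `demo` function are hypothetical names, and the six-word dictionary encoding is left out, so responses stay raw 64-bit values.

```python
import hashlib
import hmac

def fold(alg: str, data: bytes) -> bytes:
    """Hash `data` and fold the digest to 64 bits as RFC 2289 specifies."""
    d = hashlib.new(alg, data).digest()
    if alg == "md5":
        # 128-bit digest: XOR the two 8-byte halves.
        return bytes(a ^ b for a, b in zip(d[:8], d[8:]))
    if alg == "sha1":
        # 160-bit digest as five 32-bit words: w0^w2^w4 and w1^w3,
        # each written least-significant byte first (RFC 2289, Appendix A).
        w = [int.from_bytes(d[i:i + 4], "big") for i in range(0, 20, 4)]
        folded = (w[0] ^ w[2] ^ w[4], w[1] ^ w[3])
        return b"".join(x.to_bytes(4, "little") for x in folded)
    raise ValueError("unsupported algorithm: " + alg)

def otp(alg: str, seq: int, seed: str, passphrase: str) -> bytes:
    """Calculator side: 64-bit response to 'otp-<alg> <seq> <seed>'."""
    value = fold(alg, (seed.lower() + passphrase).encode())
    for _ in range(seq):
        value = fold(alg, value)
    return value

class Account:
    """Server side (hypothetical): keeps the last accepted OTP, never the passphrase."""
    def __init__(self, alg: str, seq: int, seed: str, last_otp: bytes):
        self.alg, self.seq, self.seed, self.last = alg, seq, seed, last_otp

    def challenge(self) -> str:
        return f"otp-{self.alg} {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Hashing a valid response once more must give the stored value.
        if not hmac.compare_digest(fold(self.alg, response), self.last):
            return False
        self.last, self.seq = response, self.seq - 1
        return True

def demo():
    # Passphrase and seed are the ones used in the example on this page.
    stored = otp("sha1", 100, "alpha1", "AbCdEfGhIjK")
    acct = Account("sha1", 100, "alpha1", stored)
    r99 = otp("sha1", 99, "alpha1", "AbCdEfGhIjK")
    first = acct.verify(r99)    # fresh response to "otp-sha1 99 alpha1"
    replay = acct.verify(r99)   # the same response, sniffed and sent again
    return first, replay, acct.challenge()
```
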
OTP does not encrypt the session content. So if you use OTP to log in through a telnet daemon without SSL support, anything you do will still be sniffable (e.g. your password if you need that for sudo).
This application is licensed under the Free Beer License, except otp.java.
Opiekey is based on jotp by Harry Mantakos. This version is modified to use the standard MessageDigest classes of the Java Cryptography Architecture API (thus gaining SHA1 support); only otp.java retains some original code, for transforming the 64-bit password into the standard OTP dictionary words (the rest was dropped).