SkeyCalc 2.0.1
by Colin Henein

An RFC-2289 compliant OTP response generator (S/Key Calculator) for
Apple's MacOS X, MacOS X Server, OPENSTEP and NEXTSTEP.

Visit the SkeyCalc home page to download.


1. Introduction

Welcome to SkeyCalc version 2.0.1.

The version 2 releases of SkeyCalc have been completely rewritten for native compatibility with MacOS X. SkeyCalc has been around since April 1997, when it was originally released as an application for NEXTSTEP 3.3.

As mentioned throughout the application, SkeyCalc is Postcard-Ware. This means that instead of paying for SkeyCalc, I only ask that you mail me a postcard! (Pretty easy, eh?) See the About SkeyCalc panel in the application for my address.

SkeyCalc is not an arithmetic calculator like your pocket calculator. Instead, SkeyCalc computes One-Time Passwords for use in logging in to (or otherwise authenticating to) servers which implement S/Key or OTP access control. If you already understand all this, you may wish to skip the next section, which explains how this system works and why you'd want to use it.

This document contains the following sections:

  1. Introduction
  2. About OTP systems
  3. Installing SkeyCalc
  4. Using SkeyCalc
  5. SkeyCalc preferences
  6. Planned enhancements and feature requests
  7. Copyright and licensing information

2. About OTP systems (S/Key systems)

In today's internet world, security and authentication are important considerations. Servers want to know that a user requesting login is a valid user, not a malicious one who is pretending to be someone else. Traditionally this authentication function has been performed by having the user identify themselves (by supplying a username) and then typing a password: a piece of information supposedly known only by the user.

One problem with this traditional authentication mechanism is that a malicious user on the internet can arrange to eavesdrop on the authentication. (Although the details are complex, you can think of this as the internet equivalent of tapping a telephone line.) By eavesdropping, the attacker can record both the username and password, as transmitted by the user across the network. At their convenience, the attacker can then use this stolen copy of the username and password to authenticate themselves to the server, effectively stealing the identity of the original user.

The OTP system was developed as an alternative to this traditional method of authenticating users. (OTP stands for one-time password and was originally called S/Key.) With an OTP system, the password transmitted across the internet is used only once. An eavesdropping attacker can read this password as it goes by on the internet, but the saved copy of this password is useless to them: it has already been used once, and so is no longer valid.

The way the system works is as follows: When the user connects to the server and identifies themselves (generally by supplying a username), the server responds with an OTP challenge. In order to respond to this challenge with a one-time password, the user launches a program on their local computer called an OTP response generator, or sometimes an S/Key calculator. (This program, SkeyCalc, is an OTP response generator.)

The OTP response generator combines the challenge from the server with the user's secret password. Since the challenge from the server is different every time login is requested, the combination of the challenge and password results in a unique OTP response. This response is the one-time password.

The user then provides the one-time password to the server, which can then grant authentication, and allow the user to log in.

Since the user's password is only typed into the OTP response generator, and since that OTP response generator is on the local machine (not across the internet), the eavesdropper cannot see the user's secret password. Only the one-time password can be eavesdropped upon, and that password is useless as soon as it is accepted by the remote server.

So, in summary, the process of OTP login to a remote server is:

  1. Connect to the remote server
  2. Enter a username
  3. Receive an OTP challenge
  4. Launch an OTP response generator (like SkeyCalc)
  5. Provide the challenge and your password to the response generator
  6. Take the OTP response created by the generator and provide it to the server.

3. Installing SkeyCalc

Installing SkeyCalc is simple.

Please note that after installation it is recommended that you switch on the 'Use better matching' preference if possible. See section 5.3, below.

  1. If you have not yet opened the SkeyCalc archive, double click on the file you downloaded called SkeyCalc-2.0.1.dmg.gz, and then double-click on the SkeyCalc-2.0.1.dmg file (your web browser may already have done one of these steps.)

  2. You should see a new disk image on your desktop called SkeyCalc-2.0.1. Open this disk image.

  3. Drag the file SkeyCalc.app to an Applications folder on your system. Ideally you should install SkeyCalc in a system-wide applications directory (like the /Applications directory at the top of your hard disk). Note that you may need to be logged in as an administrative user in order to do this. If you install SkeyCalc in another application folder, users may not be able to launch SkeyCalc as a service, which is the preferred way to launch SkeyCalc.

    If you cannot log in as an administrator, the next best place to install SkeyCalc is in a directory called Applications in the very top of your home directory. Create this directory if it doesn't exist. Only you will be able to run SkeyCalc as a service. Other users will have to install their own copies.

    Note to advanced users: SkeyCalc can also be network-installed and should be placed in an application folder that is searched by the Finder, like a shared /Network/Applications.

  4. Log out. (You must log out and log back in before you can run SkeyCalc as a service.)

4. Using SkeyCalc

Image of SkeyCalc interface

Using SkeyCalc is simple.

When you receive an OTP challenge, select it with your mouse. It is not necessary to be too precise; SkeyCalc will function even if some other text is selected too. Just make sure the whole challenge is selected.

Select Skey Response from the Services menu. On MacOS X, you will find the Services menu in the current application's application menu (the boldface one, just to the right of the Apple menu in the menu bar.)

When you select Skey Response, the SkeyCalc application will be launched. It will show the challenge in its interface, and the cursor will be positioned for you to type your password. Simply type your password, then click the Calc & Copy button, or press ENTER or RETURN on the keyboard. SkeyCalc will compute the OTP response, and copy it onto the pasteboard. Then SkeyCalc will quit.

Your original application should become active again. Now, simply select Paste from the Edit menu, and the response will be sent to your server. (You may need to press ENTER to actually send the text.)

Important Tip: if SkeyCalc seems to be selecting incorrect text as the challenge, see the Use Better Matching preference in section 5, below.

Here is a quick summary of how to use SkeyCalc.

  1. Select the OTP challenge
  2. Select Skey Response from the Services menu
  3. When SkeyCalc has launched, type your password and press enter.
  4. When SkeyCalc quits, paste the response into your application

4.1 Details

5. SkeyCalc preferences

New in this version of SkeyCalc, there are 3 preferences. They can be set on the Preferences panel, which can be opened from the SkeyCalc menu (the Edit menu, on MacOS X Server).

It is recommended that you switch on the 'Use better matching' preference if possible.

5.1 Quit after calculation

Generally speaking, SkeyCalc quits after it performs a calculation for you, unless there is an error in the calculation. I have no idea why you would want to alter this, but you can. Turning this off will cause SkeyCalc to keep running after a calculation. It will still respond to new service requests. This preference is on by default.

5.2 Prefer challenge's algorithm

SkeyCalc auto-detects the digest algorithm (md4 or md5) requested by standards-conforming OTP challenges. It also contains a button that lets you manually set the algorithm to be used. If there is a conflict between what the user requests and what the challenge requests, this preference decides what will happen. If set (the default), the challenge's algorithm will be used. If off, the user's choice will be used.

5.3 Use better matching

Most users should be able to switch this preference on, and should do so. If you turn it on and things stop working, then switch it back off again. This preference is not selected by default because it will make a minority of users unable to use SkeyCalc, as explained in the next paragraph:

When launched as a service, SkeyCalc searches through the selected text looking for an OTP challenge. Most challenges resemble: 111 fu2234. Note the letters (fu) in the second part of the challenge. In the OTP standard, these letters are technically optional. Since the letters are often present, however, you can turn this preference on to allow SkeyCalc to make use of them in pinpointing OTP challenges in selected text. In other words, when this preference is set, SkeyCalc requires the letters. This will make SkeyCalc unusable by you if your server doesn't send letters in challenges. When unset, SkeyCalc will allow a challenge consisting exclusively of numbers.

The reason to switch this preference on is that SkeyCalc may mistake other pairs of numbers for the challenge, which would not be good. If your challenges have both letters AND numbers (after the otp-xxx part, if any) then switch this preference on.
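The whole chain described in section 2 (challenge plus secret password becomes the one-time password) together with the matching rules of sections 5.2 and 5.3, as an added Python example; this is not SkeyCalc's own code, which does not appear on this page. It assumes a login banner I constructed, handles md4 and md5 only (SkeyCalc does not do sha1 either, see 6.1), and emits the RFC 2289 hexadecimal response form rather than the six-word form.

```python
import hashlib
import re


def find_challenge(text, better_matching=True):
    """Return (algorithm or None, count, seed) for the first OTP challenge in text.

    With better_matching the seed must contain both letters and digits (as in
    '111 fu2234'); without it an all-digit seed is accepted too, so a stray
    pair of numbers in the selection can be mistaken for the challenge.
    """
    seed = r"(?=[a-z0-9]*[a-z])(?=[a-z0-9]*[0-9])" if better_matching else ""
    seed += r"[a-z0-9]{1,16}"
    pat = re.compile(r"(?:otp-(md4|md5|sha1)\s+)?\b(\d{1,4})\s+(" + seed + r")\b", re.I)
    m = pat.search(text)
    if m is None:
        return None
    alg = m.group(1).lower() if m.group(1) else None
    return alg, int(m.group(2)), m.group(3).lower()  # the seed is case-insensitive


def choose_algorithm(challenge_alg, user_alg, prefer_challenge=True):
    """Resolve a conflict the way the 'Prefer challenge's algorithm' preference does."""
    if challenge_alg is None or not prefer_challenge:
        return user_alg
    return challenge_alg


def fold(digest):
    """RFC 2289 folding for md4/md5: XOR the two 64-bit halves of the digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_response(algorithm, count, seed, password):
    """Hex one-time password: hash(seed+password), fold, then re-hash count times."""
    if algorithm not in ("md4", "md5"):  # md4 may need OpenSSL's legacy provider
        raise ValueError("only md4/md5 here; sha1 folds its digest differently")
    key = fold(hashlib.new(algorithm, (seed.lower() + password).encode()).digest())
    for _ in range(count):
        key = fold(hashlib.new(algorithm, key).digest())
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


# Constructed banner: the date holds a decoy number pair ahead of the real challenge.
BANNER = "Last login: Tue Feb  5 20 02 from home\notp-md5 111 fu2234 ext\nResponse: "

if __name__ == "__main__":
    print(find_challenge(BANNER, better_matching=False))  # the decoy: (None, 5, '20')
    alg, count, seed = find_challenge(BANNER)  # ('md5', 111, 'fu2234')
    print(otp_response(choose_algorithm(alg, "md4"), count, seed, "hypothetical pass"))
```

Counts 0 and 1 for pass phrase "This is a test." with seed "TeSt" give 9E87 6134 D904 99DD and 7965 E054 36F5 029F, the MD5 test vectors in RFC 2289.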

6. Planned enhancements and feature requests

There are three planned enhancements on the horizon at the moment. How fast they get implemented will depend (in part) on user demand.

6.1 SHA-1 support

This has been on the 'would be nice' list since version 1.0. The standard (RFC-2289) highly recommends that all standards-conforming generators support the sha1 method of digesting, as well as md4 and md5. I have never, however, received a request for this, and in my experience there are no significant OTP servers issuing sha1 challenges out there.

I would be pleased to add sha1 support, but I'm not going to spend the time implementing it, or tracking down an open-source implementation unless there is some demand. So... let me know if you want this!

6.2 Password changing support

RFC-2243 defines a mechanism for OTP generators and servers to allow users to change passwords securely, and DURING a login. This looks like a good idea to me, but again I do not know if there is any call for this.

I would be pleased to implement the extended-response support that is required for this, but I'm not going to spend the time implementing it unless there is some demand. So... let me know if you could actually use this!

6.3 Keychain support

Recent releases of the MacOS, including MacOS X, support the MacOS Keychain. This system amounts to a scheme to store your passwords on your hard disk for you. I don't approve of this kind of thing, but SkeyCalc is exactly the kind of application which should support the keychain.

Accordingly, I plan to support the keychain in a future release of SkeyCalc. If anyone has a really burning desire for this, let me know and I'll look into it sooner than later. For those who are interested: I'll likely base server identification on the seed portion of the challenge.

6.4 Other feature requests

Like everyone else in this world I have a tight schedule. I am pleased to consider feature enhancements and requests, which should be delivered to me by email at

7. Copyright and licensing information

SkeyCalc v2.0.1 is copyrighted software. ©1997-2002 and onwards by Colin Henein. All rights are reserved by Colin Henein. You are using this program under the terms of a license. The full terms and conditions of the license, and complete copyright information is available in the About SkeyCalc panel inside the program. This panel is viewable from the SkeyCalc menu while SkeyCalc is running.


Last Modified: February 15, 2002