jotp: The Java OTP Calculator

Sorry, your browser doesn't do java.

Download jotp here.

For a page that just has the applet on it, and not the excess verbiage, look here.

What is this?

This is an OTP calculator. OTP is the One-Time Password system also known as S/Key (which is a trademark of Bellcore, so the name OTP is often used instead). OTP is a system for generating a series of one-time passwords, with which users can authenticate themselves to a remote system without the worry of that password being snooped and re-used to gain unauthorized access to that system by an intruder. Once a one-time password is successfully used, the system will expect a new one-time password the next time, so even though a one-time password can be snooped, it cannot be re-used.

An OTP one-time password is calculated by combining a seed with a secret password known only to the user, and then repeatedly applying either the MD4 or MD5 secure hash algorithms a number of times equal to the sequence number. Each time the user is authenticated, the sequence number expected by the system is decremented.

Should I Care?

Probably not so much any more. OTP was more relevant back in the dark ages, before SSH and SSL were as prevalent. It probably continues to have some applications. If you need MD4 or MD5 code for some other java-based app, there's code in here that you're welcome to steal.

How trusting are you?

I wouldn't recommend typing in your password to a java applet you found on some guy's web page. If you haven't examined the java code that implements this calculator, how do you know that it doesn't initiate a connection back to this web server and log your password? Java-capable web browsers generally allow connections back to the host from which the page was downloaded.

I assure you that I have no such intention, but paranoia would dictate that if you're actually going to use this, that you might consider grabbing the sources, giving them the once-over to look for suspicious activity (like network communication), compile the java source files yourself, and stick the resulting class files somewhere safe. Even if I'm not a bad guy, I can't guarantee that this applet wasn't corrupted by someone else after I put it here. You're welcome to use it straight from here, of course, but consider yourself officially cautioned.

Some OTP-relevant links:

The IETF OTP working group.

Note: Monopoly is apparently no longer a licensed trademark of the Tonka Corporation, but is now a trademark of the Hasbro Corporation.

Harry Mantakos / harry@meretrix.com