jotp: The Java OTP Calculator
Download jotp here.
For a page that just has the applet on it, and not the excess verbiage,
look here.
What is this?
This is an OTP calculator. OTP is the One-Time Password system also
known as S/Key (which is a trademark of Bellcore, so the name OTP is
often used instead). OTP is a system for generating
a series of one-time passwords, with which users can authenticate
themselves to a remote system without the worry of that password
being snooped and re-used to gain unauthorized access to that system
by an intruder.
Once a one-time password is successfully used, the system will expect
a new one-time password the next time, so even though a one-time
password can be snooped, it cannot be re-used.
An OTP one-time password is calculated by combining a seed
with a secret password known only to the user, and then
repeatedly applying either the MD4 or the MD5 secure hash algorithm a
number of times equal to the sequence number. Each time
the user is authenticated, the sequence number expected by the
system is decremented.
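The calculation and the server's check, as an added example (this is not jotp's code). It follows the RFC 2289 MD5 construction, in which each digest is folded to 64 bits; the `OtpServer` class, the pass phrase and the seed are constructed for illustration.

```python
import hashlib
import hmac


def fold64(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, sequence: int) -> bytes:
    """Client side: the 64-bit one-time password for a sequence number."""
    # Initial step: the lowercased seed followed by the secret pass phrase.
    value = fold64(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(sequence):  # then one hash-and-fold per sequence step
        value = fold64(hashlib.md5(value).digest())
    return value


class OtpServer:
    """Server side (hypothetical): keeps the last accepted OTP, never the secret."""

    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed, self.sequence, self.last_otp = seed, sequence, last_otp

    def challenge(self):
        # The user must answer with the OTP one step before the stored one.
        return self.sequence - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.sequence <= 0:
            return False  # chain used up; the user has to re-initialise
        # Hashing the response once must reproduce the stored OTP.
        candidate = fold64(hashlib.md5(response).digest())
        if not hmac.compare_digest(candidate, self.last_otp):
            return False
        self.last_otp = response  # the accepted OTP becomes the new reference
        self.sequence -= 1
        return True


def demo():
    secret, seed = "correct horse battery", "ke1234"  # constructed sample values
    server = OtpServer(seed, 100, otp(secret, seed, 100))
    n, s = server.challenge()
    first = otp(secret, s, n)
    accepted = server.verify(first)
    replayed = server.verify(first)  # a snooped OTP sent a second time
    n, s = server.challenge()
    return accepted, replayed, server.verify(otp(secret, s, n)), server.sequence
```

The server only ever hashes forward, so a captured response lets an observer compute OTPs that have already been used, not the next one the server will ask for.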
Should I Care?
Probably not so much any more. OTP was more relevant back in the
dark ages, before SSH and SSL were as prevalent. It probably
continues to have some applications. If you need MD4 or MD5
code for some other Java-based app, there's code in here
that you're welcome to steal.
How trusting are you?
I wouldn't recommend typing in your password to a Java applet you
found on some guy's web page. If you haven't examined the Java code
that implements this calculator, how do you know that it doesn't
initiate a connection back to this web server and log your password?
Java-capable web browsers generally allow connections back to the host
from which the page was downloaded.
I assure you that I have no such intention, but paranoia would dictate
that if you're actually going to use this, you might consider
grabbing the sources, giving them the once-over
to look for suspicious activity (like network communication), compiling
the Java source files yourself, and sticking the resulting class files
somewhere safe. Even if I'm not a bad guy, I can't guarantee that this
applet wasn't corrupted by someone else after I put it here. You're
welcome to use it straight from here, of course, but consider yourself
officially cautioned.
Note: Monopoly is apparently no longer a licensed trademark
of the Tonka Corporation, but is now a trademark of the Hasbro
Corporation.
Harry Mantakos /
harry@meretrix.com