Saturday, November 8, 2008

The End of Annoying OTPs

If you're a CS student at the Hebrew University of Jerusalem, you're familiar with OTPs (one-time passwords), which are required to connect to the university servers remotely, submit exercises, receive grades and so on.

There are currently two ways to generate OTPs:
  • If you have a Java-enabled phone (Nokia only), you can download an application called HOTP that generates a new OTP with each button click.
  • If you don't have a Nokia phone (like me), you have to open a website, enter your Unix username and password and solve a CAPTCHA. An SMS containing 5 OTPs is then sent to your cellphone.
Needless to say, the latter option is really annoying, especially when you need an OTP 4-5 times in a row while submitting an exercise (connecting to the FTP server, using SSH, entering the submission system and so on).

So I decided to write my own OTP client that generates OTPs locally. The main goal was a program that copies the next OTP to the clipboard, so the 5-digit password can be pasted wherever it is needed.

I simulated a download of the HOTP program and decompiled it (Jad rules). The code was obfuscated, but with the help of the koders search engine I figured out that it uses the Bouncy Castle Java library. Bouncy Castle provides a wide range of cryptographic primitives; here the application uses Rijndael (the cipher standardized as AES) together with HMAC-SHA-1 (a keyed hash, not an encryption algorithm) to generate the OTP.

I won't go into further details. If you're really interested in how it works, read the script's source; it's not that complicated.

Some installation details:
  • Very important note: if you're currently using the HOTP application, installing this script (which requests a new HOTP application download) will break the HOTP application on your cellphone. This happens because the key counter is randomly selected each time an application is generated for download, so the copy already on your phone is no longer in step with the server.
    If any of you sees this as an important issue, leave a reply here or send me an email.
  • You'll need ActiveState Python (version 2.4 or later).
  • If you're using an operating system other than Windows, you can still use the script, but the clipboard option will not work (the OTP is only printed to stdout).
  • After installing Python and downloading the script, run it without parameters and the installation will begin.
  • For further options, use the --help or -h switch.
You can download NOTP from here.
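The post says the OTP is derived with HMAC-SHA-1, and the installation note warns that a freshly generated application gets a new random counter and breaks the copy already on the phone. The following is an added example (Python 3, not code from this post or from NOTP) of the standard HOTP construction from RFC 4226, which is the usual way an HMAC-SHA-1 counter token works, together with a verifier that shows why a small counter skip is tolerated but a re-randomised counter is not. That the university's application follows RFC 4226 exactly, the demo secret, the look-ahead window size and the 5000 starting counter are all assumptions.

```python
import hashlib
import hmac
import struct

# Added example, not code from the original post or from the university's HOTP
# application. It implements the standard HOTP construction (RFC 4226): the OTP
# is HMAC-SHA-1 over a shared secret and a moving counter, dynamically truncated
# to a fixed number of decimal digits. Whether the university's scheme uses
# exactly this construction is an assumption; the secret and counter values
# below are constructed for the demo and are not real credentials.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for `counter`, as a zero-padded decimal string."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpClient:
    """Token side: emits the next code and advances its own counter."""

    def __init__(self, secret: bytes, counter: int = 0, digits: int = 6):
        self.secret, self.counter, self.digits = secret, counter, digits

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1
        return code


class HotpServer:
    """Verifier side with a look-ahead window (RFC 4226 section 7.4), so a
    client that burned a few codes without submitting them can resynchronise."""

    def __init__(self, secret: bytes, counter: int = 0, digits: int = 6,
                 window: int = 10):
        self.secret, self.counter = secret, counter
        self.digits, self.window = digits, window

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            expected = hotp(self.secret, self.counter + i, self.digits)
            if hmac.compare_digest(expected, code):
                self.counter += i + 1                # never accept a counter twice
                return True
        return False


def counter_sync_demo():
    """Returns (in_sync, resynced_within_window, regenerated_app) verification
    results; the last one is the failure mode from the installation note."""
    secret = b"12345678901234567890"   # constructed demo secret (RFC 4226 test key)
    server = HotpServer(secret)
    phone = HotpClient(secret)

    in_sync = server.verify(phone.next_code())      # counters 0/0: accepted

    for _ in range(3):                              # button pressed 3 times
        phone.next_code()                           # without using the codes
    resynced = server.verify(phone.next_code())     # counter 4 is inside the window

    # A fresh application download picks a new random starting counter
    # (5000 is an assumed value). The server and the surviving copy are now
    # far apart, so the copy's codes all fall outside the window and are
    # rejected.
    stale_app = HotpClient(secret, counter=5000)
    regenerated = server.verify(stale_app.next_code())

    return in_sync, resynced, regenerated


if __name__ == "__main__":
    key = b"12345678901234567890"
    print("first 3 six-digit codes:", [hotp(key, c) for c in range(3)])
    print("5-digit code, counter 0:", hotp(key, 0, digits=5))
    print("sync demo (in sync, resynced, stale app):", counter_sync_demo())
```

The demo secret is the test key from Appendix D of RFC 4226, so the six-digit codes it prints can be checked against the RFC's table (755224, 287082, 359152, ...); pass digits=5 to get codes of the length the post describes. Any local generator like this has to persist the counter between runs, and it must never be installed alongside a second copy of the same credential, which is exactly the breakage the installation note above describes.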

Have a great semester :)