LEP-Gen

Low-entropy password generator.

This is the help file for the LEP-Gen program. There are 3 generator variants:

Detailed help follows under the named section below.

S/KEY

  1. Select the Config tab.
  2. Choose hash function from choices: md4, md5 or sha1.
  3. Choose output format from choices: dictionary (meaning S/KEY 6-word dictionary), or hex (meaning the 64-bit output is given as a 16-byte string of hex or base-16 digits).
  4. Enter your passphrase, selecting the show checkbox if desired.
  5. Return to main S/KEY tab.
  6. Enter Seed and select Count by either typing in the challenge, or by spinning the widget's up-down arrows.
  7. Tap the Compute button to compute and display the response password. The count will automatically decrement (so that you may easily notice any failure or skipped password which might indicate a compromise).
Note that the display count will not correspond to the displayed password, but rather the next displayed password.

SecurID

  1. Select the Config tab.
  2. The 64-bit key is initially set to 0's. To change it, you may either enter a new key directly (selecting show to see it, if desired), or you may import a key from a token file. In the later case you must specify a valid serial number and token filename. Merely entering the data into these fields does not yet change the displayed code.
  3. Tapping either set or Import will attempt to process the key and change the sequence of displayed codes.
  4. You may wish to export a key into a token file as well by entering a serial number and an export token filename, and then tapping the Export button. It will try not to alter an existing file.
  5. Select the SecurID tab to see the displayed code.
Warning: I do not have access to an ACE server or its token data files, so I don't totally understand how they work. The existing import/export functionality is based on my own hackings of I.C. Wiener code.

t-Hash

t-Hash is a generic time hash which uses most of S/KEY's architecture to produce a low-entropy secret without the challenge phase. It employs the RFC2289 choice of hashes, 64-bit folding and the S/KEY dictionary, and fixes the count to zero (meaning one iteration of the hash and fold mechanism). The seed is just the number of seconds since the UNIX epoch represented in hex format. For practical purposes t-Hash is S/KEY with seed defined by: 

   tm = time(NULL) - (time(NULL) % 60); // round down time modulo 1 min
   sprintf(seed, "%08lX", tm);
In addition to S/KEY's hex and 6-word format, t-Hash offers a simple 8-digit format in which the i-th decimal digit is taken as i-th byte module 10. Warning: with the 8-digit format, there is an obvious loss of entropy from full 64-bits of RFC2289 S/KEY, down to about 27-bits. This is provided as an alternative to SecurID's 6-digits (= 20-bits), each of which betrays non-trivial information about the key.

To use t-Hash, follow these instructions.

  1. Select the Config tab.
  2. Choose hash function from choices: md4, md5 or sha1.
  3. Choose output format from choices: 8-digit (described above), dictionary (meaning S/KEY 6-word dictionary), or hex (meaning the 64-bit output is given as a 16-byte string of hex or base-16 digits).
  4. Enter your passphrase, selecting the show checkbox if desired.
  5. Tap on the set checkbox to process the passphrase and change the sequence of password codes.
  6. Return to main h-Hash tab to see the new codes.
Note: To validate passcodes, compile the stand-alone C++ module thash.cpp provided in the source distribution.
- John O. Pliam <pliam@atbash.com>