The EAP Protected One-Time Password Protocol (EAP-POTP)
Author(s):
M. Nystroem
RFC 4793 EAP-POTP February 2007
In an EAP response, this bit indicates that the provided OTP has
been calculated using a provided challenge and the token state.
The C bit MUST be set in a response if and only if the EAP-Request
that triggered the response contained an OTP TLV with the C bit
set and a challenge.
N
In an EAP-Request, the N bit, when set, indicates that the OTP to
calculate SHALL be based on the next token "state", and not the
current one. As an example, for a time-based token, this means
the next time slot. For an event-based token, this could mean the
next counter value, if counter values are used. This bit will
normally not be set in initial EAP-Request messages, but may be
set in subsequent ones. Further, the N bit carries no meaning in
an EAP-Request if a challenge is present and the C bit is not set,
and SHALL be set to 0, in this case. If a request that has the N
bit set also contains a challenge, but does not have the C bit
set, the peer SHALL regard the request as invalid, and return an
empty POTP-X EAP-Response message. Note that setting the N bit in
an EAP-Request will normally advance the internal state of the
token.
In an EAP-Response, the N bit, when set, indicates that the OTP
was calculated based on the next token "state" (as explained
above), and not the current one. The N bit MUST be set in a
response if and only if the EAP-Request that triggered the
response contained an OTP TLV with the N bit set.
T
The T bit only carries meaning for OTP methods normally
incorporating a user PIN in the OTP computation.
In an EAP-Request, the T bit, when set, indicates that the OTP to
calculate MUST NOT include a user PIN.
In an EAP-Response, the T bit, when set, indicates that the OTP
was calculated without the use of a user PIN. The T bit MUST be
set in a response if and only if the EAP-Request that triggered
the response contained an OTP TLV with the T bit set. Note that
client policy may prohibit PIN-less calculations; in these cases,
the client MAY respond with an empty POTP-X EAP response message.
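The pairing rules for the C, N and T bits above are easy to get subtly wrong on either side of the exchange, so here they are as an added Python example. This is not code from RFC 4793: the OTP TLV is modelled as three booleans plus an optional challenge (this page does not give the bit positions, so the wire layout is deliberately left out), the `pin_less_allowed` knob stands in for the client policy the text mentions, and `EventToken` is a constructed counter-only stand-in for a real event-based token.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OtpTlv:
    """Abstract OTP TLV. Bits are booleans (wire positions not shown on this page;
    assumption for illustration); challenge is None when the TLV carries none."""
    c: bool = False                    # C bit: OTP computed using a provided challenge
    n: bool = False                    # N bit: OTP based on the next token state
    t: bool = False                    # T bit: OTP computed without the user PIN
    challenge: Optional[bytes] = None  # challenge value carried in the TLV, if any


def request_is_valid(req: OtpTlv) -> bool:
    """Peer-side check: N set with a challenge present but C clear is invalid,
    and the peer answers with an empty POTP-X EAP-Response."""
    return not (req.n and req.challenge is not None and not req.c)


def peer_response_tlv(req: OtpTlv, pin_less_allowed: bool = True) -> Optional[OtpTlv]:
    """Bits the peer must set in its response, or None for an empty POTP-X response.
    pin_less_allowed models client policy on PIN-less calculations (assumed knob)."""
    if not request_is_valid(req):
        return None
    if req.t and not pin_less_allowed:
        # Policy prohibits PIN-less OTPs; the client MAY answer with an empty response.
        return None
    return OtpTlv(
        c=req.c and req.challenge is not None,  # C iff request had C and a challenge
        n=req.n,                                # N iff request had N
        t=req.t,                                # T iff request had T
    )


def response_is_consistent(req: OtpTlv, resp: OtpTlv) -> bool:
    """Server-side check that the response bits mirror the request as the MUST rules require."""
    return (
        resp.c == (req.c and req.challenge is not None)
        and resp.n == req.n
        and resp.t == req.t
    )


class EventToken:
    """Constructed event-based token: only the counter (the token state) is modelled."""

    def __init__(self, counter: int = 0) -> None:
        self.counter = counter

    def state_for(self, req: OtpTlv) -> int:
        """Counter value the OTP must be based on for this request."""
        if not request_is_valid(req):
            # Never advance state for a request the peer must reject.
            raise ValueError("invalid OTP TLV: N set with challenge but C clear")
        if req.n:
            # N set: use the next counter value, which advances the token's
            # internal state, as the text notes.
            self.counter += 1
        return self.counter


if __name__ == "__main__":
    req = OtpTlv(c=True, n=True, challenge=b"constructed-challenge")
    resp = peer_response_tlv(req)
    print("response bits:", resp)
    print("server accepts:", response_is_consistent(req, resp))
    print("token state used:", EventToken(counter=5).state_for(req))
```

Note that `response_is_consistent` treats a request with C set but no challenge as one whose response must not set C, which is what the "if and only if ... with the C bit set and a challenge" wording requires; a server that only checks "C in response implies C in request" would accept a response that claims a challenge-based OTP where no challenge was ever issued.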
Nystroem Informational [Page 26]