The S/Key Protocol


The user selects an S/Key password K and a maximum sequence number N. The system supplies a seed k. These are hashed together (specifically: k and K are concatenated, run through the MD4 cryptographic hash function, and shortened to 64 bits by xoring the two 64-bit halves) to form h. The system then computes the following sequence of passwords p0, ..., pN-1:

p0 = fN(h); p1 = fN-1(h); ...; pm = fN-m(h); ...; pN-1 = f(h).

Note that pi = fN-i(h), or pi = f(pi-1), for 0 <= i < N.

The system stores the current count m, the seed k, and the last validated password pm-1 in a file called skeykeys.

Validation Algorithm

In the following algorithm, localhost is the host which the user is logged in to and remotehost is the host that the user is trying to log in to from localhost. The S/Key mechanism is to be used.

  1. User supplies login name, which is sent to remotehost.
  2. The remotehost sends m and k to the localhost.
  3. User supplies his or her S/Key key K; from that, m, and k, the user (or the localsystem) computes h and the next password pm = fN-m(h). This is transmitted to remotehost.

  4. The remotehost uses the new password to compute f(pm) = f(fN-m(h)) = fN-m+1(h) = fN-(m-1)(h) = pm-1.
  5. If the computed password pm-1 is the same as the one stored in the skeykeys file, the user supplied the correct password, and the skeykeys file is updated. If not, the user did not supply the correct password, and the login is denied.

You can also see this document in its native format, in Postscript, in PDF, or in ASCII text.
Send email to

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 2/13/98