Editing One-time password (section)

=== Hash chains ===
{{Main article|Hash chain}}

Each new OTP may be created from the past OTPs used. An example of this type of algorithm, credited to [[Leslie Lamport]], uses a [[one-way function]] (call it <math>f</math>). This one-time password system works as follows:

# A [[random seed|seed]] (starting value) <math>s</math> is chosen. 
# A [[hash function]] <math>f(s)</math> is applied repeatedly (for example, 1000 times) to the seed, giving a value of: <math>f(f(f(\ldots f(s) \ldots )))</math>. This value, which we will call <math>f^{1000}(s)</math> is stored on the target system.
# The user's first login uses a password <math>p</math> derived by applying <math>f</math> 999 times to the seed, that is, <math>f^{999}(s)</math>. The target system can authenticate that this is the correct password, because <math>f(p)</math> is <math>f^{1000}(s)</math>, which is the value stored. The value stored is then replaced by <math>p</math> and the user is allowed to log in.
# The next login, must be accompanied by <math>f^{998}(s)</math>. Again, this can be validated because hashing it gives <math>f^{999}(s)</math> which is <math>p</math>, the value stored after the previous login. Again, the new value replaces <math>p</math> and the user is authenticated. 
# This can be repeated another 997 times, each time the password will be <math>f</math> applied one fewer time, and is validated by checking that when hashed, it gives the value stored during the previous login. Hash functions are designed to be extremely hard to reverse, therefore an attacker would need to know the initial seed <math>s</math> to calculate the possible passwords, while the computer system can confirm the password on any given occasion is valid by checking that, when hashed, it gives the value previously used for login. If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for <math>s</math> is exhausted.
# Although the server's counter value is only incremented after a successful OTP authentication, the counter on the token is incremented every time a new password is requested by the user. Because of this, the counter values on the server and on the token might be out of synchronization. It is recommended to set a look-ahead parameter <math>x</math> on the server, which defines the size of the look-ahead window.  In case of an accidental password generation by the user, the server will still authenticate the client, because it can recalculate the next <math>x</math> OTP-server values, and check them against the received password from the client.<ref name=":rfc4226">[https://datatracker.ietf.org/doc/html/rfc4226#section-7.4 IETF Tools]. RFC 4226 - Section 7.4: Resynchronization of the Counter</ref>

To get the next password in the series from the previous passwords, one needs to find a way of calculating the [[inverse function]] <math>f^{-1}</math>. Since <math>f</math> was chosen to be one-way, this is extremely difficult to do.  If <math>f</math> is a [[cryptographic hash function]], which is generally the case, it is assumed to be a [[computationally intractable]] task. An intruder who happens to see a one-time password may have access for one time period or login, but it becomes useless once that period expires. The [[S/KEY]] one-time password system and its derivative OTP are based on Lamport's scheme.