One Time Passwords via an SMS Gateway with BIG-IP Access Policy Manager
One time passwords, or OTP, are used (as the name indicates) for a single session or transaction. The plus side is a more secure deployment, the downside is two-fold—first, most solutions involve a ...
Published Feb 08, 2011
Version 1.0
JRahm
Admin
Joined January 20, 2005
Evan
Apr 12, 2012
Nimbostratus
The TCL manual states that rand() and srand() are not cryptographically secure, and should not be used for OTP or secret key generation:
"The generator algorithm is a simple linear congruential generator that is not cryptographically secure. Each result from rand completely determines all future results from subsequent calls to rand, so rand should not be used to generate a sequence of secrets, such as one-time passwords. The seed of the generator is initialized from the internal clock of the machine or may be set with the srand function." http://www.tcl.tk/man/tcl8.4/TclCmd/expr.htm#M38
The article below mentions both the AES::key option and also the CRYPTO::keygen function (in 11.1) as ways to generate a more random and secure value.
https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/39/aft/2161610/showtab/groupforums/Default.aspx#2261273
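
The property quoted in the comment above, as an added example that is not part of the original article or comment: a Python model of a linear congruential `rand()` showing that one output fixes every later one, next to an OTP drawn from the operating system's CSPRNG. The Park-Miller constants are an assumed stand-in for the generator the manual describes, and all class and function names are illustrative.

```python
import secrets

# Park-Miller "minimal standard" constants, assumed here as a stand-in for
# the linear congruential generator the quoted manual text describes.
A, M = 16807, 2**31 - 1


class LcgRand:
    """Model of an LCG-backed rand(): the entire state is one integer."""

    def __init__(self, seed):
        self.state = seed % M or 1  # 0 is a fixed point, so avoid it

    def rand(self):
        self.state = (A * self.state) % M
        return self.state / M  # float in (0, 1)


def next_from_output(r):
    """Compute the following rand() value from a single observed value.

    The output is just state / M, so one result reveals the full state,
    which is what "completely determines all future results" means.
    """
    state = round(r * M)
    return ((A * state) % M) / M


def weak_otp(gen, digits=6):
    """The pattern to avoid: scaling rand() into an N-digit code."""
    return f"{int(gen.rand() * 10**digits):0{digits}d}"


def secure_otp(digits=6):
    """N-digit code drawn uniformly from the OS CSPRNG."""
    return f"{secrets.randbelow(10**digits):0{digits}d}"


if __name__ == "__main__":
    # Constructed seed value standing in for a clock-derived seed.
    a, b = LcgRand(1302566400), LcgRand(1302566400)
    print("same seed, same codes:", weak_otp(a), weak_otp(b))
    r = a.rand()
    print("predicted next == actual next:", next_from_output(r) == a.rand())
    print("CSPRNG code:", secure_otp())
```

In an iRule, the secure side corresponds to the `AES::key` or `CRYPTO::keygen` options the comment mentions rather than Python's `secrets` module.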