Micz has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I have a specific application which I wanted to protect with an OTP system, but which can only use numbers. What I am trying to do is that the user gets a number (sensible length, perhaps 8 digits), uses an OTP tool on his palm to generate a response with a password he knows, and enters this number. Any ideas / code which will point me in the right direction? The CPAN OTP module will generate chars... thanks for your help! jan

Re: OTP (S/Key) implementation using just numbers
by jeroenes (Priest) on Jun 13, 2001 at 18:45 UTC
    A few comments:
    1. OTP may not be secure if you use small 'pads' or numbers (like less than 1000 chars). Weigh security against user-friendliness. PGP can compensate for too small info.
    2. I don't think I have to mention that security is as strong as the weakest link, but just to be sure.
    3. Chars are easy to convert to numbers, e.g. see CGIPack.
    4. Or if you have 8 chars in the 0-255 ASCII range, just use pack/unpack once (quad integer, 64-bit platforms) or twice (long integer). If you have an 8-digit integer, short is enough.

    Hope this helps,

    Jeroen
    "We are not alone"(FZ)

Re: OTP (S/Key) implementation using just numbers
by DaveHowe (Initiate) on Jun 13, 2001 at 21:16 UTC
    What you are describing is a challenge-response pair - for which OTP is not really suited. Consider instead the following:
    1. Hand the user a number
    2. user types in number and his password into a program
    3. program concats number and password to form a string, then hashes it (MD5 or something better)
    4. program converts resulting hash to decimal, and takes the lowest 'n' decimal digits to display (where 'n' is say 8-10)
    5. user hands back decimal digits
    6. server program does same calculation
    7. if numbers match, you are probably ok ;)
      Thank you for your replies! In case somebody needs some code to get started, here's mine. Please don't scream when you see my Perl...

      regards, jan
      use strict;
      use warnings;
      use Digest::MD5 qw(md5);

      srand();
      my $pass = "micz";
      # Four-digit challenge, each digit 0-9 (the original used rand(9), which can never produce a 9)
      my @random = map { int(rand(10)) } 0 .. 3;
      my $num    = join '', @random;
      my $concat = $num . $pass;      # challenge followed by the shared password
      my $hash   = md5($concat);      # 16 raw digest bytes
      # Response: four bytes picked out of the digest, shown as their 0-255 values
      # (byte 8 replaces the original's repeated byte 7, which made two response numbers always equal)
      my @response = map { ord(substr($hash, $_, 1)) } (2, 7, 8, 9);
      print "Our challenge is ", join('-', @random), " (psst, the password is $pass)\n";
      print "The correct response is ", join('-', @response), "\n";
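An added example, not code from jan or from the thread, of the challenge/response scheme DaveHowe lays out (steps 1-7) and that jan's snippet implements. Two choices are swapped in and are assumptions of this example, not part of the original posts: an HMAC-SHA-256 from the core Digest::SHA module in place of an MD5 over number.password, and a server-side table of outstanding challenges so each challenge is accepted only once; the user name 'jan' and password 'micz' are a constructed sample.

```perl
# Added example (not the thread's code): DaveHowe's steps 1-7, with HMAC-SHA-256
# swapped in for MD5 over number.password, and single-use challenges so a
# captured answer cannot be handed back a second time.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);

my $DIGITS = 8;    # 'n' from step 4

# Steps 3-4 on the palm, step 6 on the server: the same function on both sides.
sub response_for {
    my ($challenge, $password) = @_;
    my $mac = hmac_sha256($challenge, $password);    # (data, key)
    # First 32 bits of the MAC as an unsigned integer, lowest n decimal
    # digits kept, zero-padded so the answer always has exactly n digits.
    my $word = unpack('N', substr($mac, 0, 4));
    return sprintf("%0${DIGITS}d", $word % (10 ** $DIGITS));
}

# Step 7 without an early exit: the check takes the same time whether the
# first digit or the last digit is the wrong one.
sub digits_match {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Server side (step 1, steps 6-7): remember each issued challenge and forget
# it after one check, so the same answer is never accepted twice.
my %outstanding;    # challenge => user it was issued to
sub issue_challenge {
    my ($user) = @_;
    my $challenge = sprintf('%08d', int(rand(1e8)));    # rand() for the demo; a real server uses a CSPRNG
    $outstanding{$challenge} = $user;
    return $challenge;
}
sub verify {
    my ($challenge, $answer, $passwords) = @_;
    my $user = delete $outstanding{$challenge} or return 0;    # unknown or already used
    return digits_match($answer, response_for($challenge, $passwords->{$user}));
}

my %pw = (jan => 'micz');    # constructed sample user
my $c = issue_challenge('jan');
my $r = response_for($c, $pw{jan});    # what the palm tool would display
printf "challenge %s, response %s: %s\n", $c, $r, verify($c, $r, \%pw) ? 'ok' : 'rejected';
printf "same answer a second time: %s\n", verify($c, $r, \%pw) ? 'ok' : 'rejected';
```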