Scenario One-Time Passwords

Since it was very easy for the attacker to authenticate at Server 1 in the first scenario, Client and Server 1 now work out a more elaborate method. Both agree upon a list of passwords that are to be used step by step, one at a time. Every time the client wants to authenticate, he sends the current password to Server 1, which compares it with the corresponding entry on its own list. If they match, Server 1 accepts the client's identity and he is authenticated. Both sides then delete that password from their lists.
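The list-based exchange described above, as an added example that is not part of the original scenario page; the `Client`, `Server1` and `make_password_list` names and the three-entry list are constructed here for illustration. It also shows why a password merely tapped from one session is worthless afterwards: Server 1 has already deleted it.

```python
import hmac
import secrets


def make_password_list(n):
    """Build the list of one-time passwords that Client and Server 1 agree on in advance."""
    return [secrets.token_hex(4) for _ in range(n)]


class Server1:
    """Keeps the agreed list and consumes one entry per successful authentication."""

    def __init__(self, password_list):
        # Own copy: deleting used entries here must not touch the client's list.
        self.remaining = list(password_list)

    def authenticate(self, submitted):
        if not self.remaining:
            return False  # list exhausted; nothing left to compare against
        current = self.remaining[0]
        # Compare only against the corresponding (current) entry, in constant time.
        if hmac.compare_digest(submitted.encode(), current.encode()):
            del self.remaining[0]  # the protocol deletes a password once it is used
            return True
        return False


class Client:
    """Holds its own copy of the list and hands out the current password."""

    def __init__(self, password_list):
        self.remaining = list(password_list)

    def next_password(self):
        return self.remaining.pop(0)  # the client deletes it on its side as well


def replay_demo():
    """Genuine login, then a replay of the tapped value, then the next genuine login."""
    shared = make_password_list(3)  # constructed sample list
    client, server = Client(shared), Server1(shared)
    tapped = client.next_password()       # value an eavesdropper would observe
    first = server.authenticate(tapped)   # genuine use: accepted
    replay = server.authenticate(tapped)  # same value presented again: rejected
    second = server.authenticate(client.next_password())  # next entry: accepted
    return first, replay, second
```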

Your task as attacker is, again, to gain acceptance by Server 1 as Client. This time simple tapping (listening in on the line) will not help you any further. Please take note of the hint that you are still in a position to intervene in the protocol procedure. If you fail to find a solution you can get one here.

One-time passwords are not as commonly used as normal passwords because they require considerable effort: the password lists have to be exchanged in advance. The best-known example is TANs (transaction authentication numbers) for online banking. For each transaction (for example a bank transfer) a TAN must be entered in addition to the PIN.

To Solution