GRC's Open, Ultra-High Security,
One Time Password System


Design & Operation

GRC's "Perfect Paper Passwords" (PPP) system is a straightforward, simple and secure implementation of a paper-based One Time Password (OTP) system. When used in conjunction with an account name & password, the individual "passcodes" contained on PPP's "passcards" serve as the second factor ("something you have") of a secure multi-factor authentication system.

  • Note that using PPP passcodes for authentication without also requiring a separate secret password would not be secure due to the danger that the PPP passcard could be compromised. For two-factor authentication to enhance security, both assertions "something only you know" and "something only you have" must remain valid.
  • These PPP pages describe, discuss and display the "PPP Standard" passcode system of 4-character passcodes created from a 64-character alphabet. However, the technology is able to operate with any other user-supplied alphabet and with passcode lengths ranging from 2 to 16 characters per passcode.

As shown by our PPP demo page, the "paper" of the Perfect Paper Passwords system is the user's own. The system operates by allowing Internet users to securely print their own paper passcards any time (and at any convenient size) they wish. By enforcing secure (SSL) web browser connections, GRC's PPP printing facility securely delivers user-printable web pages with images of credit card size "passcards", each containing seven columns by ten rows of unique, single-use 4-character passcodes.

A user wishing to prove his identity to a remote Internet service, with which he has previously established an account, does so when prompted by entering the next passcode in the sequence printed on his current passcard:

[Image: sample passcard]

Individual passcodes are used and consumed in linear, left-to-right reading sequence, across and down. Since no passcode will ever be reused, the user is free to cross it off his list of remaining passcodes.

The set of 64 characters used by the (default configuration) PPP system results in 16,777,216 possible combinations of four characters. Even though each "passcode" is conveniently short, it provides more security than a 6-digit hardware token, which offers (only) one million possible numbers.

After the user has initiated a logon procedure by providing their username (used to look up their account information, including their PPP Sequence Key and the location of the next passcode), the authenticating service will prompt the user for their account's secret passphrase and for the next expected passcode. To prevent account name guessing, a secure system will always request the account's passphrase and passcode even if the username is unknown or invalid.

As shown on the sample passcard image above and on the diagram below, the remote service will prompt the user for the next passcode by providing the passcard number (as printed in the upper right corner of each card) and the row and column of the next passcode:

[Diagram: passcard]

This prompting in no way reduces the security of the system. And since no passcode or passcard will ever be reused, the user may elect to permanently cross off the most recently used passcode so that they will be able to more easily locate the next one. This also serves as a convenient visual reminder of the possible need to print and/or begin carrying the next card in the sequence as the current card's codes are consumed.

That's really all there is to it. The system offers easily understood straightforward simplicity at essentially zero cost (compared with hardware token solutions) and no batteries to consume and replace, while delivering bulletproof security in an easy-to-use one-time password authentication system.

Additional features of the system:

The Perfect Paper Passwords system was originally developed for GRC's internal use to enable GRC staff to securely authenticate themselves to GRC's private corporate management services when they were roaming away from home. PPP has turned out to be so convenient and secure that it will also be incorporated into GRC's forthcoming CryptoLink™ product as one of several highly secure remote authentication methods.

You Are Invited to Freely Download and
Use the Complete PPP CryptoSystem
Since the widespread availability of easy-to-use secure authentication is good for everyone, we are fully documenting and disclosing the operation of the system.

We also provide the system's entire operating CryptoSystem in the form of a 15 Kbyte Microsoft Windows dynamic link library (.dll) and a standalone 12 Kbyte command-line executable (.exe). The ppp.dll can be called by any language platform and the ppp.exe can be executed as a "shell process."

It is our hope that the free availability of this mature, safe, secure and simple authentication system will promote the system's widespread adoption. (Please see this page for details.)

System Overview
At its core, the Perfect Paper Passwords CryptoSystem is simply a cryptographically strong, keyed, pseudo-random sequence generator. It employs an overly-long key length, of 256 bits, to create a phenomenally large number of unique passcode sequences — approximately 10^77 (see below for the exact number). And each individually unique passcode sequence is also extremely long, cycling through approximately 3.4×10^38 passcodes before beginning to repeat. In other words, this system is effectively inexhaustible.

The PPP system cryptographically derives a successive 128-bit pseudo-random number for each passcode. From this number it "extracts" characters by successively dividing the large 128-bit number by the character set size and using the remainder to select the character. (This character extraction process is described and analyzed thoroughly on the Statistical Analysis page.)

Each division remainder is used to choose one of the following 64 characters displayed and printed using the bold "Courier New" typeface:

! # % + 2 3 4 5 6 7 8 9 : = ? @
A B C D E F G H J K L M N P R S
T U V W X Y Z a b c d e f g h i
j k m n o p q r s t u v w x y z

This set of characters was carefully chosen to eliminate visually confusing or ambiguous characters. Numeric 0 and 1 are removed, as are uppercase alphabetic 'I', 'O', 'Q' and lowercase 'l'. The HTML-unsafe special characters '&', '<' and '>' were also eliminated.

Also note that the PPP specification requires the PPP character set to be "ASCII sorted" to improve interoperability among PPP implementations. Therefore, any user-supplied character set will always be sorted into low-to-high ASCII order (as shown above) before being used.
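The extraction step described above, together with the card/row/column prompt described earlier, as an added example that is not GRC's code. The HMAC-SHA256 stand-in generator, the first-remainder-first character order, the 1-based numbering in locate() and all function names are assumptions, since this page does not specify the cipher or the card labels.

```python
import hashlib
import hmac

# The 64-character "PPP Standard" alphabet shown on this page.
PPP_ALPHABET = "!#%+23456789:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
COLUMNS, ROWS = 7, 10            # passcard layout stated on this page
PER_CARD = COLUMNS * ROWS        # 70 passcodes per card

def normalize_alphabet(chars):
    """ASCII-sort a user-supplied alphabet, rejecting duplicates."""
    if len(chars) < 2 or len(set(chars)) != len(chars):
        raise ValueError("alphabet needs at least 2 distinct characters")
    return "".join(sorted(chars))

def extract_passcode(value, alphabet=PPP_ALPHABET, length=4):
    """Successively divide a 128-bit number; each remainder picks a character."""
    if not 0 <= value < 1 << 128:
        raise ValueError("value must fit in 128 bits")
    if not 2 <= length <= 16:
        raise ValueError("passcode length must be 2..16")
    alphabet = normalize_alphabet(alphabet)
    out = []
    for _ in range(length):
        value, remainder = divmod(value, len(alphabet))
        out.append(alphabet[remainder])   # assumed order: first remainder first
    return "".join(out)

def stand_in_value(key, index):
    """ASSUMPTION: truncated HMAC-SHA256 stands in for PPP's keyed generator."""
    mac = hmac.new(key, index.to_bytes(16, "little"), hashlib.sha256).digest()
    return int.from_bytes(mac[:16], "little")

def locate(index):
    """Map a 0-based passcode index to (card, row, column), 1-based (assumed)."""
    card, offset = divmod(index, PER_CARD)
    row, column = divmod(offset, COLUMNS)   # left-to-right, then down
    return card + 1, row + 1, column + 1

def passcode_at(key, index):
    """Passcode the service would expect at a given sequence position."""
    return extract_passcode(stand_in_value(key, index))

if __name__ == "__main__":
    demo_key = bytes(32)   # constructed all-zero 256-bit key, demonstration only
    for i in (0, 6, 7, 70):
        print(locate(i), passcode_at(demo_key, i))
```

Because 2^128 is an exact multiple of 64, every remainder is equally likely with the standard alphabet; alphabets whose size is not a power of two leave a very small bias in the extracted characters.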

Short, Four Character Passcodes
The default PPP system configuration uses short and convenient alphanumeric passcodes of just four characters each:
y:VX vkAV i5UR ye3? DSA8 ZDa9 s3?A
#m29 k75+ HU#o CTVg ==Bn +5qj UW5C
PTX8 8Ahc shVe Jrww E8mc Wp%b 7SYt
But even with its short passcodes, PPP's design yields significantly more security than popular systems using longer numeric-only passcodes.
PPP passcodes are more than 16.77 times more secure:
These popular 6-digit authentication tokens can display one million possible numbers from "000000" to "999999". But the PPP system generates 16,777,216 possible 4-character passcodes. Isn't one million possible codes enough? Sure, probably. But a system offering nearly 17 million possible passcodes provides additional security. (And a piece of paper has no battery to run down.)

A 64-character alphabet was chosen because it is sufficiently large to allow each character to convey 6 bits of information (2^6 = 64) while being small enough to allow the exclusion of visually ambiguous or confusing characters. The resulting short passcodes are fun to use and easy to "get right" when reading from a printed PPP passcard.

PPP users authenticate themselves to a PPP-equipped Internet service simply by demonstrating that they know the next passcode in their own unique and personal passcode sequence. And the only way they could know the next passcode — short of a one in nearly 17 million chance of guessing — is to refer to a passcard that the authenticating service previously provided for printing.

Cryptographic Complexity
Cryptographic systems like PPP operate with very large numbers represented by a large number of binary 0 and 1 bits. The only known "attack" on a cryptographic system without any known weaknesses is to try every possible combination of bits in the hope of stumbling upon the one correct combination of all those bits. More bits means more combinations of those bits, which in turn means a lower chance that the one correct combination of bits might be found by sheer chance, accident, or through patient trial and error.

As was mentioned above, the exact number of possible individual and unique passcode sequences is 2^256 since that's the exact number of possible combinations that 256 bits may have. Since visualizing powers of 2 is difficult, here's that number shown in much more familiar decimal notation:

115, 792, 089, 237, 316, 195, 423, 570, 985, 008, 687, 907, 853,
269, 984, 665, 640, 564, 039, 457, 584, 007, 913, 129, 639, 936

When you establish an account with a PPP-based authentication service, you will be randomly assigned one unique passcode sequence from among that many possible sequences. You will never know which one you've been assigned, nor will anyone who might be trying to guess your next passcode. Even if someone has seen all of your prior passcodes or has access to all of your previous passcards, they still won't have any idea what's coming next.

Only your printout of your individual passcard
allows you to know which passcode comes next.

We also mentioned above that each user's unique passcode sequence is extremely long. Exactly how long? There are this many passcodes:

340, 282, 366, 920, 938, 463, 463, 374, 607, 431, 768, 211, 456

Consequently, jumping ahead, skipping passcodes, and retiring entire passcards early represents no problem for the PPP system. There's no danger that you'll exhaust your personal and private passcode sequence.

As you can see, for the sake of security the PPP system was designed to use lots of bits. In fact, it uses a great many more than are probably necessary to provide "adequate" security. But "adequate" security was not the goal in designing this system. The goal was overkill security, and overkill security is what PPP delivers. At the same time, the large number of bits used to create PPP's overkill security is entirely hidden from PPP's users. So even though PPP delivers world-class overkill security, the system is easy to use and has many significant advantages over weaker solutions.

The PPP Algorithm page describes the exact operation of the PPP CryptoSystem in sufficient detail to allow anyone to implement it themselves.


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2008 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Feb 22, 2008 at 09:55