one time password
Post on 15-Jan-2017
900 Views
Preview:
TRANSCRIPT
One time password
Mahdi Ataeyan
Website: www.ataeyan.com
Twitter: @kalpase
Please feel free to interrupt
me if you have questions!
Methods for authenticating people
What you know (password)
what you have (smart card)
what you are (biometric sensors)
Cracked
Stolen
Guessed
Lost
difficult to manage or unmanageable
static password
What is otp?
Why?
Cracked
Stolen
Guessed
Lost
manageable
bottleneck
Methods of generating the OTP
Time-synchronized
Mathematical algorithms
based on the previous password
based on a challenge
in other word
Time-based authentication
Event-based authentication
Challenge-response-based authentication
based on the previous password
s = seed
f(s) = hash function
f(f(f( .... f(s) .)))
f1000(s) is stored on the target system
p = f999(s) # user's first login password
f(p) = f1000(s) #server can authenticate password
The value stored in target replaced by p.
p = f998(s) #next login
f(p) = f999(s) #server can authenticate password
hash chain S/KEY
based on a challenge
non-cryptographic protocols
Password
CAPTCHAs
copy protection challenges.
Cryptographic techniques
Message authentication code
Challengeresponse authentication
Server sends a unique challenge value sc to the client
Client generates unique challenge value cc
Client computes cr = hash(cc + sc + secret)
Client sends cr and cc to the server
Server calculates the expected value of cr and ensures the client responded correctly
Server computes sr = hash(sc + cc + secret)
Server sends sr
Client calculates the expected value of sr and ensures the server responded correctly
sc is the server generated challenge cc is the client generated challenge cr is the client response sr is the server response
Examples of challenge-response algorithms
zero-knowledge password proof and key agreement systems (such as Secure Remote Password (SRP))
Challenge-Handshake Authentication Protocol (CHAP)
OCRA - OATH Challenge-Response Algorithm
Salted Challenge Response Authentication Mechanism (SCRAM)
ssh's challenge-response system based on RSA
Message authentication code
a short piece of information used to authenticate a messageTo provide integrity and authenticity assurances on the message
hash function
MD5 #HMAC-MD5
SHA-1 #HMAC-SHA1
IPsec and TLS protocols are used HMAC-SHA1 and HMAC-MD5.
Hash-based message authentication code
H is a cryptographic hash function,
K is a secret key padded to the right with extra zeroes to the input block size of the hash function, or the hash of the original key if it is longer than that block size,
m is the message
opad is the outer padding (0x5c5c5c5c5c, one-block-long hexadecimal constant),
and ipad is the inner padding (0x3636363636, one-block-long hexadecimal constant).
HMAC-based One-time Password Algorithm
HOTP-Value = HOTP(K,C) mod 10d #number of digits
HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
HMAC(K,C) = SHA1(K 0x5c5c SHA1(K 0x3636 C))
K = secret key
C = counter
Truncate = a function that selects 4 bytes from the result of the HMAC in a defined manner.
Time-based One-time Password Algorithm
TC = (unixtime(now) - unixtime(T0)) / TST0 = start of an epochand
TS = counting in units of a time step
TOTP = HOTP(SecretKey, TC)
TOTP-Value = TOTP mod 10d #d = number of digits
The mask sets the most significant bit to 0, to prevent the number from being interpreted as negative. This guards against different implementations of the modulo operation by processors.[2]
Methods of delivering
Text messaging
Mobile phones
Proprietary tokens
Web-based methods
Hardcopy
Text messaging
Mobile phones
Proprietary tokens
Web-based methods
Hardcopy (TAN)
Transaction authentication number (TAN)
Classic TAN
Indexed TAN (iTAN)
Indexed TAN with CAPTCHA (iTANplus)
Mobile TAN (mTAN)
pushTAN
Two-factor authentication
What you know => user name and passwordWhat you have => one time password token
Multi-factor authentication
What you know => user name and passwordWhat you have => one time password tokenWhat you are
Authentication-as-a-service
Automates everything
Protects everything
Protects everyone
Easy migration
Saves money
top related