ONE-TIME PASSWORD By Ata Ebrahimi|www.AtaEbrahimi.com

Upload: ata-ebrahimi

Post on 15-Jul-2015

Page 2: One-Time Password

AGENDA

1. Abstract

2. Need

3. Overview

4. Method of Generating

5. Algorithm

6. Performance Analysis

7. Method of Delivering

8. N-Factor Authentication

9. Discussion

10. References

Page 3: One-Time Password

ABSTRACT

This presentation describes a one-time password (OTP) authentication system. The system provides authentication for system access (login) and for other applications that require authentication, and it is secure against passive attacks based on replaying a captured reusable password.

Page 5: One-Time Password

NEED

As organizations migrate more Business-to-Business (B2B) and Business-to-Consumer (B2C) interactions online, the need to protect identities and enable secure remote access has become critical. Traditional "static" passwords are easily stolen, frequently lost and expensive for the enterprise to manage.

Page 6: One-Time Password

NEED

(Figure: B2B and B2C interactions)

Page 8: One-Time Password

OVERVIEW

One form of attack on a networked computing system is eavesdropping on network connections to obtain authentication information such as the login IDs and passwords of users. Once this information is captured, it can be replayed at a later time to gain access to the system.

Page 9: One-Time Password

OVERVIEW

One–time password systems are designed to counter this type of attack.

Page 10: One-Time Password

OVERVIEW

A One-Time Password (OTP) is a means of more simply and securely proving the identity of a user. In a common implementation model, the end user carries an authentication device (called a token) that could be a standalone device, such as a card or a fob that can be hung on a key chain.

Page 11: One-Time Password

OVERVIEW

OTP Provides

Simple and Secure System Access

Page 13: One-Time Password

METHODS OF GENERATING

1. Time-synchronized

2. Mathematical algorithm

Page 14: One-Time Password

TIME SYNCHRONIZED

Usually tied to a piece of hardware called a security token.

Inside the token is an accurate clock that has been synchronized with the clock on the (often proprietary) authentication server.

Page 15: One-Time Password

TIME SYNCHRONIZED

Each new password is derived from the current time, combined with a secret key shared with the server (or, in some designs, with the previous password).

Page 16: One-Time Password

MATHEMATICAL ALGORITHM

Previous Password-Based

The passwords form a chain and must be used in a predefined order; each new OTP is derived from the OTPs used before it.

Challenge-Response Based (Event-Based)

Requires the user to provide a response to a challenge: a random number chosen by the authentication server and/or a counter.

Page 17: One-Time Password

PREVIOUS PASSWORD-BASED

Works by starting with an initial seed s, then generating passwords f(s), f(f(s)), f(f(f(s))), ... as many times as necessary, where f is a one-way function. The passwords are then used in the reverse order of generation, so that a captured password reveals only values the server has already consumed, never the next one.

If an indefinite series of passwords is wanted, a new seed value can be chosen after the set derived from s is exhausted.

Page 18: One-Time Password

CHALLENGE RESPONSE-BASED (EVENT-BASED)

In computer security, challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.

The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password.

Page 19: One-Time Password

CHALLENGE RESPONSE-BASED (EVENT-BASED)

In the token model this is done by typing the challenge issued by the server into the token itself, which computes the response.

To avoid duplicates, an additional counter is usually involved, so if the same challenge happens to be issued twice, it still results in different one-time passwords.

The computation does not usually involve the previous one-time password.

Page 21: One-Time Password

TIME SYNCHRONIZED ALGORITHM

TOTP

Page 22: One-Time Password

HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM

In cryptography, HMAC (Hash-based Message Authentication Code), is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key.

Page 23: One-Time Password

HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM

Based on an increasing counter value and a static symmetric key known only to the token and the validation server.

Uses the HMAC-SHA-1 algorithm to create the HOTP value:

HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))

K = the shared secret key, C = the counter (8-byte big-endian); Truncate extracts a 31-bit value from the MAC and reduces it modulo 10^d to give a d-digit code.

Page 24: One-Time Password

TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM

An extension of the HMAC-based one-time password (HOTP) algorithm to support a time-based moving factor.

Page 25: One-Time Password

TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM

This variant of the HOTP algorithm specifies the calculation of a one-time password value based on a representation of the counter as a time factor.

Page 26: One-Time Password

TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM

Basically, TOTP is defined as:

TOTP = HOTP(K, T)

T = number of time steps between the initial counter time T0 and the current system time:

T = floor((Current Unix Time - T0) / X)

Default value of T0 = 0 (the Unix epoch)

X = time step in seconds; default value of X = 30
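The HOTP and TOTP computations from the last few slides, as an added worked example in Python (this is not code from the original presentation or from either RFC's reference implementation). It is checked against the published RFC 4226 and RFC 6238 test vectors, whose shared secret is the ASCII string "12345678901234567890". The counter-based mode is the event-based OTP of the earlier slides. The server-side `verify_hotp` / `verify_totp` helpers, the look-ahead window, the clock-drift window and the "each time step is accepted once" rule are my assumptions about a sensible validation server, not something the slides specify.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors. In a real deployment the
# secret is provisioned once and held only by the token and the validation server.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) as in RFC 4226.

    C is encoded as an 8-byte big-endian integer. Truncate is the 'dynamic
    truncation': the low nibble of the last MAC byte selects a 4-byte window,
    the top bit of that window is cleared, and the result is reduced mod 10^digits.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP = HOTP(K, T) with T = floor((unix_time - T0) / X), as in RFC 6238."""
    t = (int(unix_time) - t0) // step
    return hotp(key, t, digits, digestmod)


def verify_hotp(key: bytes, submitted: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check (assumed policy, not from the RFC text).

    The token may have advanced its counter without the server seeing the codes
    (button presses that were never submitted), so the server tries a small
    look-ahead window. On success it returns the new server counter (accepted
    counter + 1) so that the same code can never be accepted again; on failure
    it returns None and the stored counter must be left unchanged.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            return c + 1
    return None


def verify_totp(key: bytes, submitted: str, unix_time: int,
                last_accepted_step: int = -1, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side TOTP check (assumed policy).

    Accepts the current time step plus `window` steps either side to tolerate
    clock drift, but never a step at or before the last one accepted, so a code
    captured on the wire cannot be replayed inside the drift window. Returns the
    accepted time step, or None.
    """
    t = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = t + delta
        if candidate <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter={c}: {hotp(RFC_TEST_KEY, c)}")
    print("TOTP at t=59, 8 digits:", totp(RFC_TEST_KEY, 59, digits=8))
    print("accepted, next counter:", verify_hotp(RFC_TEST_KEY, "755224", 0))
    print("replay of same code:", verify_hotp(RFC_TEST_KEY, "755224", 1))
```

Note that `hmac.compare_digest` is used for the code comparison so that the server's response time does not leak how many leading digits of a guess were right; the cost of a 6-digit code is that it can be guessed online, so a real server also rate-limits attempts.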

Page 28: One-Time Password

PREVIOUS PASSWORD-BASED ALGORITHM

1. Lamport

2. CINON

3. PERM

4. SAS

5. SAS-2

Page 29: One-Time Password

LAMPORT ALGORITHM

The mechanism of Lamport's algorithm consists of two phases:

The Registration Phase: the registration process is performed only once.

The Authentication Phase: the authentication procedure is executed every time the user logs in to the system.

Page 30: One-Time Password

LAMPORT REGISTRATION PHASE

Page 31: One-Time Password

LAMPORT i-TH AUTHENTICATION PHASE

Page 32: One-Time Password

LAMPORT TYPE PROCEDURE

Page 33: One-Time Password

LAMPORT ALGORITHM

Lamport's algorithm has two practical difficulties:

High hash overhead

Requirement of resetting the verifier (password)

Page 34: One-Time Password

LAMPORT ALGORITHM

Lamport's algorithm is a simple procedure, but the user must apply the one-way hash function many times in every authentication session (M - i times for the i-th login, where M is the chain length chosen at registration).

Also, the user has to re-register after the M-th authentication session, because the chain is then exhausted.
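The previous-password chain f(s), f(f(s)), ... from the "Method of Generating" slides and the two Lamport phases above, as an added worked example in Python (not code from the presentation or from Lamport's paper). The chain length M, the use of SHA-256 as the one-way function f, the demo seed and the class names are all assumptions made for this example; the scheme itself only requires a one-way hash.

```python
import hashlib
import hmac

M = 5  # chain length chosen at registration (constructed value for this example)


def h(x: bytes) -> bytes:
    """The one-way function f of the slides. SHA-256 is an assumption."""
    return hashlib.sha256(x).digest()


def h_iter(x: bytes, n: int) -> bytes:
    """Apply h n times: f(f(...f(x)))."""
    for _ in range(n):
        x = h(x)
    return x


class LamportUser:
    def __init__(self, seed: bytes, m: int = M):
        self.seed = seed
        self.m = m
        self.i = 0  # authentication sessions completed so far

    def register(self):
        """Registration phase (performed once): hand the host h^M(seed) as the verifier."""
        return self.m, h_iter(self.seed, self.m)

    def next_password(self) -> bytes:
        """i-th authentication phase: reveal h^(M-i)(seed), the pre-image of the host's verifier.

        Passwords are consumed in reverse order of generation. Recomputing
        h^(M-i)(seed) from the seed costs M-i hash evaluations per login,
        which is the 'high hash overhead' the slides refer to.
        """
        self.i += 1
        if self.i > self.m:
            raise RuntimeError("chain exhausted: re-register with a fresh seed")
        return h_iter(self.seed, self.m - self.i)


class LamportHost:
    def __init__(self, n: int, verifier: bytes):
        self.n = n                # logins remaining before the verifier must be reset
        self.verifier = verifier  # currently h^(M-i)(seed) for the last accepted i

    def authenticate(self, candidate: bytes) -> bool:
        if self.n == 0:
            return False          # chain used up: the user must register again
        if hmac.compare_digest(h(candidate), self.verifier):
            self.verifier = candidate  # an eavesdropped copy no longer hashes to the verifier
            self.n -= 1
            return True
        return False


def run_demo(seed: bytes = b"constructed-demo-seed", m: int = M):
    """Register once, log in m times, and try to replay each password.

    Returns (accepted_logins, every_replay_rejected, chain_exhausted).
    """
    user = LamportUser(seed, m)
    host = LamportHost(*user.register())
    accepted = 0
    replay_rejected = True
    for _ in range(m):
        pw = user.next_password()
        if host.authenticate(pw):
            accepted += 1
        replay_rejected = replay_rejected and not host.authenticate(pw)
    return accepted, replay_rejected, host.n == 0


if __name__ == "__main__":
    print(run_demo())
```

The replay check in `run_demo` is the property the abstract promises: a password captured on the wire is worthless once the host has consumed it. What the scheme does not protect against is an attacker who intercepts the password before the host sees it and submits it first; that is the active attack the later CINON/PERM slide refers to.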

Page 35: One-Time Password

CINON (CHAIN ONE-WAY DATA VERIFICATION METHOD) ALGORITHM

Solves the high hash overhead and the password-resetting problem of Lamport's scheme.

Uses two random numbers that change at each authentication.

The two random numbers are generated by the user, and the user is required to memorize them.

Page 36: One-Time Password

PERM (PRIVACY ENHANCED INFORMATION READING AND WRITING MANAGEMENT METHOD) ALGORITHM

Solves the random-number memorizing problem of CINON.

One random number is stored on the host and sent to the user at each authentication.

The other random number is derived from this number by a predetermined increment.

Page 37: One-Time Password

CINON AND PERM ALGORITHM

Security flaw: both are vulnerable to a replay attack mounted by a man-in-the-middle who captures the values exchanged during a session and reuses them.

Page 38: One-Time Password

SAS (SIMPLE AND SECURE) ALGORITHM

According to its authors, SAS is the first one-time password authentication method that can change the verifier every session without limit.

Page 39: One-Time Password

SAS (SIMPLE AND SECURE) ALGORITHM

The mechanism of the SAS algorithm consists of two phases:

The Registration Phase: the registration process is performed only once.

The Authentication Phase: the authentication procedure is executed every time the user logs in to the system.

Page 40: One-Time Password

SAS REGISTRATION PHASE

Page 41: One-Time Password

SAS i-TH AUTHENTICATION PHASE

Page 42: One-Time Password

SAS PROCEDURE TYPE

Page 43: One-Time Password

SAS ALGORITHM

The SAS algorithm applies a one-way function five times per authentication.

This is costly, because each application of the one-way function is a hash function or a common-key (symmetric) cryptosystem operation.

SAS and the earlier methods are therefore impractical on low-specification machines.

Page 44: One-Time Password

SAS-2 ALGORITHM

The SAS-2 algorithm can also change the verifier every session without limit.

SAS-2 applies its one-way function only three times, using two verifiers plus one further value for masking.

This reduces the hash overhead by about 40% in comparison with SAS.

It is a synchronous data communication procedure: both sides must stay in step from one session to the next.

Page 45: One-Time Password

SAS-2 ALGORITHM

The Mechanism of SAS-2 algorithm consists of two phases :

The Registration Phase The Registration process is performed only once

The Authentication Phase The Authentication procedure is executed every time the user log in to the system

Page 46: One-Time Password

SAS-2 REGISTRATION PHASE

Page 47: One-Time Password

SAS-2 i-TH AUTHENTICATION PHASE

Page 48: One-Time Password

SAS-2 PROCEDURE TYPE

Page 49: One-Time Password

SAS-2 ALGORITHM USING CHALLENGE RESPONSE

If the user cannot store any data, the system can use the SAS-2 protocol with a challenge-response method.

The user then does not need to store the random number.

The cost is that the number of transmissions per authentication increases.

Page 50: One-Time Password

SAS-2 ALGORITHM USING CHALLENGE RESPONSE

The Mechanism of SAS-2 algorithm using challenge response consists of two phases :

The Registration Phase The Registration process is performed only once

The Authentication Phase The Authentication procedure is executed every time the user log in to the system

Page 51: One-Time Password

SAS-2 REGISTRATION PHASE USING CHALLENGE RESPONSE

Page 52: One-Time Password

SAS-2 i-TH AUTHENTICATION PHASE USING CHALLENGE RESPONSE

Page 54: One-Time Password

MATHEMATICAL ALGORITHM PERFORMANCE ANALYSIS

Page 56: One-Time Password

METHODS OF DELIVERING

1. Paper (a printed list of codes)

2. SMS

3. Mobile phone (an authenticator application)

4. Hardware token

Note that delivering the OTP by SMS moves the secret onto the phone network: whoever can intercept or redirect the message obtains the code, which is exactly the eavesdropping exposure the OTP was meant to remove.

Page 58: One-Time Password

TWO-FACTOR AUTHENTICATION

Instead of relying on only one type of authentication factor, such as only things a user knows (login IDs, passwords, secret images, shared secrets, solicited personal information, etc.), a second factor, something the user has or something the user is, must be supplied in order to authenticate.

Page 59: One-Time Password

MULTI-FACTOR AUTHENTICATION

Two or more of the authentication factors are required to be authenticated.

Sometimes called strong authentication.

An extension of two-factor authentication.

Page 60: One-Time Password

MULTI-FACTOR AUTHENTICATION

Existing authentication methodologies involve three basic "factors":

Something the user knows (password, PIN)

Something the user has (ATM card, smart card)

Something the user is (a biometric characteristic, such as a fingerprint)

Page 61: One-Time Password

MULTI-FACTOR AUTHENTICATION

One problem with multi-factor authentication generally is the lack of understanding of what constitutes "true" multi-factor authentication.

Page 62: One-Time Password

MULTI-FACTOR AUTHENTICATION

For example, the following steps all belong to the same factor, something the user knows, so combining them does not make true multi-factor authentication:

Supplying a username and password

Supplying additional information in the form of answers to challenge questions

Adding a visual image

Page 63: One-Time Password

MULTI-FACTOR AUTHENTICATION

True Multi-Factor Authentication :

Something the user knows + something the user has + something the user is

Page 64: One-Time Password

MULTI-FACTOR AUTHENTICATION

One-time password is certainly one of the simplest and most popular forms of two-factor authentication for securing network access.

Page 66: One-Time Password

DISCUSSION

Page 68: One-Time Password

REFERENCES

• Takasuke Tsuji, "A One-Time Password Authentication Method"

• RFC 2289, "A One-Time Password System" (faqs.org)

• RFC 6238, "TOTP: Time-Based One-Time Password Algorithm" (faqs.org)

• RFC 4226, "HOTP: An HMAC-Based One-Time Password Algorithm" (faqs.org)

• RSA Security, "Open Specifications Integrate One-Time Passwords with Enterprise Applications"

• Manjula Sandirigama, Akihiro Shimizu, Matu-Tarow Noda, "Simple and Secure Password Authentication Protocol (SAS)"

• Wikipedia, "One-Time Password"

• Wikipedia, "Challenge-Response Authentication"

• Wikipedia, "Hash Chain"

• Wikipedia, "HMAC"

• Wikipedia, "Multi-Factor Authentication"

• Wikipedia, "Two-Factor Authentication"

• Wikipedia, "Security Token"

• Wikipedia, "Man-in-the-Middle Attack"