otp-based two-factor authentication using mobile phones
TRANSCRIPT
OTP-Based Two-Factor Authentication Using Mobile Phones
Mohamed Hamdy Eldefrawy1, Khaled Alghathbar1, 2, Muhammad Khurram Khan1 1Center of Excellence in Information Assurance (CoEIA), King Saud University, Saudi Arabia,
2Information Systems Department, College of Computer and Information Sciences, King Saud University, Saudi Arabia.
[email protected], [email protected], 2, [email protected]
Abstract—Two-factor authentication (2FA) provides improved protection, since users are prompted to provide something they know and something they have. This method delivers a higher level of authentication assurance, which is essential for online banking security. Many banking systems have satisfied the 2FA requirements by sending a One Time Password (OTP), something possessed, through an SMS to the user’s phone device. Unfortunately, international roaming and SMS costs and delays put restrictions on this system reliability. This paper presents a novel two-factor authentication scheme whereby a user’s device produces multiples OTPs from an initial seed using the proposed production scheme. The initial seed is produced by the communications partners’ unique parameters. Applying the many from one function to a certain seed removes the requirement of sending SMS-based OTPs to users, and reduces the restrictions caused by the SMS system.
Keywords-one time password; nested hashing chain; two-factor authentication; online banking authentication.
I. INTRODUCTION Online banking requires strong user authentication. User
authentication is often achieved by utilizing a two-factor authentication technique based on something the user knows, i.e., a static password, and something the user has, i.e., an OTP. The major advantage of involving a mobile phone is that most users already have mobile phones, and therefore no extra hardware token needs to be bought, deployed, or supported. The traditional system [1] works by sending an OTP over an SMS to a user who wants to make an online transaction. However, this two-factor authentication system suffers from the following shortcomings:
A. SMS Cost During every login request or transaction process, it is
necessary to send an SMS-OTP from the bank to the user. This, in turn, will be costly to the bank with the consideration of statistics of bank’s transactions [2], [3].
B. SMS Lateness
The SMS transmission delay represents one of the major limitations of the traditional system [3].
C. International Roaming Travelling overseas creates restrictions on the SMS
services. Turning off the roaming service will prevent the bank from sending the SMS-OTP, which in turn, stops the user from resuming any further processes.
D. SMS Security
It can be said that while designing the GSM system, it had all security measures in mind, but as time passed and algorithms were cracked by the hackers [4], SMS-OTP based systems were not kept secure.
Accordingly, new solutions for mobile telephony subscribers have been proposed. One of these utilizes backward hash chains to generate an OTP for authentication purposes. This solution, however, generally requires intensive computation by the client’s device, which typically has limited computational resources. Additionally, there is a restriction in the length of the chain. Another solution suggests the utilization of signature chains to address the chain length restriction by involving public key techniques. This technique, however, also increases computation costs. Moreover, time-synchronized OTP systems, which are typically based on an internal clock synchronized with a main server, are not applicable for mobile phones. In addition, due to the general nature of mobile phones (e.g., out of network, etc.); such synchronization cannot typically be guaranteed.
To overcome the restrictions discussed above, this paper will discuss OTP production in the forward direction. This production will completely eliminate the mentioned limitations. Our idea is to produce multiple OTPs from an initial seed in a parallel process with the service provider itself, e.g., an online bank, by utilizing two different types of hash functions, which come with a nested chain. The resulting chain provides forwardness and infiniteness.
The rest of this paper is organized as follows: Section 2 discusses the related work, Section 3 proposes our new algorithm, Section 4 analyzes the security attributes, Section 5 assesses our scheme’s performance, and finally Section 6 concludes the paper.
II. RELATED WORK The idea of an OTP was first suggested by Leslie
Lamport [5] in the early 1980s. The OTP principle emphasizes that each time the user tries to log on, the algorithm produces pseudorandom output, thus improving the security. Thus, to avoid replay attack vulnerability, an OTP is a password that is only valid for a single login session or transaction.
2011 Eighth International Conference on Information Technology: New Generations
978-0-7695-4367-3/11 $26.00 © 2011 IEEE
DOI 10.1109/ITNG.2011.64
327
A. The S/Key™ OTP System The S/KEY™ [6] one-time password authentication
system uses a computation to generate a finite sequence of single-use passwords from a single secret “seed.” The security is entirely based on this seed, which is known only to the user. The single-use passwords are related in a way that makes it computationally intractable to compute any password from the preceding sequence. This involves applying hash function ( )h ⋅ for N times to a seed “ s ” to form a hash chain of length N:
1 2 1( ), ( ), , ( ), ( )N Nh s h s h s h s−… (1)
At the t th authentication host sends a challenge to the user:
( )Challenge t N t= − (2)
Then the user calculates the t th OTP according to this challenge,
( ) ( )N ttOTP s h s−= , (3)
and the host authenticates the user by checking that the following equality holds:
( )( ) ( )1N tth OTP s h s− += , (4)
where the value ( )1N th s− + is already saved in the host system’s password file from the previous 1t − th authentication. After any successful authentication, the system password file is updated with the OTP that was saved before the host system’s final hash execution as
( ).N th s− In this case then, the host increments t by one and sends a new challenge to the user for the next authentication.
This scheme is constrained to a certain number of authentications N, so that after reaching N authentications, a process restart is required. In addition, it has vulnerability because an opponent, impersonating the host, can send a challenge with a small value to the user, who responds with the hash chain initial values, which allow the intruder to calculate further OTPs [7]. This attack can be referred to as a small challenge attack. In addition, the user computational requirements are high during the calculations for the chain’s initial values, which make the system unsuitable for devices with limited resources, i.e., mobile phones.
B. Bicakci et al.’s Scheme The infinite length hash chains (ILHC) proposed by [8]
use a public-key algorithm, A, to produce a forward and infinite one-way function (OWF.) This OWF is the OTP production core. Bicakci et al. proposed a protocol using RSA [9], where d is the private key and e is the public key. The OTP originating from initial input “ s ” using the RSA public-key algorithm for the t th authentication is:
( ) ( ),ttOTP s A s d= , (5)
and the verification of the t th OTP is done by decrypting( )tOTP s using e,
( )( ) ( )1, .t tA OTP s e OTP s−= (6) Increasing the number of cascaded exponentiations
increases the computational complexity, making this algorithm very difficult to implement in limited computation devices e.g., mobile phones.
C. RSA SecurID Authenticator RSA SecurID® utilizes a token [10], which could be
hardware or software, with a main server synchronized internal clock. Each token is uploaded with a unique seed, which is used to generate a pseudo-random number. An OTP is generated using this token every 60 seconds as an output of a mathematical operation considering the current time stamp and the loaded seed. The same synchronized process occurs at the server side in a parallel way. Each user uses the produced OTP along with his corresponding PIN, only known to him, to authenticate himself to the server side. Due to the general nature of mobile phones, such synchronization cannot typically be guaranteed.
III. OUR APPROACH We have extended Lamport’s idea with some
modifications in order to produce infiniteness and forwardness, avoiding the use of public key cryptography. The shortcoming of those two parameters, infiniteness and forwardness, cause the several vulnerabilities shown with respect to the related work. Thus, we need to integrate Lamport’s scheme using two different one-way hash functions, ( )Ah ⋅ and ( )Bh ⋅ , one for the seed updating and the other for the OTP generation, as shown in Fig. 1.
( ) ( )( ):1 , :1
, y xB A x y
OTP x y h h seed→∞ →∞
=
(7)
In addition, we have the ability to implement this approach in a 3D fashion by utilizing three different hash functions, ( )Ah ⋅ , ( )Bh ⋅ , and ( )Ch ⋅ , as shown in Fig. 2.
(a)
( )Ah ⋅( )Bh ⋅
ints s= ( )1Ah s ( ) ( )2 x
A Ah s h s…
( )( )1 2(2,1) B AOTP h h s=
( )( )2 2
(2, 2) B AOTP h h s=
( )( )2(2, ) yB AOTP y h h s=
328
(b)
Figure 1. One time password generation considering a nested hash chain of two different hashes, ( )Ah ⋅ and ( )Bh ⋅ .
Figure 2. One time password generation considering a nested hash chain of three different hashes, ( )Ah ⋅ , ( )Bh ⋅ , and ( )Ch ⋅ .
A. Registration Phase The user gets the two different hash functions, ( )Ah ⋅ and ( )Bh ⋅ , and an initial seed, “ ints ,” established on his mobile
phone. To ensure that the information is completely shared with the service provider, the seed is produced by the shared and unique parameters of the host and user, e.g., the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and registration date.
B. Login and Authentication Phase This section will discuss the login and authentication
process between the user and service provider. The steps below are shown in Fig. 3. The user logs in to the service provider’s website, e.g.,
an online bank, requesting access. As a response to this access request, a secure session is established, i.e., an SSL session, allowing the user to enter his authentication privileges, i.e., user name and password, the first factor of authentication, what the user knows. Also the user provides the server with his OTP’s current status. The current status allows the server to synchronize his seed with the client’s current seed to get the same seed value on both sides before sending a challenge.
The server randomly challenges the user with new indexes. The user enters those indexes, in his OTP generator to get the corresponding OTP.
The user responds with this corresponding OTP. The server compares the received OTP with the calculated one.
According to the server check, done in the previous step, the server will transfer an authorization execution or a communication termination.
Figure 3. The framework operation for the user side OTP generation by the utilization of two different hash functions.
C. Numerical Illustration Through the registration process, the user gets two
different hash functions, e.g., ( )Ah ⋅ , which could be SHA-1 [11], and ( )Bh ⋅ , which could be MD5 [11], along with an initial seed, “ ints ,” as the concatenation of the IMEI, IMSI, and registration time, which could be “12345678912345612 34567891234507012010200259” assuming IMEI is “12345 6789123456,” IMSI is “12345678912345,” and the registration time is “7/1/2010 20:02:59.”
After logging into the service provider’s website using a different and static username and password, the first factor of authentication, the server asks the user for the OTP’s current status. If the user has generated numerous OTPs without using them, he might have reached an OTP status of, for example, “17.” The user will submit his current status to the server to allow the server to calculate the current seed ( )17 122084864803077378592486728crt A ints h s= = 5680707842195071405780 , which means that the server has
hB4 IhA
5 Hs e e dLM hB4 IhA
8 Hs e e dLM
hB1 IhA
3 Hs e e dLMhB
2 IhA7 Hs e e dLM
hB8 IhA
6 Hs e e dLMhB
7 IhA10Hs e e dLM
hB9 IhA
4 Hs e e dLMhB
7 IhA2 Hs e e dLM
hB2 IhA
1 Hs e e dLM hB2 IhA
9 Hs e e dLM2 4 6 8 10
2
4
6
8
hA
hB
0
24
68
hA2
4
6
8
10
hB
0
2
4
6
8
hC
1
2
3
4
329
calculated seventeen cascaded hashes of its initial seed “ ints ,” using the SHA-1 algorithm, to be synchronized with the client.
After that the server sends a random challenge value of new indexes, e.g., , 3, 4x y = , which means the user has to calculate his session OTP using this formula:
( )( )4 3B A crtOTP h h s= 686060611779191885233638136020=
16333158 . The server has to calculate the same value in a parallel process, and as soon as the client responds, the server will match the two values to give either a yes or no. In this illustration, we did not cover the conversion from digits, the hashing output, to characters, the password format, considering the human interface. The second hash function Bh allowed us to go in the forward direction by protecting the produced chain by Ah . Also as indicated in (7) it is not admissible for nor x y to be equal to 0
IV. SECURITY ANALYSIS The proposed scheme can resist an off-line guessing
attack because it uses strong passwords produced from strong hash functions. Moreover, replaying reusable passwords is restricted by encoding passwords to be used one time. However, it is necessary to prevent another token from becoming an OTP generator for the same user [12]. A manual process should handle this situation. In this section, we will briefly give a security assessment of our proposed scheme.
A. Pre-Play Attack Unless the challenge is protected, a type of “suppress-
replay attack,” known as a “pre-play attack,” becomes possible [13]. Consider that an intruder, who is able to predict the next challenge, wishes to impersonate the user to the service provider. The intruder takes the service provider role, by impersonating it to the user, and asks the user to authenticate itself. The intruder chooses the next challenge that will be chosen by the service provider when authenticating the user. The challenge’s response sent by the user is memorized by the intruder. Then, at some future time, the intruder can impersonate the user to the service provider, using this memorized response. Our proposal allows the service provider to challenge the user with unpredictable uniformly distributed values of and x y . If we suppose that and x y can take one value of forward m values, the probability of successfully guessing a challenge will be the joint probability of and x y , which is equal to
21 m . We can refer to this property as the ability to resist predictable attacks. This means that the next challenge is not predictable.
Furthermore, the produced OTPs cannot help the intruder to calculate further OTPs or to get current or initial
seeds, because the intruder will be faced with the necessity of breaking the second hash function, ( )Bh ⋅ .
B. Forgery Attack To mount a forgery attack on the proposed scheme, an
adversary must generate an OTP corresponding to a given challenge. Since the adversary doesn’t know ints , he can’t correctly update the session OTP for acceptance by the host. Hence, the proposed scheme can resist the forgery attack. It is also necessary to have tight control over the transition from an old OTP generator to a new one [12], [14], [15].
C. Insider Attack If a host insider tries to impersonate the user to access
other hosts using the shared OTPs between them, s/he will not be able to do so because the cooperation of the OTPs’ seed fabrication between this user and the different hosts is strong. This seed is produced by the shared and unique parameters of each host and each user.
Furthermore, as the OTP production, using two different types of strong hashes, ( ) and ( )A Bh h⋅ ⋅ , is strong, the host insider can’t derive these OTPs by performing an off-line guessing attack on what he has received.
D. Small Challenge Attack Attacks based on sending small challenges by intruders
who impersonate the communication host only affect the backward hash chains’ OTPs. Our scheme uses forward hashing techniques, which eliminates this type of attack completely.
E. Reparability If the user finds or suspects that his seed has been
compromised, e.g., token theft, he can re-register with the host and agree upon new seeds, but this must be done manually.
V. PERFORMANCE ASSESSMENT The performance evaluation considers the computational
cost from the user side. Considering the t th authentication login time, the utilization of the S/KEY™ [6] will cost the user a number of N t− hash operations, where N is the defined chain length. Bicakci’s scheme [8] has the lowest number of steps, utilizing just one chain step; the price of this benefit is the use of public key cryptography to produce the signature chain. However time based algorithms have to guarantee a main server synchronized internal clock. Our approach costs the user x y+ hash operations, which is very cheap compared with the number of N t− hashes. Our approach doesn’t involve public key techniques, and has no need of utilizing time synchronization.
VI. CONCLUSIONS A new two-factor OTP-based authentication scheme has
been proposed using mobile phones as they are becoming
330
more and more powerful devices. This new algorithm provides forward and infinite OTP generation using two nested hash functions. We have illustrated our approach to an online authentication process. This scheme achieves better characteristics than the other schemes discussed above. Our proposal is not limited to a certain number of authentications, unlike the previously-mentioned OTP hashing-based schemes [5], [6], and does not involve computationally expensive techniques to provide the infiniteness like [8]. Our algorithm doesn’t require a token embedded server synchronized clock like [10]. Our approach eliminates the problems with utilizing OTPs with an SMS, consisting of the SMS cost and delay, along with international roaming restrictions like [1]. A detailed security analysis was also performed that covered many of the common types of attacks. The two factor authentication property has been achieved without restrictions.
REFERENCES [1] S. Hallsteinsen, I. Jorstad, D-V., Thanh, “Using the mobile phone as a
security token for unified authentication”, Systems and Networks Communication. In: International Conference on Systems and Networks Communications, 2007, pp. 68-74.
[2] T. Laukkanen, S. Sinkkonen, M. Kivijarvi, P. Laukkanen, “Management of Mobile Business”, ICMB 2007, International Conference on the Digital Object Identifier, 2007, pp.42-42.
[3] H. Wang, “Research and Design on Identity Authentication System in Mobile-Commerce”, In: Beijing Jiaotong University, 2007, pp. 18-50.
[4] S.M. Siddique, M. Amir, “GSM Security Issues and Challenges Software Engineering”, Artificial Intelligence, Networking and Parallel/Distributed Computing, 2006. SNPD 2006. 7th ACIS International Conference on Digital Object Identifier, pp. 413-418.
[5] L. Lamport, “Password Authentication with Insecure Communication”, In: Comm. ACM, vol. 24, No 11, 1981, pp. 770-772.
[6] N. Haller, “The S/KEY One–Time Password System. In: Proceedings of the ISOC Symposium on Network and Distributed System Security”, 1994, pp. 151-157.
[7] A. Chefranov, “One–Time Password Authentication with Infinite Hash Chains. Novel Algorithms and Techniques”, In: Tele-communications, Automation and Industrial Electronics, 2008, pp. 283-286.
[8] K. Bicakci N. Baykal, “Infinite length hash chains and their applications” In: Proceedings of 1st IEEE Int. Workshops on Enabling Technologies: Infrastructure for Collaborating Enterprises WETICE’02, 2002, pp. 57-61.
[9] R. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital signatures and public–key cryptosystems”, In: Communications of the ACM, 1978.
[10] http://www.rsa.com/node.aspx?id=1156. [Accessed: October 04, 2010].
[11] A. Menezes, P. Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, Inc. 1997
[12] L. Raddum, Nestås, K. Hole, “Security Analysis of Mobile Phones Used as OTP Generators”, In: IFIP International Federation for Information Processing. 2010, pp. 324-331.
[13] C. Mitchell, L. Chen, “Comments on the S/KEY user authentication scheme”, In: ACM Operating System Review, vol. 30, No. 4, 1996, pp. 12-16.
[14] M. Khan, “Fingerprint Biometric–based Self and Deniable Authentication Schemes for the Electronic World”, In: IETE Technical Review, vol. 26, No. 3, 2009, pp. 191-195.
[15] M.H. Eldefrawy, M.K., Khan, K. Alghathbar, E.-S. Cho “Broadcast Authentication for Wireless Sensor Networks Using Nested Hashing and the Chinese Remainder Theorem”, Sensors, 10(9): 2010, pp. 8683-8695.
[16] V. Goyal, A. Abraham, S. Sanyal, S. Han, “The N/R one time password system” In Proceedings of International Conference on Information Technology: Coding and Computing (ITCC’05), vol. 1 2005, pp. 733-738.
[17] T. Yeh, H. Shen, J. Hwang, “A secure one–time password authentication scheme using smart cards”, In: IEICE Trans. In: Commun, vol. E85-B, No. 11, 2002, pp. 2515-2518.
[18] D. Yum, P. Lee, “Cryptanalysis of Yeh–Shen–Hwang’s one–time password authentication scheme” , IEICE Trans. Commun, vol. E88–B, No. 4, 2005, pp. 1647-1648.
331