Upload
ata-ebrahimi
View
244
Download
0
Tags:
Embed Size (px)
Citation preview
ONE-TIME PASSWORD By Ata Ebrahimi|www.AtaEbrahimi.com
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
ABSTRACT
This presentation describes a one-time password authentication system
(OTP). The system provides authentication for system access (login) and
other applications requiring authentication that is secure against
passive attacks based on replying captured reusable password.
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Security and Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
NEED
As organizations migrate more Business-to-Business (B2B) and Business-
to-Consumer (B2C) interactions online, the need to protect identities and
enable secure remote access has become critical. Traditional “static”
passwords are easily stolen, frequently lost and expensive for the
enterprise to manage.
NEED
B2B B2C
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
OVERVIEW
One form of attack on networked computing system is eavesdropping on
network connections to obtain authentication information such as the login
IDs and passwords of users. Ones this information is captured, it can be
used at a later time to gain access to the system.
OVERVIEW
One–time password systems are designed to counter this type of attack.
OVERVIEW
A One-Time Password (OTP) is a means of more simply and securely
proving the identity of a user. In a common implementation model, the
end-user carries an authentication device (called a token) that could be a
standalone device, such as a card or a fob that can be hung on a key chain.
OVERVIEW
OTP Provides
Simple and Secure System Access
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
METHODS OF GENERATING
Time-synchronized Mathematical Algorithm
TIME SYNCHRONIZED
Usually related to a piece of hardware called a Security Token
Inside the token is an accurate clock that has been synchronized with the clock on the proprietary Authentication Server
TIME SYNCHRONIZED
New passwords is based on the current time
In addition with previous password or a secret key.
MATHEMATICAL ALGORITHM
Previous Password-Based
A chain and must be used in a predefined order and each new OTP may be created from the past OTPs used
Challenge-Response Based (Event-Based)
Will require a user to provide a response to a challenge, A random number chosen by authentication server and/or a counter
PREVIOUS PASSWORD-BASED
Works by starting with an initial seed s, then generating passwords f(s), f(f(s)), f(f(f(s))), ... As many times as necessary
If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted
CHALLENGE RESPONSE-BASED (EVENT-BASED)
In computer security, challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.
The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password.
CHALLENGE RESPONSE-BASED (EVENT-BASED)
This can be done by inputting the value that the token has generated into the token itself
To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords
The computation does not usually involve the previous one-time password.
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
TIME SYNCHRONIZED ALGORITHM
TOTP
HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM
In cryptography, HMAC (Hash-based Message Authentication Code), is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key.
HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM
Based on an increasing counter value and a static symmetric key known only to the token
Using HMAC-SHA-1 algorithm to create HOTP value
HOTP (K, C) = Truncate(HMAC-SHA-1 (K, C))
K = The Key, C = Counter
TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM
An extension of HMAC-based one-time password (HOTP) to support time-based moving factor
TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM
This variant of the HOTP algorithm specifies the calculation of a one-time password value, based on representation of counter as a time factor.
TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM
TOTP = HOTP(k, T)
T = Number of time steps between the initial counter time T0 and current system time
T = (Current System Time- T0) / X, Default Value of T0 = 0
X = Time steps in seconds
Default Value of X = 30
Basically we defined TOTP as :
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
PREVIOUS PASSWORD-BASED ALGORITHM
Lamport CINON PERM SAS SAS-2
LAMPORT ALGORITHM
The Registration Phase The Registration process is performed only once
The Authentication Phase The Authentication procedure is executed every time the user log in to the system
The Mechanism of Lamport’s algorithm consists of two phases :
LAMPORT REGISTRATION PHASE
LAMPORT ITH AUTHENTICATION PHASE
LAMPORT TYPE PROCEDURE
LAMPORT ALGORITHM
High hash overhead
Requirement of resetting the verifier (Password)
Lamport algorithm has two practical difficulties :
LAMPORT ALGORITHM
Lamport algorithm is a simple procedure, but the user must use a one-way hash function many times in every authentication session
Also user has to register after the M th authentication session
CINON (CHAIN ONE-WAY DATA VERIFICATION METHOD) ALGORITHM
High hash overhead and password resetting are solved
Using two variable random number which are changed at each authentication
Two random numbers are generated by the user and the user is required to memorize them
PERM (PRIVACY ENHANCED INFORMATION READING AND WRITING MANAGEMENT METHOD) ALGORITHM
Random number memorizing problem is solved
One random number is stored in the host and sent to the user at each authentication
Other random number is derived from this number by pre-determined increments
CINON AND PERM ALGORITHM
Security Flaw =
Replay Attack (Man in the Middle Attack)
SAS (SIMPLE AND SECURE) ALGORITHM
The SAS is the only one-time password authentication method which can change verifiers every session without limit.
SAS (SIMPLE AND SECURE) ALGORITHM
The Registration Phase The Registration process is performed only once
The Authentication Phase The Authentication procedure is executed every time the user log in to the system
The Mechanism of SAS algorithm consists of two phases :
SAS REGISTRATION PHASE
SAS ITH AUTHENTICATION PHASE
SAS PROCEDURE TYPE
SAS ALGORITHM
The SAS algorithm uses a one-way function five times.
This function has high overhead, because a one-way function apply hash functions or common-key cryptosystems.
The SAS and other methods are useless for low spec machine.
SAS-2 ALGORITHM
The SAS-2 algorithm can change verifiers every time and without limit
SAS-2 applies its function only three times by using two verifiers and another for masking
This reduces hash overhead by about 40% in comparison with SAS
A synchronous data communication procedure
SAS-2 ALGORITHM
The Mechanism of SAS-2 algorithm consists of two phases :
The Registration Phase The Registration process is performed only once
The Authentication Phase The Authentication procedure is executed every time the user log in to the system
SAS-2 REGISTRATION PHASE
SAS-2 ITH AUTHENTICATION PHASE
SAS-2 PROCEDURE TYPE
SAS-2 ALGORITHM USING CHALLENGE RESPONSE
If user cant’s store any data, the system can use the SAS-2 protocol using
challenge response method.
The user need not store the random number
Transmission iterations are increased
SAS-2 ALGORITHM USING CHALLENGE RESPONSE
The Mechanism of SAS-2 algorithm using challenge response consists of two phases :
The Registration Phase The Registration process is performed only once
The Authentication Phase The Authentication procedure is executed every time the user log in to the system
SAS-2 REGISTRATION PHASE USING CHALLENGE RESPONSE
SAS-2 ITH AUTHENTICATION PHASE USING CHALLENGE RESPONSE
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
MATHEMATICAL ALGORITHM PERFORMANCE ANALYSIS
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
METHODS OF DELIVERING
Paper SMS
Mobile Phone Token
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
TWO-FACTOR AUTHENTICATION
Instead of using only one type of authentication factor, such as only things a user knows (login IDs, passwords, secret images, shared secrets, solicited personal information, etc)
A second factor, something the user has or something the user is, must be supplied in order to authenticate
MULTI-FACTOR AUTHENTICATION
Two or more of the authentication factor required for being authenticated
Sometimes called strong authentication
An extension of two-factor authentication.
MULTI-FACTOR AUTHENTICATION
Something the user knows (password, PIN)
Something the user has (ATM card, smart card)
Something the user is (biometric characteristic, such as a fingerprint)
Existing authentication methodologies involve three basic “factors”:
MULTI-FACTOR AUTHENTICATION
One problem with multi-factor authentication generally is the lack of understanding of what constitutes "true" multi-factor authentication.
MULTI-FACTOR AUTHENTICATION
Supplying a username and password
Supplying additional information in the form of answers to challenge questions
Adding a visual image
MULTI-FACTOR AUTHENTICATION
True Multi-Factor Authentication :
User Knows User Has User Is
MULTI-FACTOR AUTHENTICATION
One-time password is certainly one of the simplest and most popular forms of two-factor authentication for securing network access.
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
DISCUSSION
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
REFERENCES
• Takasuke TSUJI, “A One-Time Password Authentication Method”
• Faqs.org, “RFC 2289 – A One-Time Password System”
• Faqs.org, “TOTP: Time-Based One-Time Password”
• Faqs.org, “RFC 4226 – HOTP: HMAC-Based One Time Password”
• RSA Security, “Open Specifications Integrates One-Time Passwords with Enterprise Applications”
• Manjula Sandirigama, Akihiro shimizu, Matu-Tarow Noda, “Simple and Secure Password Authentication Protocol”
• wikipedia.org, “One-Time Password”
• wikipedia.org, “Challenge-Response Authentication”
• wikipedia.org, “Hash Chain”
• wikipedia.org, “HMAC”
• wikipedia.org, “Multi-Factor Authentication”
• wikipedia.org, “Two-Factor Authentication”
• wikipedia.org, “Security Token”
• wikipedia.org, “Man In The Middle Attack”