This document discusses one-time password (OTP) authentication. It describes how OTPs provide two-factor authentication by requiring a password and a unique, time-based code. It outlines Open Authentication (OATH) standards for OTP algorithms like HOTP, TOTP, and OCRA. The document also summarizes different OTP authentication devices like tokens and soft tokens, comparing their security levels and generation mechanisms.
2. OTP Overview
• Like a password, an OTP can be used to authenticate a user to obtain access to a network.
• An OTP can be used alone or together with a password for authentication. Typically, OTP is used for two-factor authentication (2FA).
• For example, in large organizations, VPN access often requires a user name, password, and OTP for remote-user two-factor authentication.
• Enhanced security is provided when an OTP is used for authentication, because the user must enter a different OTP each time to be authenticated to, and authorized by, a validation server.
3. Open AuTHentication (OATH)
• OATH is an industry-wide collaboration to develop an open reference architecture for strong authentication. The OATH consortium has developed a set of open, royalty-free algorithms for one-time passwords.
• Any OATH-compliant client device can interoperate with an OATH-algorithm-enabled OTP validation server.
• OATH website: www.openauthentication.org
4. OATH Standards-Based OTP Authentication
- the HMAC-based One-Time Password (HOTP) algorithm, which generates an OTP from a shared secret and a sequence counter;
- the Time-based One-Time Password (TOTP) algorithm, which generates an OTP from a shared secret and a derived time reference;
- the Challenge-Response-based One-Time Password (OCRA) algorithm, which generates an OTP from a shared secret and the response to a challenge.
5. Initial Goals of the Open Authentication
• To establish an open reference architecture for strong authentication by leveraging existing open standards.
• To propagate device credentials, strong authentication algorithms and authentication software to many network end-points.
• To propagate low-cost, multi-function authentication devices (e.g. tokens and smart cards).
10. Five Key Points of Network Security
[Diagram: the five key points arranged around "Network Security"]
• Authentication: the base of network security.
• Authorization: use special parameters to indicate the access right.
• Secrecy: ensure that only the authorized user can access sensitive information, thus securing the communication to the greatest extent.
• Integrity: ensure data integrity and accuracy.
• Non-repudiation: data transfer and receipt are undeniable for an authenticated user.
11. Five Key Points of Network Security
If the user identity cannot be confirmed:
• proper authorization fails;
• encryption becomes ineffective;
• transaction data becomes meaningless;
-> network security is under threat.
13. Shortages of Static Password
No.1: A password typed by the user is easily stolen.
No.2: Most passwords can be guessed without effort.
No.3: Passwords are usually used all the time without change.
No.4: It is too difficult to remember all passwords in distributed usage.
15. Two Factor Password Composition
Username: Feitian
Password: ftsafe + 555532
2-Factor Password = PIN + Dynamic OTP
Dynamic OTP: time-based, initialized as UTC time, changes every 60 seconds.
The full two-factor password consists of the PIN (set up by the customer at first use) and the dynamic one-time password generated each time.
16. Dynamic OTP Authentication Principle
+
+
Customer
+
+
Account
1
Account
1
PIN PIN
Algorithm
Timer/Event
Seed
Same Account
Same PIN
Same OTP
555532
Same Algorithm
Same Seed
Same Event Counter / Timer
Authenti-cation
Server
Algorithm
Timer/Event
Seed
17. Time/Event Synchronous OTP Principle
[Diagram: customer token on one side, authentication server on the other]
Customer token: pre-stored seed + sequence/timer of the generated OTP -> symmetric algorithm -> generated OTP.
Authentication server: pre-stored seed + sequence/timer of the logon user -> symmetric algorithm -> expected OTP.
Validate customer token: the server compares the generated OTP with the expected OTP.
19. Comparison of Three Types of OTP Technology
Time Synchronous
• Simple, usable, manageable; occupies fewer network resources
• Less secure than challenge-response
• Central management system; no need for frequent synchronization
Event Synchronous
• Simple, usable, manageable
• Less secure than the challenge-response method; security risk if the token is stolen
• Needs a batch processing system to perform batch authentication
Challenge Response
• High security, multipurpose
• Complicated operation; occupies more network resources
• Suited to systems requiring high security
21. OTP C100 Introduction
OTP C100: Event Synchronous, Simple to Use, Enhanced Security, More Stable, Low Cost
Each one-time password is generated by applying the OATH HOTP cryptographic function to the fixed seed code and a sequence number incremented with each button click.
22. OTP C200 Introduction
OTP C200: Time Synchronous, Simple to Use, Enhanced Security, More Stable, Low Cost
Each one-time password is generated by applying the OATH TOTP cryptographic function to the fixed seed code and the current time, counted from the UTC epoch.
23. OTP C300 Introduction
OTP C300: Challenge-Response, PIN-protected OTP, High Functionality, More Secure
Each one-time password is generated by applying the OATH OCRA cryptographic function to the fixed seed code and computing the response to the external challenge.
24. Security Performance
Dynamic OTP Generation Mechanism
Uses the Open AuTHentication (OATH) standard algorithms, including the event-synchronous HOTP, the time-synchronous TOTP, and the challenge-response-based OCRA.
For example, TOTP is computed as:
TOTP = Truncate(HMAC-SHA-1(K, T))
In this formula,
• K is the OTP seed secret, and
• T is the number of time steps between the initial counter value T0 and the current UTC time.
[Flowchart of dynamic OTP generation]
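The server-side principle of slides 16 and 17 and the TOTP formula above, as an added example (not code from the deck or from Feitian): HOTP per RFC 4226, TOTP built on it per RFC 6238, and the validation logic a server needs in practice, a look-ahead window for event-synchronous tokens (with the counter advanced so a code cannot be replayed) and a clock-skew window for time-synchronous tokens. The 60-second step and the "PIN + OTP" split follow the deck; the function names are my own.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 60, t0: int = 0,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: T = number of time steps since T0, then HOTP(K, T).
    The 60-second default matches the deck's token; RFC test vectors use 30."""
    return hotp(secret, (unix_time - t0) // step, digits)

def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                look_ahead: int = 10):
    """Server-side event-synchronous check. Tries stored_counter and the next
    look_ahead values so a token whose button was pressed without a logon can
    resynchronise. Returns the new counter to store (one past the match), so
    a replayed code fails next time; returns None when nothing matches."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None

def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 60, skew: int = 1) -> bool:
    """Server-side time-synchronous check. Accepts the current step and
    +-skew neighbouring steps to tolerate token/server clock drift."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, s), candidate)
               for s in range(t - skew, t + skew + 1))

def split_two_factor(password: str, digits: int = 6):
    """Split the deck's 'PIN + dynamic OTP' composite (e.g. 'ftsafe555532')
    into the static PIN and the trailing OTP digits."""
    if len(password) <= digits or not password[-digits:].isdigit():
        raise ValueError("password too short or OTP part is not numeric")
    return password[:-digits], password[-digits:]
```

The RFC 4226 test secret `12345678901234567890` with counter 0 gives 755224, so the functions can be checked against the published vectors before a real seed is loaded.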
25. Software OTP Description
Soft OTP Token
A desktop software utility used to generate the dynamic OTP.
The current Soft OTP comes in two types, HOTP and TOTP, depending on the seed type.
Soft OTP is designed specifically for internal testing rather than for official release.
Soft OTP has lower security.
26. Mobile OTP Description
Mobile OTP
A Java application running on the mobile phone to generate the dynamic OTP.
The current Mobile OTP is adapted to PDA phones with Java support.
The security of Mobile OTP depends directly on the PDA phone, so it has lower security compared to the hardware OTP token.
27. SMS OTP Description
No.1: The generated OTP is sent by SMS to the user's mobile phone.
No.2: The system must contain a dynamic OTP generator and a device for sending SMS, such as an SMS gateway.
No.3: All the user needs is a mobile phone to receive the SMS carrying the dynamic OTP at that time.
No.4: Suited for use as an auxiliary function of the hardware OTP token, not for individual use.
28. Homework
• HOTP Server
• TOTP Server
• OCRA Server
• HOTP Client (PC)
• TOTP Client (PC)
• OCRA Client (PC)
• HOTP Client (Mobile Device)
• TOTP Client (Mobile Device)
• OCRA Client (Mobile Device)