
One-Time Password

This OTP presentation explains a whole overview of OTP, Method of Generating, Algorithm, Security and Performance Analysis, Method of Delivering, and N-Factor Authentication.


  1. ONE-TIME PASSWORD. By Ata Ebrahimi | www.AtaEbrahimi.com
  2. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  3. ABSTRACT. This presentation describes a one-time password (OTP) authentication system. The system provides authentication for system access (login) and other applications requiring authentication, and is secure against passive attacks based on replaying captured reusable passwords.
  4. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Security and Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  5. NEED. As organizations migrate more Business-to-Business (B2B) and Business-to-Consumer (B2C) interactions online, the need to protect identities and enable secure remote access has become critical. Traditional “static” passwords are easily stolen, frequently lost and expensive for the enterprise to manage.
  6. NEED. (Diagram slide: B2B, B2C.)
  7. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  8. OVERVIEW. One form of attack on a networked computing system is eavesdropping on network connections to obtain authentication information such as the login IDs and passwords of users. Once this information is captured, it can be used at a later time to gain access to the system.
  9. OVERVIEW. One-time password systems are designed to counter this type of attack.
  10. OVERVIEW. A One-Time Password (OTP) is a means of more simply and securely proving the identity of a user. In a common implementation model, the end-user carries an authentication device (called a token) that could be a standalone device, such as a card or a fob that can be hung on a key chain.
  11. OVERVIEW. OTP provides simple and secure system access.
  12. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  13. METHODS OF GENERATING: Time-synchronized; Mathematical algorithm.
  14. TIME SYNCHRONIZED. Usually related to a piece of hardware called a security token. Inside the token is an accurate clock that has been synchronized with the clock on the proprietary authentication server.
  15. TIME SYNCHRONIZED. Each new password is based on the current time, combined with the previous password or a secret key.
  16. MATHEMATICAL ALGORITHM. Previous password-based: a chain that must be used in a predefined order, where each new OTP may be created from the past OTPs used. Challenge-response based (event-based): requires a user to provide a response to a challenge, a random number chosen by the authentication server and/or a counter.
  17. PREVIOUS PASSWORD-BASED. Works by starting with an initial seed s, then generating passwords f(s), f(f(s)), f(f(f(s))), ... as many times as necessary. If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted.
  18. CHALLENGE RESPONSE-BASED (EVENT-BASED). In computer security, challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated. The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password.
  19. CHALLENGE RESPONSE-BASED (EVENT-BASED). This can be done by inputting the value that the token has generated into the token itself. To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords. The computation does not usually involve the previous one-time password.
  20. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  21. TIME SYNCHRONIZED ALGORITHM: TOTP
  22. HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM. In cryptography, HMAC (Hash-based Message Authentication Code) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key.
  23. HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM. Based on an increasing counter value and a static symmetric key known only to the token. Uses the HMAC-SHA-1 algorithm to create the HOTP value: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), where K = the key and C = the counter.
  24. TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM. An extension of the HMAC-based one-time password (HOTP) algorithm to support a time-based moving factor.
  25. TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM. This variant of the HOTP algorithm specifies the calculation of a one-time password value based on a representation of the counter as a time factor.
  26. TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM. Basically, TOTP is defined as: TOTP = HOTP(K, T), where T = the number of time steps between the initial counter time T0 and the current system time, i.e. T = (Current System Time - T0) / X. Default value of T0 = 0. X = the time step in seconds; default value of X = 30.
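The HOTP and TOTP definitions on slides 23 and 26, carried through in code as an added example (not part of the original slides). It assumes the RFC 4226 dynamic truncation for Truncate() and an 8-byte big-endian counter; the server-side check also assumes a small drift window and constant-time comparison, which the slides do not mention.

```python
import hashlib
import hmac
import struct

# Added example: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) and TOTP = HOTP(K, T).
# Truncate() follows RFC 4226 dynamic truncation (an assumption; the slides only name it).


def hotp(key: bytes, counter: int, digits: int = 6) -> int:
    """HOTP value for key K and counter C (C encoded as 8-byte big-endian)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return code % (10 ** digits)


def time_steps(now: int, t0: int = 0, step: int = 30) -> int:
    """T = (Current System Time - T0) / X, with the slides' defaults T0 = 0, X = 30."""
    return (now - t0) // step


def totp(key: bytes, now: int, t0: int = 0, step: int = 30, digits: int = 6) -> int:
    """TOTP = HOTP(K, T)."""
    return hotp(key, time_steps(now, t0, step), digits)


def verify_totp(key: bytes, candidate: int, now: int, window: int = 1,
                t0: int = 0, step: int = 30, digits: int = 6) -> bool:
    """Server-side check (assumed policy): accept the code for the current step
    and up to `window` steps either side to absorb clock drift between the token
    and the server. Codes are compared in constant time."""
    t = time_steps(now, t0, step)
    presented = str(candidate).zfill(digits)
    for delta in range(-window, window + 1):
        expected = str(hotp(key, t + delta, digits)).zfill(digits)
        if hmac.compare_digest(expected, presented):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo key (the ASCII test key from RFC 4226 / RFC 6238).
    k = b"12345678901234567890"
    print(hotp(k, 0), totp(k, 59, digits=8))
```

A server should also remember the step (or counter) of the last accepted code and reject anything not newer, so a code captured on the wire cannot be replayed inside the drift window.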
  27. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  28. PREVIOUS PASSWORD-BASED ALGORITHMS: Lamport, CINON, PERM, SAS, SAS-2
  29. LAMPORT ALGORITHM. The mechanism of Lamport’s algorithm consists of two phases: the registration phase (the registration process is performed only once) and the authentication phase (the authentication procedure is executed every time the user logs in to the system).
  30. LAMPORT REGISTRATION PHASE (diagram slide)
  31. LAMPORT i-TH AUTHENTICATION PHASE (diagram slide)
  32. LAMPORT TYPE PROCEDURE (diagram slide)
  33. LAMPORT ALGORITHM. The Lamport algorithm has two practical difficulties: high hash overhead, and the requirement of resetting the verifier (password).
  34. LAMPORT ALGORITHM. The Lamport algorithm is a simple procedure, but the user must apply a one-way hash function many times in every authentication session. The user also has to re-register after the M-th authentication session.
  35. CINON (CHAIN ONE-WAY DATA VERIFICATION METHOD) ALGORITHM. High hash overhead and password resetting are solved by using two variable random numbers which are changed at each authentication. The two random numbers are generated by the user, and the user is required to memorize them.
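Slides 17 and 29 to 34 describe the hash chain f(s), f(f(s)), ... and Lamport's two phases and two difficulties; the following added example (not from the slides) puts both on one model. It assumes SHA-256 as the one-way function f, a chain length M, and the standard Lamport order in which the i-th login presents f^(M-i)(s) while the server holds the verifier f^(M-i+1)(s).

```python
import hashlib

# Added example: Lamport hash-chain OTP. f is assumed to be SHA-256.


def f(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(seed: bytes, n: int) -> bytes:
    """f applied n times: f^n(seed). Each call costs n hashes (the 'hash overhead')."""
    for _ in range(n):
        seed = f(seed)
    return seed


class LamportServer:
    """Registration stores the verifier f^M(s). On the i-th login the user presents
    f^(M-i)(s); the server checks f(presented) == verifier, then replaces the verifier
    with the presented value. After M logins the chain is exhausted and the verifier
    must be reset (the 're-registration after the M-th session' difficulty)."""

    def __init__(self, verifier: bytes, chain_length: int):
        self.verifier = verifier
        self.remaining = chain_length

    def authenticate(self, presented: bytes) -> bool:
        if self.remaining == 0 or f(presented) != self.verifier:
            return False
        self.verifier = presented   # a replayed value no longer hashes to the verifier
        self.remaining -= 1
        return True


class LamportUser:
    def __init__(self, seed: bytes, chain_length: int):
        self.seed, self.M, self.i = seed, chain_length, 0

    def register(self) -> bytes:
        return chain(self.seed, self.M)

    def next_password(self) -> bytes:
        self.i += 1
        return chain(self.seed, self.M - self.i)  # M - i hash applications per login


def demo(M: int = 5) -> dict:
    seed = b"constructed-seed"   # constructed sample value
    user = LamportUser(seed, M)
    server = LamportServer(user.register(), M)
    first = user.next_password()
    logins = [server.authenticate(first)] + [server.authenticate(user.next_password())]
    replay = server.authenticate(first)           # captured first password, reused
    logins += [server.authenticate(user.next_password()) for _ in range(M - 2)]
    exhausted = server.authenticate(chain(seed, 0))  # (M+1)-th attempt: chain used up
    return {"logins": logins, "replay": replay, "exhausted": exhausted}
```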
  36. PERM (PRIVACY ENHANCED INFORMATION READING AND WRITING MANAGEMENT METHOD) ALGORITHM. The random number memorizing problem is solved: one random number is stored in the host and sent to the user at each authentication, and the other random number is derived from this number by pre-determined increments.
  37. CINON AND PERM ALGORITHM. Security flaw: replay attack (man-in-the-middle attack).
  38. SAS (SIMPLE AND SECURE) ALGORITHM. SAS is the only one-time password authentication method which can change verifiers every session without limit.
  39. SAS (SIMPLE AND SECURE) ALGORITHM. The mechanism of the SAS algorithm consists of two phases: the registration phase (the registration process is performed only once) and the authentication phase (the authentication procedure is executed every time the user logs in to the system).
  40. SAS REGISTRATION PHASE (diagram slide)
  41. SAS i-TH AUTHENTICATION PHASE (diagram slide)
  42. SAS PROCEDURE TYPE (diagram slide)
  43. SAS ALGORITHM. The SAS algorithm uses a one-way function five times. This function has high overhead, because a one-way function applies hash functions or common-key cryptosystems. SAS and the other methods are unsuitable for low-spec machines.
  44. SAS-2 ALGORITHM. The SAS-2 algorithm can change verifiers every time and without limit. SAS-2 applies its function only three times, by using two verifiers and another for masking. This reduces hash overhead by about 40% in comparison with SAS. A synchronous data communication procedure.
  45. SAS-2 ALGORITHM. The mechanism of the SAS-2 algorithm consists of two phases: the registration phase (the registration process is performed only once) and the authentication phase (the authentication procedure is executed every time the user logs in to the system).
  46. SAS-2 REGISTRATION PHASE (diagram slide)
  47. SAS-2 i-TH AUTHENTICATION PHASE (diagram slide)
  48. SAS-2 PROCEDURE TYPE (diagram slide)
  49. SAS-2 ALGORITHM USING CHALLENGE RESPONSE. If the user cannot store any data, the system can use the SAS-2 protocol with the challenge-response method. The user need not store the random number; transmission iterations are increased.
  50. SAS-2 ALGORITHM USING CHALLENGE RESPONSE. The mechanism of the SAS-2 algorithm using challenge response consists of two phases: the registration phase (the registration process is performed only once) and the authentication phase (the authentication procedure is executed every time the user logs in to the system).
  51. SAS-2 REGISTRATION PHASE USING CHALLENGE RESPONSE (diagram slide)
  52. SAS-2 i-TH AUTHENTICATION PHASE USING CHALLENGE RESPONSE (diagram slide)
  53. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  54. MATHEMATICAL ALGORITHM PERFORMANCE ANALYSIS (table slide)
  55. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  56. METHODS OF DELIVERING: Paper; SMS; Mobile phone; Token.
  57. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  58. TWO-FACTOR AUTHENTICATION. Instead of using only one type of authentication factor, such as only things a user knows (login IDs, passwords, secret images, shared secrets, solicited personal information, etc.), a second factor, something the user has or something the user is, must be supplied in order to authenticate.
  59. MULTI-FACTOR AUTHENTICATION. Two or more of the authentication factors are required in order to be authenticated. Sometimes called strong authentication; an extension of two-factor authentication.
  60. MULTI-FACTOR AUTHENTICATION. Existing authentication methodologies involve three basic “factors”: something the user knows (password, PIN); something the user has (ATM card, smart card); something the user is (biometric characteristic, such as a fingerprint).
  61. MULTI-FACTOR AUTHENTICATION. One problem with multi-factor authentication generally is the lack of understanding of what constitutes "true" multi-factor authentication.
  62. MULTI-FACTOR AUTHENTICATION. Supplying a username and password; supplying additional information in the form of answers to challenge questions; adding a visual image.
  63. MULTI-FACTOR AUTHENTICATION. True multi-factor authentication: User Knows, User Has, User Is.
  64. MULTI-FACTOR AUTHENTICATION. One-time password is certainly one of the simplest and most popular forms of two-factor authentication for securing network access.
  65. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  66. DISCUSSION
  67. AGENDA: 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  68. REFERENCES. Takasuke Tsuji, “A One-Time Password Authentication Method”; Faqs.org, “RFC 2289 – A One-Time Password System”; Faqs.org, “TOTP: Time-Based One-Time Password”; Faqs.org, “RFC 4226 – HOTP: HMAC-Based One Time Password”; RSA Security, “Open Specifications Integrates One-Time Passwords with Enterprise Applications”; Manjula Sandirigama, Akihiro Shimizu, Matu-Tarow Noda, “Simple and Secure Password Authentication Protocol”; wikipedia.org, “One-Time Password”; wikipedia.org, “Challenge-Response Authentication”; wikipedia.org, “Hash Chain”; wikipedia.org, “HMAC”; wikipedia.org, “Multi-Factor Authentication”; wikipedia.org, “Two-Factor Authentication”; wikipedia.org, “Security Token”; wikipedia.org, “Man In The Middle Attack”.
