One Time Password

•Download as ODP, PDF•

6 likes•2,963 views

This presentation explains a brief history of One Time Password (OTP). One Time Password is a password that is valid for only one login session.

Technology

One time password
Mahdi Ataeyan
Website: www.ataeyan.com
Twitter: @kalpase

Please feel free to interrupt
me if you have questions!

Methods for authenticating people
● What you know (password)
● what you have (smart card)
● what you are (biometric sensors)

● Cracked
● Stolen
● Guessed
● Lost
● difficult to manage or unmanageable
static password

Why?
● Cracked
● Stolen
● Guessed
● Lost
● manageable

Methods of generating the OTP
● Timesynchronized
● Mathematical algorithms
➢ based on the previous password
➢ based on a challenge

in other word
● Timebased authentication
● Eventbased authentication
● Challengeresponsebased authentication

based on the previous password
● s = seed
● f(s) = hash function
● f(f(f( .... f(s) .…)))
● f1000
(s) is stored on the target system
● p = f999
(s) # user's first login password
● f(p) = f1000
(s) #server can authenticate password
● The value stored in target replaced by p.
● p = f998
(s) #next login
● f(p) = f999
(s) #server can authenticate password

based on a challenge
● noncryptographic protocols
➢Password
➢CAPTCHAs
➢copy protection challenges.
• Cryptographic techniques
➢Message authentication code

Challenge–response authentication
●     Server sends a unique challenge value sc to the client
●     Client generates unique challenge value cc
●     Client computes cr = hash(cc + sc + secret)
●     Client sends cr and cc to the server
●     Server calculates the expected value of cr and ensures the client
responded correctly
●     Server computes sr = hash(sc + cc + secret)
●     Server sends sr
●     Client calculates the expected value of sr and ensures the server
responded correctly

Examples of challengeresponse
algorithms
● zeroknowledge password proof and key agreement systems
(such as Secure Remote Password (SRP))
● ChallengeHandshake Authentication Protocol (CHAP)
● OCRA OATH ChallengeResponse Algorithm
● Salted Challenge Response Authentication Mechanism
(SCRAM)
● ssh's challengeresponse system based on RSA

● hash function
➢ MD5 #HMACMD5
➢ SHA1 #HMACSHA1
● IPsec and TLS protocols are used HMACSHA1
and HMACMD5.
Hashbased message
authentication code

● H is a cryptographic hash function,
● K is a secret key padded to the right with extra zeroes to the
input block size of the hash function, or the hash of the
original key if it is longer than that block size,
● m is the message
● opad is the outer padding (0x5c5c5c…5c5c, oneblock
long hexadecimal constant),
● and ipad is the inner padding (0x363636…3636, one
blocklong hexadecimal constant).

HMACbased Onetime Password
Algorithm
● HOTPValue = HOTP(K,C) mod 10d
#number of digits
● HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
● HMAC(K,C) = SHA1(K 0x5c5c… SHA1(K 0x3636… C))⊕ ∥ ⊕ ∥
● K =  secret key
● C =  counter
● Truncate = a function that selects 4 bytes from the result of the
HMAC in a defined manner.

Timebased Onetime Password
Algorithm
● TC = (unixtime(now) unixtime(T0)) / TS
– T0 = start of an epochand
– TS = counting in units of a time step
● TOTP = HOTP(SecretKey, TC)
● TOTPValue = TOTP mod 10d #
d = number of
digits

Methods of delivering
● Text messaging
● Mobile phones
● Proprietary tokens
● Webbased methods
● Hardcopy

Transaction authentication number
(TAN)
● Classic TAN
● Indexed TAN (iTAN)
● Indexed TAN with CAPTCHA (iTANplus)
● Mobile TAN (mTAN)
● pushTAN

Authenticationasaservice
● Automates everything
● Protects everything
● Protects everyone
● Easy migration
● Saves money

Recently uploaded

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

At its core, the challenge of managing Human Resources data is an integration challenge: estimates range from 2-3 HR systems in use at a typical SMB, up to a few dozen systems implemented amongst enterprise HR departments, and these systems seldom integrate seamlessly between themselves. Providing a multi-tenant, cloud-native solution to integrate these hundreds of HR-related systems, normalize their disparate data models and then render that consolidated information for stakeholder decision making has been a substantial undertaking, but one significantly eased by leveraging Ballerina. In this session, we’ll cover: The overall software architecture for VHR’s Cloud Data Platform Critical decision points leading to adoption of Ballerina for the CDP Ballerina’s role in multiple evolutionary steps to the current architecture Roadmap for the CDP architecture and plans for Ballerina WSO2’s partnership in bringing continual success for the CD

Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform

WSO2

In the dynamic field of DevOps, the quest for efficiency and productivity is endless. This talk introduces a revolutionary toolkit: Large Language Models (LLMs), including ChatGPT, Gemini, and Claude, extending far beyond traditional coding assistance. We'll explore how LLMs can automate not just code generation, but also transform day-to-day operations such as crafting compelling cover letters for TPS reports, streamlining client communications, and architecting innovative DevOps solutions. Attendees will learn effective prompting strategies and examine real-life use cases, demonstrating LLMs' potential to redefine productivity in the DevOps landscape. Join us to discover how to harness the power of LLMs for a comprehensive productivity boost across your DevOps activities.

ChatGPT and Beyond - Elevating DevOps Productivity

VictorSzoltysek

Key topics covered: - Understanding the basics of IAM and its significance in the modern enterprise. IAM in a platformless environment - Tackling real-world issues like prioritizing frictionless yet secure user access, securing high-value APIs, integrating to business, compliance, and adapting to cloud native environments with scalable solutions - Practical demonstrations of how WSO2 products can be instrumental in deploying efficient IAM solutions - Preparing for upcoming trends and innovations in identity management

Navigating Identity and Access Management in the Modern Enterprise

WSO2

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

In the ever-evolving landscape of data management, Zero-ETL is an approach that is reshaping how businesses handle and integrate their data. This webinar explores Zero-ETL, a paradigm shift from the traditional Extract, Transform, Load (ETL) process, offering a more streamlined, efficient, and real-time data integration method. We will begin with an introduction to the concept of Zero-ETL, including how it allows direct access to data in its native environment and real-time data transformation, providing up-to-date information with significantly reduced data redundancy. Next, we'll take you through several demonstrations showing how Zero-ETL can deliver real-time data and enable the free movement of data between systems. We will also discuss the various tools that support all aspects of Zero-ETL, providing attendees with an understanding of how they can adopt this innovative approach in their organizations. Lastly, the session will conclude with an interactive Q&A segment, allowing participants to gain deeper insights into how Zero-ETL can be tailored to their specific business needs and how they can get started today. Join us to discover how Zero-ETL can elevate your organization's data strategy.

The Zero-ETL Approach: Enhancing Data Agility and Insight

Safe Software

Architecting Cloud Native Applications

WSO2

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Explore the latest trends and insights on JavaScript usage with Pixlogix's informative blog. Discover key statistics and facts about JavaScript's role in web development, its popularity among developers, and its impact on modern websites. Stay updated with the evolving landscape of JavaScript frameworks and libraries, and learn how they're shaping the future of web development. Gain valuable insights to enhance your JavaScript skills and stay ahead in the digital realm.

JavaScript Usage Statistics 2024 - The Ultimate Guide

Pixlogix Infotech

Design and Development of a Provenance Capture Platform for Data Science

Paolo Missier

JohnPollard-hybrid-app-RailsConf2024.pptx

JohnPollard37

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....

rightmanforbloodline

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

The presentation was made in “Web3 Fusion: Embracing AI and Beyond” is more than a conference; it's a journey into the heart of digital transformation. The conference a provided a platform where the future of technology meets practical application. This three-day hybrid event, set in the heart of innovation, served as a gateway to the latest trends and transformative discussions in AI, Blockchain, IoT, AR/VR, and their collective impact on the information space.

AI in Action: Real World Use Cases by Anitaraj

AnitaRaj43

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

Samir Dash

Recently uploaded (20)

Understanding the FAA Part 107 License ..

Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform

ChatGPT and Beyond - Elevating DevOps Productivity

Navigating Identity and Access Management in the Modern Enterprise

WSO2's API Vision: Unifying Control, Empowering Developers

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

The Zero-ETL Approach: Enhancing Data Agility and Insight

Architecting Cloud Native Applications

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

JavaScript Usage Statistics 2024 - The Ultimate Guide

Design and Development of a Provenance Capture Platform for Data Science

JohnPollard-hybrid-app-RailsConf2024.pptx

Six Myths about Ontologies: The Basics of Formal Ontology

TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

AI in Action: Real World Use Cases by Anitaraj

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)

One Time Password

1. One time password Mahdi Ataeyan Website: www.ataeyan.com Twitter: @kalpase

2. Please feel free to interrupt me if you have questions!

3. Methods for authenticating people ● What you know (password) ● what you have (smart card) ● what you are (biometric sensors)

4. ● Cracked ● Stolen ● Guessed ● Lost ● difficult to manage or unmanageable static password

5. What is otp?

6. Why? ● Cracked ● Stolen ● Guessed ● Lost ● manageable

7. bottleneck

8. Methods of generating the OTP ● Timesynchronized ● Mathematical algorithms ➢ based on the previous password ➢ based on a challenge

9. in other word ● Timebased authentication ● Eventbased authentication ● Challengeresponsebased authentication

10. based on the previous password ● s = seed ● f(s) = hash function ● f(f(f( .... f(s) .…))) ● f1000 (s) is stored on the target system ● p = f999 (s) # user's first login password ● f(p) = f1000 (s) #server can authenticate password ● The value stored in target replaced by p. ● p = f998 (s) #next login ● f(p) = f999 (s) #server can authenticate password

11.

12.

13. based on a challenge ● noncryptographic protocols ➢Password ➢CAPTCHAs ➢copy protection challenges. • Cryptographic techniques ➢Message authentication code

14. Challenge–response authentication ● Server sends a unique challenge value sc to the client ● Client generates unique challenge value cc ● Client computes cr = hash(cc + sc + secret) ● Client sends cr and cc to the server ● Server calculates the expected value of cr and ensures the client responded correctly ● Server computes sr = hash(sc + cc + secret) ● Server sends sr ● Client calculates the expected value of sr and ensures the server responded correctly

15. Examples of challengeresponse algorithms ● zeroknowledge password proof and key agreement systems (such as Secure Remote Password (SRP)) ● ChallengeHandshake Authentication Protocol (CHAP) ● OCRA OATH ChallengeResponse Algorithm ● Salted Challenge Response Authentication Mechanism (SCRAM) ● ssh's challengeresponse system based on RSA

16. Message authentication code

17. ● hash function ➢ MD5 #HMACMD5 ➢ SHA1 #HMACSHA1 ● IPsec and TLS protocols are used HMACSHA1 and HMACMD5. Hashbased message authentication code

18. ● H is a cryptographic hash function, ● K is a secret key padded to the right with extra zeroes to the input block size of the hash function, or the hash of the original key if it is longer than that block size, ● m is the message ● opad is the outer padding (0x5c5c5c…5c5c, oneblock long hexadecimal constant), ● and ipad is the inner padding (0x363636…3636, one blocklong hexadecimal constant).

19.

20. HMACbased Onetime Password Algorithm ● HOTPValue = HOTP(K,C) mod 10d #number of digits ● HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF ● HMAC(K,C) = SHA1(K 0x5c5c… SHA1(K 0x3636… C))⊕ ∥ ⊕ ∥ ● K = secret key ● C = counter ● Truncate = a function that selects 4 bytes from the result of the HMAC in a defined manner.

21. Timebased Onetime Password Algorithm ● TC = (unixtime(now) unixtime(T0)) / TS – T0 = start of an epochand – TS = counting in units of a time step ● TOTP = HOTP(SecretKey, TC) ● TOTPValue = TOTP mod 10d # d = number of digits

22. Methods of delivering ● Text messaging ● Mobile phones ● Proprietary tokens ● Webbased methods ● Hardcopy

23. Text messaging

24. Mobile phones

25. Proprietary tokens

26. Webbased methods

27. Hardcopy (TAN)

28. Transaction authentication number (TAN) ● Classic TAN ● Indexed TAN (iTAN) ● Indexed TAN with CAPTCHA (iTANplus) ● Mobile TAN (mTAN) ● pushTAN

29. Twofactor authentication

30. Multifactor authentication

31. Authenticationasaservice ● Automates everything ● Protects everything ● Protects everyone ● Easy migration ● Saves money

Editor's Notes

hash chain S/KEY
sc is the server generated challenge cc is the client generated challenge cr is the client response sr is the server response
a short piece of information used to authenticate a message To provide integrity and authenticity assurances on the message
The mask sets the most significant bit to 0, to prevent the number from being interpreted as negative. This guards against different implementations of the modulo operation by processors.[2]
What you know =&gt; user name and password What you have =&gt; one time password token
What you know =&gt; user name and password What you have =&gt; one time password token What you are

One Time Password

Recommended

Recommended

More Related Content

More from mahdi ataeyan

More from mahdi ataeyan (7)

Recently uploaded

Recently uploaded (20)

One Time Password

Editor's Notes