One Time Password


This presentation gives a brief history of the One Time Password (OTP).
A one-time password is a password that is valid for only one login session.


One Time Password

  1. One time password
     Mahdi Ataeyan
     Website: www.ataeyan.com
     Twitter: @kalpase
  2. Please feel free to interrupt me if you have questions!
  3. Methods for authenticating people
     ● What you know (password)
     ● What you have (smart card)
     ● What you are (biometric sensors)
  4. Static password
     ● Cracked
     ● Stolen
     ● Guessed
     ● Lost
     ● Difficult to manage or unmanageable
  5. What is OTP?
  6. Why?
     ● Cracked
     ● Stolen
     ● Guessed
     ● Lost
     ● Manageable
  7. Bottleneck
  8. Methods of generating the OTP
     ● Time-synchronized
     ● Mathematical algorithms
       ➢ based on the previous password
       ➢ based on a challenge
  9. In other words
     ● Time-based authentication
     ● Event-based authentication
     ● Challenge-response-based authentication
  10. Based on the previous password (hash chain)
      ● s = seed
      ● f = hash function
      ● f(f(f( .... f(s) ....))) = f^n(s)
      ● f^1000(s) is stored on the target system
      ● p = f^999(s)          # user's first login password
      ● f(p) = f^1000(s)      # server can authenticate the password
      ● The value stored on the target is replaced by p
      ● p = f^998(s)          # next login
      ● f(p) = f^999(s)       # server can authenticate the password
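The scheme on slide 10 as an added worked example in Python (not code from the presentation): the server stores only f^1000(s), the client walks down the chain from the seed, and a replayed password is rejected because the stored head has already moved. SHA-256 as f, the chain length, the seed value and the class and function names are this example's own assumptions.

```python
import hashlib
import hmac

# Added example of the hash-chain (S/KEY-style) one-time password scheme
# from slide 10. Not code from the presentation; SHA-256 as f, the chain
# length and the seed are assumptions made for this example.

N = 1000                                     # f^N(s) is what the server stores
SEED = b"example-seed-not-for-production"    # constructed sample seed


def f(x: bytes) -> bytes:
    """One step of the chain: the hash function f from the slide."""
    return hashlib.sha256(x).digest()


def f_pow(seed: bytes, k: int) -> bytes:
    """f applied k times: f(f(...f(seed)...)) = f^k(seed)."""
    x = seed
    for _ in range(k):
        x = f(x)
    return x


class Server:
    """Stores only the current head of the chain, never the seed."""

    def __init__(self, head: bytes, index: int):
        self.head = head        # currently f^index(s)
        self.index = index      # how many logins remain before re-seeding

    def login(self, p: bytes) -> bool:
        # Accept p only if f(p) equals the stored head, i.e. p == f^(index-1)(s).
        if self.index == 0 or not hmac.compare_digest(f(p), self.head):
            return False
        # Move the head one step down the chain so this p can never be reused.
        self.head, self.index = p, self.index - 1
        return True


class Client:
    """Holds the seed; derives each password by walking the chain from s."""

    def __init__(self, seed: bytes, n: int):
        self.seed, self.remaining = seed, n - 1

    def next_password(self) -> bytes:
        p = f_pow(self.seed, self.remaining)   # f^999(s), then f^998(s), ...
        self.remaining -= 1
        return p


def demo() -> dict:
    """Run the exchange from the slide and report what the server decided."""
    server = Server(f_pow(SEED, N), N)
    client = Client(SEED, N)
    first = client.next_password()              # p = f^999(s)
    ok1 = server.login(first)                   # server checks f(p) == f^1000(s)
    replay = server.login(first)                # same p again: head has moved
    ok2 = server.login(client.next_password())  # p = f^998(s), f(p) == new head
    return {"first": ok1, "replay": replay, "second": ok2,
            "remaining": server.index}
```

The server never learns the seed, and a password captured on the wire is useless once it has been consumed. The chain is finite: the server must be re-seeded with a fresh f^N(s) before index reaches zero.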
  11. Based on a challenge
      ● Non-cryptographic protocols
        ➢ Password
        ➢ CAPTCHAs
        ➢ Copy-protection challenges
      ● Cryptographic techniques
        ➢ Message authentication code
  12. Challenge-response authentication
      ● Server sends a unique challenge value sc to the client
      ● Client generates a unique challenge value cc
      ● Client computes cr = hash(cc + sc + secret)
      ● Client sends cr and cc to the server
      ● Server calculates the expected value of cr and checks that the client responded correctly
      ● Server computes sr = hash(sc + cc + secret)
      ● Server sends sr
      ● Client calculates the expected value of sr and checks that the server responded correctly
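The mutual exchange on slide 12 as an added example (not code from the presentation). It keeps the slide's message order but computes the responses with HMAC-SHA256 keyed by the secret instead of a bare hash(cc + sc + secret), adds a "client"/"server" label so cr and sr can never coincide even if cc == sc, and lets each server challenge be answered only once. The shared secret, the class names and the function names are constructed for this example.

```python
import hmac
import os
from hashlib import sha256

# Added example of the mutual challenge-response exchange from slide 12.
# Not code from the presentation: HMAC-SHA256 in place of the slide's bare
# hash, the "client"/"server" labels and the one-use challenge set are this
# example's own choices; the secret below is a constructed sample.

SECRET = b"shared-secret-constructed-for-this-example"


def response(secret: bytes, label: bytes, first: bytes, second: bytes) -> bytes:
    """cr = MAC(secret, "client" || cc || sc); sr = MAC(secret, "server" || sc || cc)."""
    return hmac.new(secret, label + first + second, sha256).digest()


class Server:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        sc = os.urandom(16)        # unique, unpredictable server challenge
        self.outstanding.add(sc)
        return sc

    def verify(self, sc: bytes, cc: bytes, cr: bytes):
        """Return sr on success, None on failure. Each sc is usable once."""
        if sc not in self.outstanding:
            return None            # unknown or already-answered challenge
        self.outstanding.discard(sc)
        expected = response(self.secret, b"client", cc, sc)
        if not hmac.compare_digest(expected, cr):
            return None
        return response(self.secret, b"server", sc, cc)


class Client:
    def __init__(self, secret: bytes):
        self.secret = secret

    def answer(self, sc: bytes):
        cc = os.urandom(16)        # unique client challenge
        return cc, response(self.secret, b"client", cc, sc)

    def check_server(self, sc: bytes, cc: bytes, sr) -> bool:
        if sr is None:
            return False
        return hmac.compare_digest(response(self.secret, b"server", sc, cc), sr)


def run(client_secret: bytes = SECRET, replay: bool = False) -> bool:
    """Full exchange; True only when both sides authenticate each other."""
    server, client = Server(SECRET), Client(client_secret)
    sc = server.challenge()                  # server -> client: sc
    cc, cr = client.answer(sc)               # client -> server: cc, cr
    sr = server.verify(sc, cc, cr)           # server checks cr, replies with sr
    if replay:
        sr = server.verify(sc, cc, cr)       # same sc presented again: rejected
    return client.check_server(sc, cc, sr)   # client checks sr
```

A client with the wrong secret fails at the server's check, and replaying a captured (sc, cc, cr) triple fails because the challenge has been consumed; comparisons use compare_digest so timing does not leak how many bytes matched.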
  13. Examples of challenge-response algorithms
      ● Zero-knowledge password proof and key agreement systems (such as Secure Remote Password (SRP))
      ● Challenge-Handshake Authentication Protocol (CHAP)
      ● OCRA - OATH Challenge-Response Algorithm
      ● Salted Challenge Response Authentication Mechanism (SCRAM)
      ● ssh's challenge-response system based on RSA
  14. Message authentication code
  15. Hash-based message authentication code
      ● Hash function
        ➢ MD5      # HMAC-MD5
        ➢ SHA-1    # HMAC-SHA1
      ● IPsec and TLS use HMAC-SHA1 and HMAC-MD5
  16. HMAC definition
      ● H is a cryptographic hash function,
      ● K is the secret key, padded to the right with extra zeroes to the input block size of the hash function, or replaced by the hash of the original key if it is longer than that block size,
      ● m is the message,
      ● opad is the outer padding (0x5c5c5c…5c5c, a one-block-long hexadecimal constant), and
      ● ipad is the inner padding (0x363636…3636, a one-block-long hexadecimal constant).
  17. HMAC-based One-time Password Algorithm (HOTP)
      ● HOTP-Value = HOTP(K, C) mod 10^d     # d = number of digits
      ● HOTP(K, C) = Truncate(HMAC(K, C)) & 0x7FFFFFFF
      ● HMAC(K, C) = SHA1((K ⊕ 0x5c5c…) ∥ SHA1((K ⊕ 0x3636…) ∥ C))
      ● K = secret key
      ● C = counter
      ● Truncate = a function that selects 4 bytes from the result of the HMAC in a defined manner
  18. Time-based One-time Password Algorithm (TOTP)
      ● TC = floor((unixtime(now) - unixtime(T0)) / TS)
        – T0 = start of the epoch
        – TS = the time step (TC counts in units of one time step)
      ● TOTP = HOTP(SecretKey, TC)
      ● TOTP-Value = TOTP mod 10^d     # d = number of digits
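Slides 16, 17 and 18 carried through in one added Python example (not the presentation's code): HMAC built directly from the ipad/opad definition and cross-checked against the standard library, HOTP with the 4-byte dynamic truncation and the 0x7FFFFFFF mask, and TOTP as HOTP over the time counter. The key "12345678901234567890" is the test secret published with RFC 4226 and RFC 6238; the drift window in verify_totp and all function names are this example's own additions.

```python
import hashlib
import hmac
import struct

# Added example implementing slides 16-18. Not code from the presentation.
# SECRET is the test key from RFC 4226 / RFC 6238; the helper names and the
# drift-tolerant verifier are assumptions made for this example.

SECRET = b"12345678901234567890"


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)) with H = SHA-1."""
    block = hashlib.sha1().block_size           # 64 bytes for SHA-1
    if len(key) > block:
        key = hashlib.sha1(key).digest()        # keys longer than a block are hashed
    key = key.ljust(block, b"\x00")             # shorter keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def hmac_matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-rolled HMAC against Python's hmac module."""
    reference = hmac.new(key, msg, hashlib.sha1).digest()
    return hmac.compare_digest(hmac_sha1(key, msg), reference)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, per RFC 4226."""
    mac = hmac_sha1(key, struct.pack(">Q", counter))   # C as 8-byte big-endian
    offset = mac[-1] & 0x0F                            # low nibble of the last byte
    # Dynamic truncation: the 4 bytes starting at offset, top bit cleared so
    # the value is a non-negative 31-bit integer on every platform.
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6) -> str:
    """TOTP = HOTP(K, TC) with TC = floor((now - T0) / TS), per RFC 6238."""
    tc = (unix_time - t0) // step
    return hotp(key, tc, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30) -> bool:
    """Accept the current step and +/- window neighbouring steps to tolerate
    clock drift between token and server; compare in constant time."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(key, unix_time + skew * step, step), code):
            return True
    return False
```

hotp(SECRET, 0) yields the first RFC 4226 test value, and totp(SECRET, 59, digits=8) reproduces the first RFC 6238 value; the 6-digit HOTP code for counter 1 is the last six digits of that 8-digit TOTP, which is exactly the "TOTP = HOTP(SecretKey, TC)" relation on slide 18. A wider drift window makes a stolen code usable for longer, so keep it to one step on each side.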
  19. Methods of delivering
      ● Text messaging
      ● Mobile phones
      ● Proprietary tokens
      ● Web-based methods
      ● Hardcopy
  20. Text messaging
  21. Mobile phones
  22. Proprietary tokens
  23. Web-based methods
  24. Hardcopy (TAN)
  25. Transaction authentication number (TAN)
      ● Classic TAN
      ● Indexed TAN (iTAN)
      ● Indexed TAN with CAPTCHA (iTANplus)
      ● Mobile TAN (mTAN)
      ● pushTAN
  26. Two-factor authentication
  27. Multi-factor authentication
  28. Authentication-as-a-service
      ● Automates everything
      ● Protects everything
      ● Protects everyone
      ● Easy migration
      ● Saves money

Editor's Notes

  • hash chain
    S/KEY
  • sc is the server generated challenge
    cc is the client generated challenge
    cr is the client response
    sr is the server response
  • a short piece of information used to authenticate a message
    To provide integrity and authenticity assurances on the message
  • The mask sets the most significant bit to 0, to prevent the number from being interpreted as negative. This guards against different implementations of the modulo operation by processors.[2]
  • What you know => user name and password
    What you have => one time password token
  • What you know => user name and password
    What you have => one time password token
    What you are
