SlideShare a Scribd company logo

otp crid cards

B
Bayalagmaa Davaanyam

This document discusses using one-time password (OTP) grid cards for strong authentication in online applications in Mongolia. It proposes a system where OTPs are generated from grid cards containing numbers and letters. When logging in, a user must provide their password and the contents of a randomly selected cell from their unique grid card. Adding salt passwords and generating challenges from least-used cells increases security by preventing prediction of responses. The system aims to improve online banking security in Mongolia by providing multi-factor authentication without specialized hardware tokens.

Education
1 of 5
Download to read offline
ONLINE APPLICATIONS USING STRONG AUTHENTICATION WITH OTP GRID CARDS Bayalagmaa Davaanaym Department of Professional, Soyol Erdem University, Ulaanbaatar,48/88,Mongolia E-mail: bayalag2007@yahoo.com Abstract— Last days several technologies are considered grow-up enough to be a new tool for user authentication in the accessible network system. The One-Time Password (OTP) authentication protocol is an fugacious password that can be used as a multi-factor authentication method when secure authentication is needed an user by a server . Focusing on techniques that are used to carry out strong authentication for online application user identities and improve grid card security, this paper aims to obtain a wide range view of strong user authentication by examining its conceptions, implementation approaches, and challenges/additional concerns at the architectural section. It discusses effective solution approaches, overall architecture models, and developments. Authentication system over grid card allows you to change the consideration and define the entropy of a card and its strength. Grid cards also may be set to expire with greater recurrence that requiring the issuance of new cards — to increase security. Keywords—One time password, grid card authentication I. INTRODUCTION Passwords as a means of authentication have long reached their expiry date. Web-based user-authentication systems without compromising usability and ubiquity, when the Internet is accessed mostly through a browser that has limited access to the client environment and hardware devices. The major of typical solution reaches that are used today involve, in more generalized terms, various forms of enhanced shared-secret and multifactor authentication. Enhanced shared-secret authentication refers to extensions of conventional knowledge-based (single- factor) authentication—for example, additional passwords, site keys, preregistered graphical icons to support mutual authentication, challenge-response, randomized code selections that are based on input patterns, CAPTCHA, and so on. Multifactor authentication refers to a compound implementation of two or more classes of human- authentication factors: Something known to only the user—Knowledge-based (for example, password, pass phrase, shared secrets, account details and transaction history, PIN, CAPTCHA, and so on). Something held by only the user—Possession-based (for example, security token, smart card, shared soft tokens, mobile device, and so on). Something inherent to only the user—Biological or behavior biometric traits (for example, facial recognition, fingerprint, voice recognition, keystroke dynamics, signature, and so on). In practice, however, there is a wealth of implementations, methods, and permutations of them— all with varying trade-offs in terms of cost, complexity, usability, and security. It is standard practice to achieve strong authentication by requiring the communicating party to provide two different pieces of authentication of different types: in this case these are the user password (something known) and the one-time password (something possessed). In Mongolia, online banking and online services are increasing. Online banking (or Internet banking) that allows customers to conduct financial transactions on a secure website. However, with increased convenience, the threats of online banking fraud have also become a greater concern. Customer confidence and loyalty to a bank with online banking services depend greatly on the protection against banking fraud and identity theft. TABLE I. MONGOLIAN MAJOR ONLINE BANKS PASSWORD COMPARISON Banks Name Protection passwords type OTP (HW) PKI (HW) Graphica l passwor ds Passwor d TDB * KHAN BANK * TURIIN BANK * *
Banks Name Protection passwords type OTP (HW) PKI (HW) Graphica l passwor ds Passwor d GOLOMT BANK * HAS BANK * From Table 1, we can see that major Mongolian banks secure their customers with single password authentication. But Most of the banks are single password authentication is still in use, it by itself is not considered secure enough for online banking in Mongolia. Goal of this paper that introduce a OTP grid card system using salt passwords and improve an online applications secure in Mongolia. The grid card is functionally equivalent to the electronic tokens commonly used for applications such as online banking. Chapter 2 of this study explains the grid card authentication related study, and chapter 3 presents a password key creation method through extraction of grid card with OTP. Grid card authentication is strong authentication function, it can create temporary one time password keys. Chapter 4 carries out a simulation adopting the presented one time password key using grid card algorithm, and lastly, draws a conclusion. II. RELATED WORKS A. Grid card authentication The multi-factor authentication system requires a password, plus the grid that’s often printed on the back of a special card and salt. When a user logs in using their ID and password , they are prompted for a random cell in the grid. The user then enters the correct combination of numbers and letters in that cell and is granted access. Each grid card is unique and carries a serial number, so every user can be uniquely identified and authenticated. Each time a user is asked to authenticate they are presented with a different challenge requiring them to validate via a different set of grid coordinates. The coordinate request changes for each authentication challenge. In this scenario, the challenge presents the user with coordinates such as B2, F5 and J4. The user refers to their unique grid card to provide the information from the requested cells: 18, H1, X8. Challenge Generation Algorithms After enabling grid authentication, Authentication system allows you to choose between two challenge- generation algorithms. Random Challenge algorithm (default) picks cells randomly when creating a challenge. The process for creating a challenge does not depend on previous challenges. Random Challenge algorithm that choose DRBG. Deterministic Random Bit Generators (also known as Pseudo Random Number Generators – PRNGs) take input (a seed) from either the noise source(s) or the conditioning step and produce outputs of random values Least-Used Cells Challenge This algorithm uses one or more least-used cells (set in policy) in every challenge. By generating challenges using the least-used cells from a user’s grid, it becomes more difficult for an attacker who has previously viewed some successful authentications to correctly respond to the challenge. B. One Time Password One Time Password (OTP) is a password system where passwords can only be used once, and the user has to be authenticated with a new password key each time. It is a password key creation method that makes it extremely difficult to predict the next password key based on the current password. A new password key is created in its own device constantly after a set period of time and the user has to enter a new password every time he or she uses the system, so it prevents exposure of the user’s password due to hacking or the user’s mistake. OTP has much stronger security because the user has to enter a newly created password key even if his or password is exposed. Most OTPs’ password key creation algorithms are based on one-way functions. For example, S/Key systems (RFC1760) in almost all UNIX OS use such functions. The OTP is standardized by the IETF, and standardized again by verification related companies, and the RSA and OATH are carrying out the most competitive standardizations. III. CREATION OF PASWORD KEYS USING GRID CARD Normally when a user requests authentication, even after first contact, certain important services confirm passwords again. However, as explained above, the existing password system has many weaknesses, and a solution for this is one time password mechanism. The elements of one time password mechanism are a token included in a security/password algorithm or one time password key creating device, a authentication server and a authentication client. Since the one time password mechanism is a program, it is programmed to be random, but the randomness breaks after a certain period of time and passwords become predictable so one time password mechanisms have the disadvantage of having to exchange OTP modules after a certain period of time. In order to overcome such weaknesses, this study presents a method of creating one time password keys in OTP Clients using grid card characteristics. On characteristics of this study that should be focused on is that the OTP system is not positioned in the OTP Server. The password key creation process starts with a user logs in using their ID and password send to request to
server. Then next process shows the randomly prime number of coordinate challenge selecting and reply to client. The process of creating a combination of permutation using the selected prime number by order, and creation of coordinate challenge using S/Key authentication scheme. OTP password is a secret key that salt words and information in the corresponding cells from the unique grid card they possess. This secret key can either be provided by the user, or can be generated by a computer. In case we choose salt is a random string of data used to modify a password hash. Salt can be added to the hash to prevent a collision by uniquely identifying a user's password, even if another user in the system has selected the same password. Salt can also be added to make it more difficult for an attacker to break into a system by using password hash-matching strategies because adding salt to a password hash prevents an attacker from testing known dictionary words across the entire system. Figure1. Grid card authentication system with salt passwords IV. SECURITY ANALYSIS Grid authentication card security is determined by a number of factors. Card size is arguably the most important variable. Increasing the grid size (i.e., number of cells) and format (i.e., contents of the cell) exponentially increases the number of challenge responses available. Entropy is defined as the uncertainty involved in predicting the value of a random variable. In this case, it refers to the ability to predict the information contained on a grid card — both coordinates and characters. A larger grid card and additional cell contents increase the uncertainty of predicting the coordinates and characters on the card. In other words, more variables mean less chance of ―cracking‖ the grid. However, OTP security measures have not proven totally secure. Once grid cards and tokens appeared on the online banking landscape, it was not long before the banks started to see phishing scams targeting OTPs. Some banks do not limit reloading times it keep reloading until the eavesdropped pattern appears. If the grid card does not have many enough numbers, the card could be reproduced by eavesdropping for several times. And it can be successfully phished by entering all the numbers in grid card. Grid card adopts 8-10 random numbers even easier to phish. In these cases, phishing e-mails generally tried to trick the banking user by asking him to "authenticate" or "revalidate" his token or grid card by entering a long series of OTPs from the token or the entire contents of the grid card. So we add salt password so without a salt, a successful SQL injection (it is a code injection technique that exploits a security vulnerability in a website’s software to retrieve the database contents to the attacker) attack may yield easily crackable passwords. Because many users re-use passwords for multiple sites, the use of a salt is an
important component of overall web application security. The benefit provided by using a salted password is also making a lookup table assisted dictionary attack against the stored values impractical. Salt also makes brute-force attacks (the technique for checking all possible keys until the correct key is found in a database) for cracking large numbers of passwords much slower. Without salts, an attacker who is cracking many passwords at the same time only needs to hash (the random bit string) each password guess once, and compare it to all the hashes. Using Salt each password will likely have a different bit; so each guess would have to be hashed separately for each Salt, which is much slower since hashing is generally computationally expensive. Simple, easy-to-use authenticator for any industry, region or user population and proven authenticator as part of the software authentication platform . Cost-effective solution that is a fraction of the cost of traditional two-factor options. The coordinate request changes for each authentication challenge. V. CONCLUSION Online banking services were introduced by banks in 2002 and the number of service providers reached 9 commercial banks by the end of 2009. As of 2009, Online bank users numbered 3,566, representing 134,100 transactions and 3.3 billion MNT in value. Conducting financial transactions was made easy with online banking that allows customers to conduct financial transactions on a secure website. However, with increased convenience, the threats of online banking fraud have also become a greater concern. Customer confidence and loyalty to a bank with online banking services depend greatly on the protection against banking fraud and identity theft. The use of a secure website has become almost universally adopted. Though single password authentication is still in use, it by itself is not considered secure enough for online banking in Mongolia. Basically there are two different security methods in use for Mongolian online banking that is OTP token and Passwords. Many of the banks in the Mongolia, the task becomes inherently more expensive, especially when customers are not willing to pay for such tokens. A typical hardware token based on a 3-year period costs the bank almost US$ 60-$125 per customer (when fully implemented, cost of hardware device, servers, support, marketing, postage, etc.) This situation shows how customers depending upon single‐factor authentication (a password only) can be easily defeated by trusted insiders or simple passwords cracking. So this research area, introduces multifactor authentication methods and improves salt passwords with OTP systems based grid cards against fishing method that main disadvantage of OTP grid cards system. It can be strong secure in online systems and online banks. Further, make a practice with online service companies and destine to more real consequence. REFERENCES [1] THE S/KEYTM ONE-TIME PASSWORD SYSTEM‖Neil M. Haller,Bellcore http://www.cs.utk.edu/~dunigan/cs594-cns/skey.pdf. (references) [2] The N/R One Time Password System‖Vipul Goyal, Ajith Abraham, Sugata Sanyal and Sang Yong Han OSP Global, Mumbai, India. [3] ―One-Time Password Authentication Scheme Using Smart Cards Providing User ―YOON Eun-Jun ; YOO Kee-Young, Deparment of computer engineering,Kyunbook National University K. Elissa [4] http://en.wikipedia.org/wiki/Stream_cipher -incl: RC4, A5/1, A5/2. [5] ―Enhanced Authentication In Online Banking‖ Gregory D. Williamson GE Money – America’s Journal of Economic Crime Management 2006 [6] ―Security Analysis of Pseudo-Random Number Generators with Input‖ Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs [7] ― Securing E-Mail Communication Using Hybrid Cryptosystem on Android-based Mobile Devices‖Teddy Mantoro, Andri Zakariya [8] ―How to Make Secure Email Easier To Use‖ Simson L. Garfinkel Erik Nordlander Robert C. Miller MIT CSAILCambridge, MA {simsong,erikn,rcm}@mit.edu David Margrave Amazon.com Seattle, WA DavidMA@amazon.com Jeffrey I. Schiller MIT Network Services [9] NIST Special Publication 800-90A ―Recommendation for Random Number Generation Using Deterministic Random Bit Generators‖Elaine Barker and John Kelsey [10] A. Emigh. The crimeware landscape: Malware, phishing, identity theft and beyond. Technical report, Anti-Phishing Working Group Technical Report, 2006. [11] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. Lecture Notes in Computer Science, 2259:1– 18, 2001. [12] I. Goldberg and D. Wagner. Randomness and the netscape browser. Dr. Dobb’s Journal of Software Tools, 21(1):66:68–70, 1996. [13] INTECO. Second wave of the study on information security and e-trust in spanish households. Technical report, INTECO, July 2007. [14] Andrew Kalafut, Abhinav Acharya, and Minaxi Gupta. A study of malware in peer-to-peer networks. In IMC ’06: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, pages 327–332, New York, NY, USA, 2006. ACM. [15] Tobias Klein. All your private keys are belong to us, 2006.
[16] Liam OMurchu. Banking in silence. Technical report, Symantec, 2008. [17] Matthew Pemble. Evolutionary trends in bank customer-targeted malware.Network Security, 2005(10):4–7, October 2005. [18] Symantec. Internet security threat report. Technical report, Symantec,2007

Recommended

Online applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cardsOnline applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cards
Bayalagmaa Davaanyam
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
IJMER
 
Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...
Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...
Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...
IOSR Journals
 
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authenticationIaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd Iaetsd
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
IJERD Editor
 
E0962833
E0962833E0962833
E0962833
IOSR Journals
 
C0210014017
C0210014017C0210014017
C0210014017
researchinventy
 
Efficient Securing System Using Graphical Captcha
Efficient Securing System Using Graphical Captcha Efficient Securing System Using Graphical Captcha
Efficient Securing System Using Graphical Captcha
Sankar Anand
 

Recommended

Online applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cardsOnline applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cards
Bayalagmaa Davaanyam
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
IJMER
 
Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...
Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...
Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...
IOSR Journals
 
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authenticationIaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd Iaetsd
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
IJERD Editor
 
E0962833
E0962833E0962833
E0962833
IOSR Journals
 
C0210014017
C0210014017C0210014017
C0210014017
researchinventy
 
Efficient Securing System Using Graphical Captcha
Efficient Securing System Using Graphical Captcha Efficient Securing System Using Graphical Captcha
Efficient Securing System Using Graphical Captcha
Sankar Anand
 
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATIONGENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
cscpconf
 
Effectiveness of various user authentication techniques
Effectiveness of various user authentication techniquesEffectiveness of various user authentication techniques
Effectiveness of various user authentication techniques
IAEME Publication
 
Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222
Kailas Patil
 
Engineering Project of Venkata Krishna
Engineering Project of Venkata KrishnaEngineering Project of Venkata Krishna
Engineering Project of Venkata Krishna
banda5630
 
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey
Graphical Based Password for Android Phones using Keystroke Dynamics - A SurveyGraphical Based Password for Android Phones using Keystroke Dynamics - A Survey
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey
IJSRD
 
ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011
prasanna9
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD Editor
 
Authentication scheme for session password using Images and color
Authentication scheme for session password using Images and colorAuthentication scheme for session password using Images and color
Authentication scheme for session password using Images and color
Nitesh Kumar
 
captcha as a graphical password
captcha as a graphical passwordcaptcha as a graphical password
captcha as a graphical password
VishnuVardhan mooli
 
Vshantaram
VshantaramVshantaram
Vshantaram
sparsh dwivedi
 
CARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PASCARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PAS
International Journal of Technical Research & Application
 
Implementation of Knowledge Based Authentication System Using Persuasive Cued...
Implementation of Knowledge Based Authentication System Using Persuasive Cued...Implementation of Knowledge Based Authentication System Using Persuasive Cued...
Implementation of Knowledge Based Authentication System Using Persuasive Cued...
IOSR Journals
 
Secure Code Generation for Multi-level Mutual Authentication
Secure Code Generation for Multi-level Mutual AuthenticationSecure Code Generation for Multi-level Mutual Authentication
Secure Code Generation for Multi-level Mutual Authentication
TELKOMNIKA JOURNAL
 
Image-Based Authentication from Confident Technologies
Image-Based Authentication from Confident TechnologiesImage-Based Authentication from Confident Technologies
Image-Based Authentication from Confident Technologies
Confident Technologies
 
Graphical password authentication using pccp with sound signature
Graphical password authentication using pccp with sound signatureGraphical password authentication using pccp with sound signature
Graphical password authentication using pccp with sound signature
eSAT Journals
 
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATIONAN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
IJCNCJournal
 
76 s201923
76 s20192376 s201923
76 s201923
IJRAT
 
SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...
SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...
SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...
ijiert bestjournal
 
Shoulder surfing resistant graphical
Shoulder surfing resistant graphicalShoulder surfing resistant graphical
Shoulder surfing resistant graphical
Kamal Spring
 
Empirical Study of a Key Authentication Scheme in Public Key Cryptography
Empirical Study of a Key Authentication Scheme in Public Key CryptographyEmpirical Study of a Key Authentication Scheme in Public Key Cryptography
Empirical Study of a Key Authentication Scheme in Public Key Cryptography
IJERA Editor
 
A secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authenticationA secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authentication
eSAT Journals
 
A secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authenticationsA secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authentications
eSAT Publishing House
 

More Related Content

What's hot

GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATIONGENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
cscpconf
 
Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222
Kailas Patil
 
Engineering Project of Venkata Krishna
Engineering Project of Venkata KrishnaEngineering Project of Venkata Krishna
Engineering Project of Venkata Krishna
banda5630
 
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey
Graphical Based Password for Android Phones using Keystroke Dynamics - A SurveyGraphical Based Password for Android Phones using Keystroke Dynamics - A Survey
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey
IJSRD
 
ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011
prasanna9
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD Editor
 
Authentication scheme for session password using Images and color
Authentication scheme for session password using Images and colorAuthentication scheme for session password using Images and color
Authentication scheme for session password using Images and color
Nitesh Kumar
 
CARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PASCARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PAS
International Journal of Technical Research & Application
 
Secure Code Generation for Multi-level Mutual Authentication
Secure Code Generation for Multi-level Mutual AuthenticationSecure Code Generation for Multi-level Mutual Authentication
Secure Code Generation for Multi-level Mutual Authentication
TELKOMNIKA JOURNAL
 
Graphical password authentication using pccp with sound signature
Graphical password authentication using pccp with sound signatureGraphical password authentication using pccp with sound signature
Graphical password authentication using pccp with sound signature
eSAT Journals
 
SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...
SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...
SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...
ijiert bestjournal
 
Shoulder surfing resistant graphical
Shoulder surfing resistant graphicalShoulder surfing resistant graphical
Shoulder surfing resistant graphical
Kamal Spring
 

What's hot (19)

GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATIONGENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
 
Effectiveness of various user authentication techniques
Effectiveness of various user authentication techniquesEffectiveness of various user authentication techniques
Effectiveness of various user authentication techniques
 
Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222
 
Engineering Project of Venkata Krishna
Engineering Project of Venkata KrishnaEngineering Project of Venkata Krishna
Engineering Project of Venkata Krishna
 
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey
Graphical Based Password for Android Phones using Keystroke Dynamics - A SurveyGraphical Based Password for Android Phones using Keystroke Dynamics - A Survey
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey
 
ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
 
Authentication scheme for session password using Images and color
Authentication scheme for session password using Images and colorAuthentication scheme for session password using Images and color
Authentication scheme for session password using Images and color
 
captcha as a graphical password
captcha as a graphical passwordcaptcha as a graphical password
captcha as a graphical password
 
Vshantaram
VshantaramVshantaram
Vshantaram
 
CARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PASCARP: AN IMAGE BASED SECURITY USING I-PAS
CARP: AN IMAGE BASED SECURITY USING I-PAS
 
Implementation of Knowledge Based Authentication System Using Persuasive Cued...
Implementation of Knowledge Based Authentication System Using Persuasive Cued...Implementation of Knowledge Based Authentication System Using Persuasive Cued...
Implementation of Knowledge Based Authentication System Using Persuasive Cued...
 
Secure Code Generation for Multi-level Mutual Authentication
Secure Code Generation for Multi-level Mutual AuthenticationSecure Code Generation for Multi-level Mutual Authentication
Secure Code Generation for Multi-level Mutual Authentication
 
Image-Based Authentication from Confident Technologies
Image-Based Authentication from Confident TechnologiesImage-Based Authentication from Confident Technologies
Image-Based Authentication from Confident Technologies
 
Graphical password authentication using pccp with sound signature
Graphical password authentication using pccp with sound signatureGraphical password authentication using pccp with sound signature
Graphical password authentication using pccp with sound signature
 
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATIONAN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
 
76 s201923
76 s20192376 s201923
76 s201923
 
SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...
SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...
SHUFFLED INPUT GRAPHICAL PASSWORD AUTHENTICATION SCHEMES BUILT ON CAPTCHA TEC...
 
Shoulder surfing resistant graphical
Shoulder surfing resistant graphicalShoulder surfing resistant graphical
Shoulder surfing resistant graphical
 

Similar to otp crid cards

A secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authenticationA secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authentication
eSAT Journals
 
An efficient implementation for key management technique using smart card and...
An efficient implementation for key management technique using smart card and...An efficient implementation for key management technique using smart card and...
An efficient implementation for key management technique using smart card and...
ijctcm
 
Two aspect authentication system using secure
Two aspect authentication system using secureTwo aspect authentication system using secure
Two aspect authentication system using secure
Uvaraj Shan
 
Three Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern SecurityThree Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern Security
ijtsrd
 

Similar to otp crid cards (20)

Empirical Study of a Key Authentication Scheme in Public Key Cryptography
Empirical Study of a Key Authentication Scheme in Public Key CryptographyEmpirical Study of a Key Authentication Scheme in Public Key Cryptography
Empirical Study of a Key Authentication Scheme in Public Key Cryptography
 
A secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authenticationA secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authentication
 
A secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authenticationsA secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authentications
 
87559489 auth
87559489 auth87559489 auth
87559489 auth
 
Two Factor Authentication Using Smartphone Generated One Time Password
Two Factor Authentication Using Smartphone Generated One Time PasswordTwo Factor Authentication Using Smartphone Generated One Time Password
Two Factor Authentication Using Smartphone Generated One Time Password
 
An efficient implementation for key management technique using smart card and...
An efficient implementation for key management technique using smart card and...An efficient implementation for key management technique using smart card and...
An efficient implementation for key management technique using smart card and...
 
IRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor Authentication
 
Enhanced Security Through Token
Enhanced Security Through TokenEnhanced Security Through Token
Enhanced Security Through Token
 
A Survey on “Pass sequence acting as OTP using Login Indicator preventing Sho...
A Survey on “Pass sequence acting as OTP using Login Indicator preventing Sho...A Survey on “Pass sequence acting as OTP using Login Indicator preventing Sho...
A Survey on “Pass sequence acting as OTP using Login Indicator preventing Sho...
 
Nt2580 Final Project Essay Examples
Nt2580 Final Project Essay ExamplesNt2580 Final Project Essay Examples
Nt2580 Final Project Essay Examples
 
IRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure Authentication
 
IRJET- Securing Internet Voting Protocol using Implicit Security Model and On...
IRJET- Securing Internet Voting Protocol using Implicit Security Model and On...IRJET- Securing Internet Voting Protocol using Implicit Security Model and On...
IRJET- Securing Internet Voting Protocol using Implicit Security Model and On...
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
 
Two aspect authentication system using secure
Two aspect authentication system using secureTwo aspect authentication system using secure
Two aspect authentication system using secure
 
Two aspect authentication system using secure
Two aspect authentication system using secureTwo aspect authentication system using secure
Two aspect authentication system using secure
 
C02
C02C02
C02
 
120 i143
120 i143120 i143
120 i143
 
Kx3518741881
Kx3518741881Kx3518741881
Kx3518741881
 
IRJET- Multi sharing Data using OTP
IRJET- Multi sharing Data using OTPIRJET- Multi sharing Data using OTP
IRJET- Multi sharing Data using OTP
 
Three Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern SecurityThree Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern Security
 

More from Bayalagmaa Davaanyam

9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд
Bayalagmaa Davaanyam
 
9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд
Bayalagmaa Davaanyam
 

More from Bayalagmaa Davaanyam (11)

Social sciences bayalagmaa
Social sciences bayalagmaaSocial sciences bayalagmaa
Social sciences bayalagmaa
 
Мэдээлэл технологи ашиглан лекцийн үр дүнг дээшлүүлэх асуудал
Мэдээлэл технологи ашиглан лекцийн үр дүнг дээшлүүлэх асуудалМэдээлэл технологи ашиглан лекцийн үр дүнг дээшлүүлэх асуудал
Мэдээлэл технологи ашиглан лекцийн үр дүнг дээшлүүлэх асуудал
 
Мод, графын ерөнхий зарчим
Мод, графын ерөнхий зарчимМод, графын ерөнхий зарчим
Мод, графын ерөнхий зарчим
 
Файлын оролт гаралт
Файлын оролт гаралтФайлын оролт гаралт
Файлын оролт гаралт
 
Hash function
Hash functionHash function
Hash function
 
C standard library
C standard libraryC standard library
C standard library
 
Preproc
PreprocPreproc
Preproc
 
Эрэмбэлэлт хайлтын аргууд
Эрэмбэлэлт хайлтын аргуудЭрэмбэлэлт хайлтын аргууд
Эрэмбэлэлт хайлтын аргууд
 
9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд
 
9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд
 
9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд9.эрэмбэлэлтийн аргууд
9.эрэмбэлэлтийн аргууд
 

Recently uploaded

Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Recently uploaded (20)

Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdf
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in Uttam Nagar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.ppt
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf arts
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
dusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learningdusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learning
 

otp crid cards

  • 1. ONLINE APPLICATIONS USING STRONG AUTHENTICATION WITH OTP GRID CARDS Bayalagmaa Davaanaym Department of Professional, Soyol Erdem University, Ulaanbaatar,48/88,Mongolia E-mail: bayalag2007@yahoo.com Abstract— Last days several technologies are considered grow-up enough to be a new tool for user authentication in the accessible network system. The One-Time Password (OTP) authentication protocol is an fugacious password that can be used as a multi-factor authentication method when secure authentication is needed an user by a server . Focusing on techniques that are used to carry out strong authentication for online application user identities and improve grid card security, this paper aims to obtain a wide range view of strong user authentication by examining its conceptions, implementation approaches, and challenges/additional concerns at the architectural section. It discusses effective solution approaches, overall architecture models, and developments. Authentication system over grid card allows you to change the consideration and define the entropy of a card and its strength. Grid cards also may be set to expire with greater recurrence that requiring the issuance of new cards — to increase security. Keywords—One time password, grid card authentication I. INTRODUCTION Passwords as a means of authentication have long reached their expiry date. Web-based user-authentication systems without compromising usability and ubiquity, when the Internet is accessed mostly through a browser that has limited access to the client environment and hardware devices. The major of typical solution reaches that are used today involve, in more generalized terms, various forms of enhanced shared-secret and multifactor authentication. Enhanced shared-secret authentication refers to extensions of conventional knowledge-based (single- factor) authentication—for example, additional passwords, site keys, preregistered graphical icons to support mutual authentication, challenge-response, randomized code selections that are based on input patterns, CAPTCHA, and so on. Multifactor authentication refers to a compound implementation of two or more classes of human- authentication factors: Something known to only the user—Knowledge-based (for example, password, pass phrase, shared secrets, account details and transaction history, PIN, CAPTCHA, and so on). Something held by only the user—Possession-based (for example, security token, smart card, shared soft tokens, mobile device, and so on). Something inherent to only the user—Biological or behavior biometric traits (for example, facial recognition, fingerprint, voice recognition, keystroke dynamics, signature, and so on). In practice, however, there is a wealth of implementations, methods, and permutations of them— all with varying trade-offs in terms of cost, complexity, usability, and security. It is standard practice to achieve strong authentication by requiring the communicating party to provide two different pieces of authentication of different types: in this case these are the user password (something known) and the one-time password (something possessed). In Mongolia, online banking and online services are increasing. Online banking (or Internet banking) that allows customers to conduct financial transactions on a secure website. However, with increased convenience, the threats of online banking fraud have also become a greater concern. Customer confidence and loyalty to a bank with online banking services depend greatly on the protection against banking fraud and identity theft. TABLE I. MONGOLIAN MAJOR ONLINE BANKS PASSWORD COMPARISON Banks Name Protection passwords type OTP (HW) PKI (HW) Graphica l passwor ds Passwor d TDB * KHAN BANK * TURIIN BANK * *
  • 2. Banks Name Protection passwords type OTP (HW) PKI (HW) Graphica l passwor ds Passwor d GOLOMT BANK * HAS BANK * From Table 1, we can see that major Mongolian banks secure their customers with single password authentication. But Most of the banks are single password authentication is still in use, it by itself is not considered secure enough for online banking in Mongolia. Goal of this paper that introduce a OTP grid card system using salt passwords and improve an online applications secure in Mongolia. The grid card is functionally equivalent to the electronic tokens commonly used for applications such as online banking. Chapter 2 of this study explains the grid card authentication related study, and chapter 3 presents a password key creation method through extraction of grid card with OTP. Grid card authentication is strong authentication function, it can create temporary one time password keys. Chapter 4 carries out a simulation adopting the presented one time password key using grid card algorithm, and lastly, draws a conclusion. II. RELATED WORKS A. Grid card authentication The multi-factor authentication system requires a password, plus the grid that’s often printed on the back of a special card and salt. When a user logs in using their ID and password , they are prompted for a random cell in the grid. The user then enters the correct combination of numbers and letters in that cell and is granted access. Each grid card is unique and carries a serial number, so every user can be uniquely identified and authenticated. Each time a user is asked to authenticate they are presented with a different challenge requiring them to validate via a different set of grid coordinates. The coordinate request changes for each authentication challenge. In this scenario, the challenge presents the user with coordinates such as B2, F5 and J4. The user refers to their unique grid card to provide the information from the requested cells: 18, H1, X8. Challenge Generation Algorithms After enabling grid authentication, Authentication system allows you to choose between two challenge- generation algorithms. Random Challenge algorithm (default) picks cells randomly when creating a challenge. The process for creating a challenge does not depend on previous challenges. Random Challenge algorithm that choose DRBG. Deterministic Random Bit Generators (also known as Pseudo Random Number Generators – PRNGs) take input (a seed) from either the noise source(s) or the conditioning step and produce outputs of random values Least-Used Cells Challenge This algorithm uses one or more least-used cells (set in policy) in every challenge. By generating challenges using the least-used cells from a user’s grid, it becomes more difficult for an attacker who has previously viewed some successful authentications to correctly respond to the challenge. B. One Time Password One Time Password (OTP) is a password system where passwords can only be used once, and the user has to be authenticated with a new password key each time. It is a password key creation method that makes it extremely difficult to predict the next password key based on the current password. A new password key is created in its own device constantly after a set period of time and the user has to enter a new password every time he or she uses the system, so it prevents exposure of the user’s password due to hacking or the user’s mistake. OTP has much stronger security because the user has to enter a newly created password key even if his or password is exposed. Most OTPs’ password key creation algorithms are based on one-way functions. For example, S/Key systems (RFC1760) in almost all UNIX OS use such functions. The OTP is standardized by the IETF, and standardized again by verification related companies, and the RSA and OATH are carrying out the most competitive standardizations. III. CREATION OF PASWORD KEYS USING GRID CARD Normally when a user requests authentication, even after first contact, certain important services confirm passwords again. However, as explained above, the existing password system has many weaknesses, and a solution for this is one time password mechanism. The elements of one time password mechanism are a token included in a security/password algorithm or one time password key creating device, a authentication server and a authentication client. Since the one time password mechanism is a program, it is programmed to be random, but the randomness breaks after a certain period of time and passwords become predictable so one time password mechanisms have the disadvantage of having to exchange OTP modules after a certain period of time. In order to overcome such weaknesses, this study presents a method of creating one time password keys in OTP Clients using grid card characteristics. On characteristics of this study that should be focused on is that the OTP system is not positioned in the OTP Server. The password key creation process starts with a user logs in using their ID and password send to request to
  • 3. server. Then next process shows the randomly prime number of coordinate challenge selecting and reply to client. The process of creating a combination of permutation using the selected prime number by order, and creation of coordinate challenge using S/Key authentication scheme. OTP password is a secret key that salt words and information in the corresponding cells from the unique grid card they possess. This secret key can either be provided by the user, or can be generated by a computer. In case we choose salt is a random string of data used to modify a password hash. Salt can be added to the hash to prevent a collision by uniquely identifying a user's password, even if another user in the system has selected the same password. Salt can also be added to make it more difficult for an attacker to break into a system by using password hash-matching strategies because adding salt to a password hash prevents an attacker from testing known dictionary words across the entire system. Figure1. Grid card authentication system with salt passwords IV. SECURITY ANALYSIS Grid authentication card security is determined by a number of factors. Card size is arguably the most important variable. Increasing the grid size (i.e., number of cells) and format (i.e., contents of the cell) exponentially increases the number of challenge responses available. Entropy is defined as the uncertainty involved in predicting the value of a random variable. In this case, it refers to the ability to predict the information contained on a grid card — both coordinates and characters. A larger grid card and additional cell contents increase the uncertainty of predicting the coordinates and characters on the card. In other words, more variables mean less chance of ―cracking‖ the grid. However, OTP security measures have not proven totally secure. Once grid cards and tokens appeared on the online banking landscape, it was not long before the banks started to see phishing scams targeting OTPs. Some banks do not limit reloading times it keep reloading until the eavesdropped pattern appears. If the grid card does not have many enough numbers, the card could be reproduced by eavesdropping for several times. And it can be successfully phished by entering all the numbers in grid card. Grid card adopts 8-10 random numbers even easier to phish. In these cases, phishing e-mails generally tried to trick the banking user by asking him to "authenticate" or "revalidate" his token or grid card by entering a long series of OTPs from the token or the entire contents of the grid card. So we add salt password so without a salt, a successful SQL injection (it is a code injection technique that exploits a security vulnerability in a website’s software to retrieve the database contents to the attacker) attack may yield easily crackable passwords. Because many users re-use passwords for multiple sites, the use of a salt is an
  • 4. important component of overall web application security. The benefit provided by using a salted password is also making a lookup table assisted dictionary attack against the stored values impractical. Salt also makes brute-force attacks (the technique for checking all possible keys until the correct key is found in a database) for cracking large numbers of passwords much slower. Without salts, an attacker who is cracking many passwords at the same time only needs to hash (the random bit string) each password guess once, and compare it to all the hashes. Using Salt each password will likely have a different bit; so each guess would have to be hashed separately for each Salt, which is much slower since hashing is generally computationally expensive. Simple, easy-to-use authenticator for any industry, region or user population and proven authenticator as part of the software authentication platform . Cost-effective solution that is a fraction of the cost of traditional two-factor options. The coordinate request changes for each authentication challenge. V. CONCLUSION Online banking services were introduced by banks in 2002 and the number of service providers reached 9 commercial banks by the end of 2009. As of 2009, Online bank users numbered 3,566, representing 134,100 transactions and 3.3 billion MNT in value. Conducting financial transactions was made easy with online banking that allows customers to conduct financial transactions on a secure website. However, with increased convenience, the threats of online banking fraud have also become a greater concern. Customer confidence and loyalty to a bank with online banking services depend greatly on the protection against banking fraud and identity theft. The use of a secure website has become almost universally adopted. Though single password authentication is still in use, it by itself is not considered secure enough for online banking in Mongolia. Basically there are two different security methods in use for Mongolian online banking that is OTP token and Passwords. Many of the banks in the Mongolia, the task becomes inherently more expensive, especially when customers are not willing to pay for such tokens. A typical hardware token based on a 3-year period costs the bank almost US$ 60-$125 per customer (when fully implemented, cost of hardware device, servers, support, marketing, postage, etc.) This situation shows how customers depending upon single‐factor authentication (a password only) can be easily defeated by trusted insiders or simple passwords cracking. So this research area, introduces multifactor authentication methods and improves salt passwords with OTP systems based grid cards against fishing method that main disadvantage of OTP grid cards system. It can be strong secure in online systems and online banks. Further, make a practice with online service companies and destine to more real consequence. REFERENCES [1] THE S/KEYTM ONE-TIME PASSWORD SYSTEM‖Neil M. Haller,Bellcore http://www.cs.utk.edu/~dunigan/cs594-cns/skey.pdf. (references) [2] The N/R One Time Password System‖Vipul Goyal, Ajith Abraham, Sugata Sanyal and Sang Yong Han OSP Global, Mumbai, India. [3] ―One-Time Password Authentication Scheme Using Smart Cards Providing User ―YOON Eun-Jun ; YOO Kee-Young, Deparment of computer engineering,Kyunbook National University K. Elissa [4] http://en.wikipedia.org/wiki/Stream_cipher -incl: RC4, A5/1, A5/2. [5] ―Enhanced Authentication In Online Banking‖ Gregory D. Williamson GE Money – America’s Journal of Economic Crime Management 2006 [6] ―Security Analysis of Pseudo-Random Number Generators with Input‖ Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs [7] ― Securing E-Mail Communication Using Hybrid Cryptosystem on Android-based Mobile Devices‖Teddy Mantoro, Andri Zakariya [8] ―How to Make Secure Email Easier To Use‖ Simson L. Garfinkel Erik Nordlander Robert C. Miller MIT CSAILCambridge, MA {simsong,erikn,rcm}@mit.edu David Margrave Amazon.com Seattle, WA DavidMA@amazon.com Jeffrey I. Schiller MIT Network Services [9] NIST Special Publication 800-90A ―Recommendation for Random Number Generation Using Deterministic Random Bit Generators‖Elaine Barker and John Kelsey [10] A. Emigh. The crimeware landscape: Malware, phishing, identity theft and beyond. Technical report, Anti-Phishing Working Group Technical Report, 2006. [11] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. Lecture Notes in Computer Science, 2259:1– 18, 2001. [12] I. Goldberg and D. Wagner. Randomness and the netscape browser. Dr. Dobb’s Journal of Software Tools, 21(1):66:68–70, 1996. [13] INTECO. Second wave of the study on information security and e-trust in spanish households. Technical report, INTECO, July 2007. [14] Andrew Kalafut, Abhinav Acharya, and Minaxi Gupta. A study of malware in peer-to-peer networks. In IMC ’06: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, pages 327–332, New York, NY, USA, 2006. ACM. [15] Tobias Klein. All your private keys are belong to us, 2006.
  • 5. [16] Liam OMurchu. Banking in silence. Technical report, Symantec, 2008. [17] Matthew Pemble. Evolutionary trends in bank customer-targeted malware.Network Security, 2005(10):4–7, October 2005. [18] Symantec. Internet security threat report. Technical report, Symantec,2007