One Time Password

One time password

Mahdi Ataeyan

Website: www.ataeyan.com

Twitter: @kalpase

Please feel free to interrupt
me if you have questions!

Methods for authenticating people

What you know (password)

What you have (smart card)

What you are (biometric sensors)

Cracked

Stolen

Guessed

Lost

difficult to manage or unmanageable

static password

What is OTP?

Why?

Cracked

Stolen

Guessed

Lost

manageable

bottleneck

Methods of generating the OTP

Time-synchronized

Mathematical algorithms

based on the previous password

based on a challenge

In other words

Time-based authentication

Event-based authentication

Challenge-response-based authentication

based on the previous password

s = seed

f(s) = hash function

f(f(f( ... f(s) ... )))

f^1000(s) is stored on the target system

p = f^999(s) # user's first login password

f(p) = f^1000(s) # server can authenticate the password

The value stored on the target system is then replaced by p.

p = f^998(s) # next login

f(p) = f^999(s) # server can authenticate the password

hash chain S/KEY

based on a challenge

non-cryptographic protocols

Password

CAPTCHAs

copy protection challenges.

Cryptographic techniques

Message authentication code

Challenge-response authentication

Server sends a unique challenge value sc to the client

Client generates unique challenge value cc

Client computes cr = hash(cc + sc + secret)

Client sends cr and cc to the server

Server calculates the expected value of cr and ensures the client responded correctly

Server computes sr = hash(sc + cc + secret)

Server sends sr

Client calculates the expected value of sr and ensures the server responded correctly

sc is the server-generated challenge

cc is the client-generated challenge

cr is the client response

sr is the server response

Examples of challenge-response algorithms

zero-knowledge password proof and key agreement systems (such as Secure Remote Password (SRP))

Challenge-Handshake Authentication Protocol (CHAP)

OCRA - OATH Challenge-Response Algorithm

Salted Challenge Response Authentication Mechanism (SCRAM)

ssh's challenge-response system based on RSA

Message authentication code

A short piece of information used to authenticate a message

It provides integrity and authenticity assurances on the message

hash function

MD5 #HMAC-MD5

SHA-1 #HMAC-SHA1

The IPsec and TLS protocols use HMAC-SHA1 and HMAC-MD5.

Hash-based message authentication code

H is a cryptographic hash function,

K is a secret key padded to the right with extra zeroes to the input block size of the hash function, or the hash of the original key if it is longer than that block size,

m is the message

opad is the outer padding (0x5c5c5c5c5c, one-block-long hexadecimal constant),

and ipad is the inner padding (0x3636363636, one-block-long hexadecimal constant).

HMAC-based One-time Password Algorithm

HOTP-Value = HOTP(K,C) mod 10^d # d = number of digits

HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF

HMAC(K,C) = SHA1((K ⊕ 0x5c5c…) ∥ SHA1((K ⊕ 0x3636…) ∥ C))

K = secret key

C = counter

Truncate = a function that selects 4 bytes from the result of the HMAC in a defined manner.

Time-based One-time Password Algorithm

TC = (unixtime(now) - unixtime(T0)) / TS

T0 = start of an epoch

TS = time step (the unit in which TC counts)

TOTP = HOTP(SecretKey, TC)

TOTP-Value = TOTP mod 10^d # d = number of digits

The 0x7FFFFFFF mask in HOTP sets the most significant bit to 0, so the number cannot be interpreted as negative. This guards against processors implementing the modulo operation differently.[2]
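
The HOTP and TOTP formulas above as runnable code (an added example, not part of the original slides). Truncate is taken to be the dynamic truncation of RFC 4226; verify_totp, its window parameter and the other function names are assumptions for illustration, and the key is the public RFC test secret, not a real one. The verifier goes one step beyond the slides by accepting a small clock-drift window.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1, Truncate, mask with 0x7FFFFFFF, mod 10^d."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Truncate: the low 4 bits of the last byte select the offset of the
    # 4 bytes that are kept (RFC 4226 dynamic truncation).
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(key: bytes, now: float, t0: int = 0, ts: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP(K, TC) with TC = floor((now - T0) / TS)."""
    return hotp(key, int(now - t0) // ts, digits)


def verify_totp(key, submitted, now, window=1, ts=30, digits=6):
    """Check a submitted code against `window` steps either side of now.

    Returns the matching time-step counter, or None. A server should store
    the returned counter and refuse any later code whose counter is not
    greater, so a captured code cannot be replayed while still valid.
    """
    tc = int(now) // ts
    for step in range(max(0, tc - window), tc + window + 1):
        expected = hotp(key, step, digits).encode()
        # Constant-time comparison avoids leaking matching prefixes.
        if hmac.compare_digest(expected, submitted.encode()):
            return step
    return None


# Constructed demo input: the published RFC 4226 / RFC 6238 test secret.
KEY = b"12345678901234567890"

if __name__ == "__main__":
    print([hotp(KEY, c) for c in range(3)])
    print(totp(KEY, 59, digits=8))
    now = time.time()
    print(verify_totp(KEY, totp(KEY, now), now))
```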

Methods of delivering

Text messaging

Mobile phones

Proprietary tokens

Web-based methods

Hardcopy (TAN)

Transaction authentication number (TAN)

Classic TAN

Indexed TAN (iTAN)

Indexed TAN with CAPTCHA (iTANplus)

Mobile TAN (mTAN)

pushTAN

Two-factor authentication

What you know => user name and password

What you have => one time password token

Multi-factor authentication

What you know => user name and password

What you have => one time password token

What you are

Authentication-as-a-service

Automates everything

Protects everything

Protects everyone

Easy migration

Saves money