ONE-TIME PASSWORD
By Ata Ebrahimi|www.AtaEbrahimi.com
AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
ABSTRACT
This presentation describes a one-time password (OTP) authentication system. The system provides authentication for system access (login) and other applications requiring authentication that is secure against passive attacks based on replaying captured reusable passwords.
NEED
As organizations migrate more Business-to-Business (B2B) and Business-
to-Consumer (B2C) interactions online, the need to protect identities and
enable secure remote access has become critical. Traditional “static”
passwords are easily stolen, frequently lost and expensive for the
enterprise to manage.
NEED (figure: B2B and B2C interactions)
OVERVIEW
One form of attack on networked computing systems is eavesdropping on network connections to obtain authentication information such as the login IDs and passwords of users. Once this information is captured, it can be used at a later time to gain access to the system.
OVERVIEW
One–time password systems are
designed to counter this type of attack.
OVERVIEW
A One-Time Password (OTP) is a means of more simply and securely
proving the identity of a user. In a common implementation model, the
end-user carries an authentication device (called a token) that could be a
standalone device, such as a card or a fob that can be hung on a key chain.
OVERVIEW
OTP Provides
Simple and Secure System Access
METHODS OF GENERATING
Time-synchronized
Mathematical algorithm
TIME SYNCHRONIZED
Usually related to a piece of hardware called a Security Token
Inside the token is an accurate clock that has been synchronized
with the clock on the proprietary Authentication Server
TIME SYNCHRONIZED
Each new password is based on the current time, combined with the previous password or a secret key.
MATHEMATICAL ALGORITHM
Previous password-based: the passwords form a chain and must be used in a predefined order; each new OTP may be created from the past OTPs used.
Challenge-response based (event-based): requires the user to provide a response to a challenge, a random number chosen by the authentication server and/or a counter.
PREVIOUS PASSWORD-BASED
Works by starting with an initial seed s, then generating passwords f(s), f(f(s)), f(f(f(s))), ... as many times as necessary.
If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted.
CHALLENGE RESPONSE-BASED (EVENT-BASED)
In computer security, challenge-response authentication is a family of
protocols in which one party presents a question ("challenge") and another
party must provide a valid answer ("response") to be authenticated.
The simplest example of a challenge-response protocol is password
authentication, where the challenge is asking for the password and the
valid response is the correct password.
CHALLENGE RESPONSE-BASED (EVENT-BASED)
This can be done by inputting the value that the token has generated into the token itself.
To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords.
The computation does not usually involve the previous one-time password.
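The exchange described on these two slides, written out as an added example (it is not code from the presentation): the server sends a random challenge, the token answers with a truncated HMAC over the challenge and its event counter, and the server checks the answer once. The shared key and the fixed "repeated" challenge are constructed values, and SHA-256 is an assumption, since the slides do not name the function used on the token.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret shared by token and server; not a real key.
SHARED_KEY = b"constructed-demo-shared-key-0001"


def otp_response(key: bytes, challenge: bytes, counter: int, digits: int = 6) -> str:
    """Token computation: truncated HMAC over (challenge || counter).

    Folding the counter in means that the same challenge issued twice
    still yields different one-time passwords.
    """
    msg = challenge + counter.to_bytes(8, "big")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{code:0{digits}d}"


class Token:
    """User-side device: answers challenges, bumping its event counter each time."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def answer(self, challenge: bytes) -> str:
        otp = otp_response(self.key, challenge, self.counter)
        self.counter += 1
        return otp


class AuthServer:
    """Server side: keeps one outstanding challenge and accepts its answer at most once."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0          # challenges issued so far; mirrors the token's counter
        self.outstanding = None   # (challenge, counter) awaiting an answer

    def issue_challenge(self, rng=secrets.token_bytes) -> bytes:
        challenge = rng(16)       # the random number chosen by the server
        self.outstanding = (challenge, self.counter)
        self.counter += 1
        return challenge

    def verify(self, otp: str) -> bool:
        if self.outstanding is None:
            return False          # nothing was asked: unsolicited or replayed answer
        challenge, ctr = self.outstanding
        self.outstanding = None   # each challenge is answerable exactly once
        expected = otp_response(self.key, challenge, ctr)
        return hmac.compare_digest(expected, otp)


def fixed_challenge(n: int) -> bytes:
    """Stand-in for a random source that happens to repeat itself."""
    return b"\x00" * n


def run_exchange() -> dict:
    """Walk through the protocol and report what the server decided at each step."""
    server, token = AuthServer(SHARED_KEY), Token(SHARED_KEY)

    # 1. Normal round trip: server -> challenge -> token -> response -> server.
    c1 = server.issue_challenge()
    r1 = token.answer(c1)
    first_ok = server.verify(r1)
    replayed = server.verify(r1)              # a captured response sent again

    # 2. The same challenge twice; the counter still makes the responses differ.
    c2 = server.issue_challenge(fixed_challenge)
    r2 = token.answer(c2)
    second_ok = server.verify(r2)
    c3 = server.issue_challenge(fixed_challenge)
    r3 = token.answer(c3)
    third_ok = server.verify(r3)

    return {
        "first_ok": first_ok,
        "replay_rejected": not replayed,
        "repeated_challenge_ok": second_ok and third_ok,
        "responses_differ": r2 != r3,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The token and server counters only stay aligned because every challenge here is answered; a production verifier would search a small counter window to resynchronise after a missed response, as the HOTP validation in the algorithm section does.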
TIME SYNCHRONIZED ALGORITHM
TOTP
HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM
In cryptography, HMAC (Hash-based Message Authentication
Code), is a specific construction for calculating a message
authentication code (MAC) involving a cryptographic hash
function in combination with a secret key.
HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM
Based on an increasing counter value and a static symmetric key known only to the token.
Uses the HMAC-SHA-1 algorithm to create the HOTP value:
HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))
K = the key, C = the counter
TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM
An extension of the HMAC-based one-time password (HOTP) algorithm to support a time-based moving factor.
TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM
This variant of the HOTP algorithm specifies the calculation of a one-time password value based on a representation of the counter as a time factor.
TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM
Basically we define TOTP as:
TOTP = HOTP(K, T)
T = number of time steps between the initial counter time T0 and the current system time
T = (Current System Time - T0) / X, default value of T0 = 0
X = time step in seconds, default value of X = 30
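The HOTP and TOTP definitions above, implemented as an added example (not code from the presentation): HOTP(K, C) with the RFC 4226 dynamic truncation, TOTP as HOTP(K, T) with T = floor((now - T0) / X), plus the two server-side checks a practitioner adds around them, a look-ahead window for HOTP so a token that has drifted ahead can resynchronise, and a clock-skew window for TOTP. The secret `12345678901234567890` is the published RFC 4226 / RFC 6238 test secret; the window sizes are assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Tuple


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), with RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", counter)                  # C as an 8-byte big-endian value
    mac = hmac.new(key, msg, hashlib.sha1).digest()   # 20-byte HMAC-SHA-1
    offset = mac[-1] & 0x0F                           # low nibble of the last byte picks a window
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{window % (10 ** digits):0{digits}d}"    # keep `digits` decimal digits, zero-padded


def totp(key: bytes, now: int, t0: int = 0, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP(K, T) where T = floor((now - T0) / X); defaults T0 = 0, X = 30."""
    t = (now - t0) // step
    return hotp(key, t, digits)


def verify_hotp(key: bytes, stored_counter: int, otp: str,
                look_ahead: int = 5) -> Tuple[bool, int]:
    """Server-side HOTP check.

    The token may have advanced past the server's counter (presses that never
    reached the server), so a small look-ahead window is searched. On success
    the stored counter jumps past the matched value, so the same OTP can never
    be accepted twice. Returns (accepted, new_stored_counter).
    """
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), otp):
            return True, c + 1
    return False, stored_counter


def verify_totp(key: bytes, otp: str, now: int, drift: int = 1, step: int = 30) -> bool:
    """Server-side TOTP check tolerating `drift` time steps of clock skew either way."""
    t = now // step
    for candidate in range(t - drift, t + drift + 1):
        if hmac.compare_digest(hotp(key, candidate), otp):
            return True
    return False


if __name__ == "__main__":
    k = b"12345678901234567890"            # RFC 4226 / RFC 6238 test secret
    print("HOTP(K, 0) =", hotp(k, 0))
    print("TOTP now   =", totp(k, int(time.time())))
```

Two details matter for security here: the comparison is constant-time (`hmac.compare_digest`), and the HOTP verifier never accepts a counter at or below the stored value, which is what turns "a password" into a "one-time" password on the server side.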
PREVIOUS PASSWORD-BASED ALGORITHM
Lamport CINON PERM SAS SAS-2
LAMPORT ALGORITHM
The mechanism of Lamport’s algorithm consists of two phases:
The Registration Phase: the registration process is performed only once.
The Authentication Phase: the authentication procedure is executed every time the user logs in to the system.
LAMPORT REGISTRATION PHASE
LAMPORT i-TH AUTHENTICATION PHASE
LAMPORT TYPE PROCEDURE
LAMPORT ALGORITHM
Lamport’s algorithm has two practical difficulties:
High hash overhead
Requirement of resetting the verifier (password)
LAMPORT ALGORITHM
Lamport’s algorithm is a simple procedure, but the user must apply a one-way hash function many times in every authentication session.
Also, the user has to re-register after the M-th authentication session.
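The previous-password-based chain f(s), f(f(s)), ... and the two Lamport phases described here, as an added example that is not the presentation's own code: at registration the host stores f^M(s); at the i-th login the user sends f^(M-i)(s), the host hashes it once, compares with its verifier, and replaces the verifier with the value just received. The simulation also counts hash calls to make the two difficulties on this slide visible: the user's overhead and the forced re-registration after M logins. SHA-256 as the one-way function, the seed and the chain length M = 5 are assumptions.

```python
import hashlib
import secrets
from typing import Optional


def f(x: bytes) -> bytes:
    """The one-way function of the scheme (SHA-256 assumed; the slides only say 'one-way hash')."""
    return hashlib.sha256(x).digest()


def f_n(x: bytes, n: int) -> bytes:
    """f applied n times: f_n(x, 0) == x, f_n(x, 3) == f(f(f(x)))."""
    for _ in range(n):
        x = f(x)
    return x


class HostVerifier:
    """Host side. Stores one verifier and does exactly one hash per login."""

    def __init__(self) -> None:
        self.verifier = None
        self.logins_left = 0

    def register(self, verifier: bytes, chain_length: int) -> None:
        # Registration happens once and must reach the host over a trusted path.
        self.verifier = verifier
        self.logins_left = chain_length

    def authenticate(self, password: bytes) -> bool:
        if self.logins_left == 0:
            return False                     # chain exhausted: the user must re-register
        if not secrets.compare_digest(f(password), self.verifier):
            return False                     # wrong, or an already-used (replayed) value
        self.verifier = password             # the value just used becomes the next verifier
        self.logins_left -= 1
        return True


class ChainUser:
    """User side. Keeps the seed s and recomputes f^(M-i)(s) for the i-th login."""

    def __init__(self, seed: bytes, chain_length: int) -> None:
        self.seed = seed
        self.M = chain_length
        self.i = 0
        self.hash_calls = 0                  # bookkeeping to show the hash overhead

    def registration_verifier(self) -> bytes:
        self.hash_calls += self.M
        return f_n(self.seed, self.M)        # f^M(s)

    def next_password(self) -> Optional[bytes]:
        if self.i >= self.M:
            return None                      # seed exhausted: choose a new seed and re-register
        self.i += 1
        k = self.M - self.i
        self.hash_calls += k
        return f_n(self.seed, k)             # f^(M-i)(s)


def simulate(chain_length: int = 5, seed: bytes = b"constructed-seed-value") -> dict:
    """Run registration plus M logins and report what happened."""
    user, host = ChainUser(seed, chain_length), HostVerifier()
    host.register(user.registration_verifier(), chain_length)

    results = []
    first = user.next_password()
    results.append(host.authenticate(first))
    replay_rejected = not host.authenticate(first)     # an eavesdropper resends password 1
    for _ in range(chain_length - 1):
        results.append(host.authenticate(user.next_password()))

    exhausted = user.next_password() is None
    return {
        "logins": results,
        "replay_rejected": replay_rejected,
        "exhausted_after_M": exhausted,
        "user_hash_calls": user.hash_calls,   # M + sum(M - i) for i = 1..M
    }


if __name__ == "__main__":
    print(simulate())
```

A replayed password fails because the host has already moved its verifier to that value, and f(x) never equals x; the host's cost stays at one hash per login while the user's grows with M, which is the trade-off the CINON, PERM and SAS variants on the following slides set out to fix.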
CINON (CHAIN ONE-WAY DATA VERIFICATION METHOD) ALGORITHM
High hash overhead and password resetting are solved by using two variable random numbers which are changed at each authentication.
The two random numbers are generated by the user, and the user is required to memorize them.
PERM (PRIVACY ENHANCED INFORMATION READING AND WRITING MANAGEMENT METHOD) ALGORITHM
The random number memorizing problem is solved: one random number is stored in the host and sent to the user at each authentication; the other random number is derived from this number by pre-determined increments.
CINON AND PERM ALGORITHM
Security flaw: replay attack (man-in-the-middle attack)
SAS (SIMPLE AND SECURE) ALGORITHM
The SAS is the only one-time password
authentication method which can change
verifiers every session without limit.
SAS (SIMPLE AND SECURE) ALGORITHM
The mechanism of the SAS algorithm consists of two phases:
The Registration Phase: the registration process is performed only once.
The Authentication Phase: the authentication procedure is executed every time the user logs in to the system.
SAS REGISTRATION PHASE
SAS i-TH AUTHENTICATION PHASE
SAS PROCEDURE TYPE
SAS ALGORITHM
The SAS algorithm uses a one-way function five times.
This function has high overhead, because a one-way function applies hash functions or common-key cryptosystems.
SAS and the other methods are therefore unusable on low-spec machines.
SAS-2 ALGORITHM
The SAS-2 algorithm can change verifiers every time and without limit.
SAS-2 applies its function only three times, by using two verifiers and another for masking.
This reduces hash overhead by about 40% in comparison with SAS.
A synchronous data communication procedure.
SAS-2 ALGORITHM
The Mechanism of SAS-2 algorithm consists of two phases :
The Registration Phase
The Registration process is performed only once
The Authentication Phase
The Authentication procedure is executed every time the user log in to the system
SAS-2 REGISTRATION PHASE
SAS-2 i-TH AUTHENTICATION PHASE
SAS-2 PROCEDURE TYPE
SAS-2 ALGORITHM USING CHALLENGE RESPONSE
If the user can’t store any data, the system can use the SAS-2 protocol with the challenge-response method.
The user need not store the random number.
Transmission iterations are increased.
SAS-2 ALGORITHM USING CHALLENGE RESPONSE
The Mechanism of SAS-2 algorithm using challenge response consists of two phases :
The Registration Phase
The Registration process is performed only once
The Authentication Phase
The Authentication procedure is executed every time the user log in to the system
SAS-2 REGISTRATION PHASE USING CHALLENGE RESPONSE
SAS-2 i-TH AUTHENTICATION PHASE USING CHALLENGE RESPONSE
MATHEMATICAL ALGORITHM PERFORMANCE ANALYSIS
METHODS OF DELIVERING
Paper
SMS
Mobile phone
Token
TWO-FACTOR AUTHENTICATION
Instead of using only one type of authentication factor, such as only things a user knows (login IDs, passwords, secret images, shared secrets, solicited personal information, etc.), a second factor, something the user has or something the user is, must be supplied in order to authenticate.
MULTI-FACTOR AUTHENTICATION
Two or more of the authentication factors are required for being authenticated.
Sometimes called strong authentication.
An extension of two-factor authentication.
MULTI-FACTOR AUTHENTICATION
Existing authentication methodologies involve three basic “factors”:
Something the user knows (password, PIN)
Something the user has (ATM card, smart card)
Something the user is (biometric characteristic, such as a fingerprint)
MULTI-FACTOR AUTHENTICATION
One problem with multi-factor authentication
generally is the lack of understanding of what
constitutes "true" multi-factor authentication.
MULTI-FACTOR AUTHENTICATION
Supplying a username and password
Supplying additional information in the form of answers to challenge questions
Adding a visual image
MULTI-FACTOR AUTHENTICATION
True Multi-Factor Authentication: User Knows, User Has, User Is
MULTI-FACTOR AUTHENTICATION
One-time password is certainly one of the
simplest and most popular forms of two-factor
authentication for securing network access.
DISCUSSION
REFERENCES
• Takasuke TSUJI, “A One-Time Password Authentication Method”
• Faqs.org, “RFC 2289 – A One-Time Password System”
• Faqs.org, “TOTP: Time-Based One-Time Password”
• Faqs.org, “RFC 4226 – HOTP: HMAC-Based One Time Password”
• RSA Security, “Open Specifications Integrates One-Time Passwords with Enterprise Applications”
• Manjula Sandirigama, Akihiro Shimizu, Matu-Tarow Noda, “Simple and Secure Password Authentication Protocol”
• wikipedia.org, “One-Time Password”
• wikipedia.org, “Challenge-Response Authentication”
• wikipedia.org, “Hash Chain”
• wikipedia.org, “HMAC”
• wikipedia.org, “Multi-Factor Authentication”
• wikipedia.org, “Two-Factor Authentication”
• wikipedia.org, “Security Token”
• wikipedia.org, “Man In The Middle Attack”

Contenu connexe

Tendances

Cryptography full report
Cryptography full reportCryptography full report
Cryptography full report
harpoo123143
 

Tendances (20)

18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Kerberos
KerberosKerberos
Kerberos
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
 
Homomorphic encryption in cloud computing final
Homomorphic encryption  in cloud computing finalHomomorphic encryption  in cloud computing final
Homomorphic encryption in cloud computing final
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network security
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIME
 
Brute force attack
Brute force attackBrute force attack
Brute force attack
 
HMAC authentication
HMAC authenticationHMAC authentication
HMAC authentication
 
Secure electronic transactions (SET)
Secure electronic transactions (SET)Secure electronic transactions (SET)
Secure electronic transactions (SET)
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
public key infrastructure
public key infrastructurepublic key infrastructure
public key infrastructure
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
Cryptography full report
Cryptography full reportCryptography full report
Cryptography full report
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1
 
Digital signature schemes
Digital signature schemesDigital signature schemes
Digital signature schemes
 
Information Security & Cryptography
Information Security & CryptographyInformation Security & Cryptography
Information Security & Cryptography
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
symmetric key encryption algorithms
 symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithms
 
Secure Hash Algorithm
Secure Hash AlgorithmSecure Hash Algorithm
Secure Hash Algorithm
 
Web Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket LayerWeb Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket Layer
 

En vedette (6)

Typical Vulnerabilities of E-Banking Systems
Typical Vulnerabilities of E-Banking SystemsTypical Vulnerabilities of E-Banking Systems
Typical Vulnerabilities of E-Banking Systems
 
One Time Password
One Time PasswordOne Time Password
One Time Password
 
One time pad Encryption:
One time pad Encryption:One time pad Encryption:
One time pad Encryption:
 
One Time Pad Encryption Technique
One Time Pad Encryption TechniqueOne Time Pad Encryption Technique
One Time Pad Encryption Technique
 
One-Time Pad Encryption
One-Time Pad EncryptionOne-Time Pad Encryption
One-Time Pad Encryption
 
Otp
OtpOtp
Otp
 

Similaire à One-Time Password

Timely Year Two: Lessons Learned Building a Scalable Metrics Analytic System
Timely Year Two: Lessons Learned Building a Scalable Metrics Analytic SystemTimely Year Two: Lessons Learned Building a Scalable Metrics Analytic System
Timely Year Two: Lessons Learned Building a Scalable Metrics Analytic System
Accumulo Summit
 
stackconf 2023 | How to reduce expenses on monitoring with VictoriaMetrics by...
stackconf 2023 | How to reduce expenses on monitoring with VictoriaMetrics by...stackconf 2023 | How to reduce expenses on monitoring with VictoriaMetrics by...
stackconf 2023 | How to reduce expenses on monitoring with VictoriaMetrics by...
NETWAYS
 
How to reduce expenses on monitoring
How to reduce expenses on monitoringHow to reduce expenses on monitoring
How to reduce expenses on monitoring
RomanKhavronenko
 
Indusrty Experience with the IBM Active Middleware Technology (AMiT)
Indusrty Experience with the IBM Active Middleware Technology (AMiT)Indusrty Experience with the IBM Active Middleware Technology (AMiT)
Indusrty Experience with the IBM Active Middleware Technology (AMiT)
Ella Rabinovich
 

Similaire à One-Time Password (20)

10 1 otp all
10 1 otp all10 1 otp all
10 1 otp all
 
Timely Year Two: Lessons Learned Building a Scalable Metrics Analytic System
Timely Year Two: Lessons Learned Building a Scalable Metrics Analytic SystemTimely Year Two: Lessons Learned Building a Scalable Metrics Analytic System
Timely Year Two: Lessons Learned Building a Scalable Metrics Analytic System
 
otp crid cards
otp crid cardsotp crid cards
otp crid cards
 
stackconf 2023 | How to reduce expenses on monitoring with VictoriaMetrics by...
stackconf 2023 | How to reduce expenses on monitoring with VictoriaMetrics by...stackconf 2023 | How to reduce expenses on monitoring with VictoriaMetrics by...
stackconf 2023 | How to reduce expenses on monitoring with VictoriaMetrics by...
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Magento security best practices magento's approach to pci compliance
Magento security best practices  magento's approach to pci complianceMagento security best practices  magento's approach to pci compliance
Magento security best practices magento's approach to pci compliance
 
How to reduce expenses on monitoring
How to reduce expenses on monitoringHow to reduce expenses on monitoring
How to reduce expenses on monitoring
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
 
Security components in mule esb
Security components in mule esbSecurity components in mule esb
Security components in mule esb
 
ATAGTR2017 An Innovative Take on Versa Test
ATAGTR2017 An Innovative Take on Versa TestATAGTR2017 An Innovative Take on Versa Test
ATAGTR2017 An Innovative Take on Versa Test
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security   Part 1   Threat Defense In Client Server Applications ...Application Security   Part 1   Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
C132733
C132733C132733
C132733
 
Indusrty Experience with the IBM Active Middleware Technology (AMiT)
Indusrty Experience with the IBM Active Middleware Technology (AMiT)Indusrty Experience with the IBM Active Middleware Technology (AMiT)
Indusrty Experience with the IBM Active Middleware Technology (AMiT)
 
Versa cloud slide-deck-03-security-aspects
Versa cloud slide-deck-03-security-aspectsVersa cloud slide-deck-03-security-aspects
Versa cloud slide-deck-03-security-aspects
 
WLAN and IP security
WLAN and IP securityWLAN and IP security
WLAN and IP security
 
Nt2580 Final Project Essay Examples
Nt2580 Final Project Essay ExamplesNt2580 Final Project Essay Examples
Nt2580 Final Project Essay Examples
 
Mule security
Mule securityMule security
Mule security
 

Dernier

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

One-Time Password

  • 1. ONE-TIME PASSWORD By Ata Ebrahimi|www.AtaEbrahimi.com
  • 2. AGENDA 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  • 3. ABSTRACT This presentation describes a one-time password authentication system (OTP). The system provides authentication for system access (login) and other applications requiring authentication that is secure against passive attacks based on replying captured reusable password.
  • 4. AGENDA 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Security and Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  • 5. NEED As organizations migrate more Business-to-Business (B2B) and Business- to-Consumer (B2C) interactions online, the need to protect identities and enable secure remote access has become critical. Traditional “static” passwords are easily stolen, frequently lost and expensive for the enterprise to manage.
  • 7. AGENDA 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  • 8. OVERVIEW One form of attack on networked computing system is eavesdropping on network connections to obtain authentication information such as the login IDs and passwords of users. Ones this information is captured, it can be used at a later time to gain access to the system.
  • 9. OVERVIEW One–time password systems are designed to counter this type of attack.
  • 10. OVERVIEW A One-Time Password (OTP) is a means of more simply and securely proving the identity of a user. In a common implementation model, the end-user carries an authentication device (called a token) that could be a standalone device, such as a card or a fob that can be hung on a key chain.
  • 11. OVERVIEW OTP Provides Simple and Secure System Access
  • 12. AGENDA 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  • 13. METHODS OF GENERATING Time-synchronized Mathematical Algorithm
  • 14. TIME SYNCHRONIZED Usually related to a piece of hardware called a Security Token Inside the token is an accurate clock that has been synchronized with the clock on the proprietary Authentication Server
  • 15. TIME SYNCHRONIZED New passwords is based on the current time In addition with previous password or a secret key.
  • 16. MATHEMATICAL ALGORITHM Previous Password-Based A chain and must be used in a predefined order and each new OTP may be created from the past OTPs used Challenge-Response Based (Event-Based) Will require a user to provide a response to a challenge, A random number chosen by authentication server and/or a counter
  • 17. PREVIOUS PASSWORD-BASED Works by starting with an initial seed s, then generating passwords f(s), f(f(s)), f(f(f(s))), ... As many times as necessary If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted
  • 18. CHALLENGE RESPONSE-BASED (EVENT-BASED) In computer security, challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated. The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password.
  • 19. CHALLENGE RESPONSE-BASED (EVENT-BASED) This can be done by inputting the value that the token has generated into the token itself To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords The computation does not usually involve the previous one-time password.
  • 20. AGENDA 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  • 22. HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM In cryptography, HMAC (Hash-based Message Authentication Code), is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret key.
  • 23. HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM Based on an increasing counter value and a static symmetric key known only to the token Using HMAC-SHA-1 algorithm to create HOTP value HOTP (K, C) = Truncate(HMAC-SHA-1 (K, C)) K = The Key, C = Counter
  • 24. TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM An extension of HMAC-based one-time password (HOTP) to support time-based moving factor
  • 25. TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM This variant of the HOTP algorithm specifies the calculation of a one-time password value, based on representation of counter as a time factor.
  • 26. TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM TOTP = HOTP(k, T) T = Number of time steps between the initial counter time T0 and current system time T = (Current System Time- T0) / X, Default Value of T0 = 0 X = Time steps in seconds Default Value of X = 30 Basically we defined TOTP as :
  • 27. AGENDA 1. Abstract 2. Need 3. Overview 4. Method of Generating 5. Algorithm 6. Performance Analysis 7. Method of Delivering 8. N-Factor Authentication 9. Discussion 10. References
  • 29. LAMPORT ALGORITHM The Registration Phase The Registration process is performed only once The Authentication Phase The Authentication procedure is executed every time the user log in to the system The Mechanism of Lamport’s algorithm consists of two phases :
  • 33. LAMPORT ALGORITHM High hash overhead Requirement of resetting the verifier (Password) Lamport algorithm has two practical difficulties :
  • 34. LAMPORT ALGORITHM Lamport algorithm is a simple procedure, but the user must use a one-way hash function many times in every authentication session Also user has to register after the M th authentication session
  • 35. CINON (CHAIN ONE-WAY DATA VERIFICATION METHOD) ALGORITHM High hash overhead and password resetting are solved by using two variable random numbers which are changed at each authentication. The two random numbers are generated by the user, and the user is required to memorize them.
  • 36. PERM (PRIVACY ENHANCED INFORMATION READING AND WRITING MANAGEMENT METHOD) ALGORITHM The random-number memorizing problem is solved: one random number is stored on the host and sent to the user at each authentication; the other random number is derived from this number by pre-determined increments.
  • 37. CINON AND PERM ALGORITHM Security flaw: replay attack (man-in-the-middle attack).
  • 38. SAS (SIMPLE AND SECURE) ALGORITHM SAS is the only one-time password authentication method which can change the verifier every session without limit.
  • 39. SAS (SIMPLE AND SECURE) ALGORITHM The mechanism of the SAS algorithm consists of two phases: the Registration Phase (the registration process is performed only once) and the Authentication Phase (the authentication procedure is executed every time the user logs in to the system).
  • 43. SAS ALGORITHM The SAS algorithm uses a one-way function five times. This function has high overhead, because a one-way function applies hash functions or common-key cryptosystems. SAS and the other methods are of little use on low-spec machines.
  • 44. SAS-2 ALGORITHM The SAS-2 algorithm can change the verifier every time and without limit. SAS-2 applies its one-way function only three times, by using two verifiers and another value for masking. This reduces hash overhead by about 40% in comparison with SAS. It is a synchronous data communication procedure.
  • 45. SAS-2 ALGORITHM The mechanism of the SAS-2 algorithm consists of two phases: the Registration Phase (the registration process is performed only once) and the Authentication Phase (the authentication procedure is executed every time the user logs in to the system).
  • 49. SAS-2 ALGORITHM USING CHALLENGE RESPONSE If the user cannot store any data, the system can use the SAS-2 protocol with a challenge-response method. The user need not store the random number, but the number of transmission iterations is increased.
  • 50. SAS-2 ALGORITHM USING CHALLENGE RESPONSE The mechanism of the SAS-2 algorithm using challenge response consists of two phases: the Registration Phase (the registration process is performed only once) and the Authentication Phase (the authentication procedure is executed every time the user logs in to the system).
  • 51. SAS-2 REGISTRATION PHASE USING CHALLENGE RESPONSE
  • 52. SAS-2 i-TH AUTHENTICATION PHASE USING CHALLENGE RESPONSE
  • 56. METHODS OF DELIVERING Paper, SMS, Mobile Phone, Token
  • 58. TWO-FACTOR AUTHENTICATION Instead of using only one type of authentication factor, such as only things a user knows (login IDs, passwords, secret images, shared secrets, solicited personal information, etc.), a second factor, something the user has or something the user is, must be supplied in order to authenticate.
  • 59. MULTI-FACTOR AUTHENTICATION Two or more of the authentication factors are required in order to be authenticated. Sometimes called strong authentication; an extension of two-factor authentication.
  • 60. MULTI-FACTOR AUTHENTICATION Existing authentication methodologies involve three basic "factors": something the user knows (password, PIN); something the user has (ATM card, smart card); something the user is (biometric characteristic, such as a fingerprint).
  • 61. MULTI-FACTOR AUTHENTICATION One problem with multi-factor authentication generally is the lack of understanding of what constitutes "true" multi-factor authentication.
  • 62. MULTI-FACTOR AUTHENTICATION Supplying a username and password; supplying additional information in the form of answers to challenge questions; adding a visual image.
  • 63. MULTI-FACTOR AUTHENTICATION True Multi-Factor Authentication: User Knows, User Has, User Is.
  • 64. MULTI-FACTOR AUTHENTICATION One-time password is certainly one of the simplest and most popular forms of two-factor authentication for securing network access.
  • 68. REFERENCES • Takasuke Tsuji, "A One-Time Password Authentication Method" • Faqs.org, "RFC 2289 – A One-Time Password System" • Faqs.org, "RFC 6238 – TOTP: Time-Based One-Time Password" • Faqs.org, "RFC 4226 – HOTP: HMAC-Based One-Time Password" • RSA Security, "Open Specifications Integrates One-Time Passwords with Enterprise Applications" • Manjula Sandirigama, Akihiro Shimizu, Matu-Tarow Noda, "Simple and Secure Password Authentication Protocol" • wikipedia.org, "One-Time Password" • wikipedia.org, "Challenge-Response Authentication" • wikipedia.org, "Hash Chain" • wikipedia.org, "HMAC" • wikipedia.org, "Multi-Factor Authentication" • wikipedia.org, "Two-Factor Authentication" • wikipedia.org, "Security Token" • wikipedia.org, "Man-in-the-Middle Attack"