This OTP presentation gives a complete overview of OTP: the methods of generating one-time passwords, the algorithms, security and performance analysis, methods of delivering, and N-factor authentication.
2. AGENDA
1. Abstract
2. Need
3. Overview
4. Method of Generating
5. Algorithm
6. Performance Analysis
7. Method of Delivering
8. N-Factor Authentication
9. Discussion
10. References
3. ABSTRACT
This presentation describes a one-time password (OTP) authentication
system. The system provides authentication for system access (login) and
other applications requiring authentication, and it is secure against
passive attacks based on replaying captured reusable passwords.
5. NEED
As organizations migrate more Business-to-Business (B2B) and Business-
to-Consumer (B2C) interactions online, the need to protect identities and
enable secure remote access has become critical. Traditional “static”
passwords are easily stolen, frequently lost and expensive for the
enterprise to manage.
8. OVERVIEW
One form of attack on networked computing systems is eavesdropping on
network connections to obtain authentication information such as the login
IDs and passwords of users. Once this information is captured, it can be
used at a later time to gain access to the system.
10. OVERVIEW
A One-Time Password (OTP) is a means of more simply and securely
proving the identity of a user. In a common implementation model, the
end-user carries an authentication device (called a token) that could be a
standalone device, such as a card or a fob that can be hung on a key chain.
14. TIME SYNCHRONIZED
Usually related to a piece of hardware called a security token.
Inside the token is an accurate clock that has been synchronized
with the clock on the proprietary authentication server.
16. MATHEMATICAL ALGORITHM
Previous Password-Based
The passwords form a chain and must be used in a predefined order; each new OTP may be
created from the past OTPs used.
Challenge-Response Based (Event-Based)
Requires the user to provide a response to a challenge: a random number chosen by the
authentication server and/or a counter.
17. PREVIOUS PASSWORD-BASED
Works by starting with an initial seed s, then generating the
passwords f(s), f(f(s)), f(f(f(s))), ... as many times as necessary.
If an indefinite series of passwords is wanted, a new seed
value can be chosen after the set for s is exhausted.
18. CHALLENGE RESPONSE-BASED (EVENT-BASED)
In computer security, challenge-response authentication is a family of
protocols in which one party presents a question ("challenge") and another
party must provide a valid answer ("response") to be authenticated.
The simplest example of a challenge-response protocol is password
authentication, where the challenge is asking for the password and the
valid response is the correct password.
19. CHALLENGE RESPONSE-BASED (EVENT-BASED)
This can be done by inputting the value that the token has generated into the
token itself.
To avoid duplicates, an additional counter is usually involved, so if one happens to
get the same challenge twice, this still results in different one-time passwords.
The computation does not usually involve the previous one-time password.
22. HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM
In cryptography, HMAC (Hash-based Message Authentication
Code), is a specific construction for calculating a message
authentication code (MAC) involving a cryptographic hash
function in combination with a secret key.
23. HMAC-BASED ONE-TIME PASSWORD (HOTP) ALGORITHM
Based on an increasing counter value and a static symmetric
key known only to the token.
Uses the HMAC-SHA-1 algorithm to create the HOTP value:
HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))
K = the key, C = the counter
24. TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM
An extension of HMAC-based one-time password
(HOTP) to support time-based moving factor
25. TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM
This variant of the HOTP algorithm specifies the
calculation of a one-time password value, based
on representation of counter as a time factor.
26. TIME-BASED ONE-TIME PASSWORD (TOTP) ALGORITHM
Basically we define TOTP as:
TOTP = HOTP(K, T)
T = number of time steps between the initial counter time T0 and the current system time
T = floor((Current System Time - T0) / X), default value of T0 = 0
X = time step in seconds, default value of X = 30
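The HOTP and TOTP definitions from slides 23 to 26, worked as an added example (not code from the original deck). It implements RFC 4226 dynamic truncation and the T = (now - T0) / X time factor, and adds an assumed server-side check that rejects a replayed HOTP code by never accepting a counter at or below the last one used; RFC_KEY is the published RFC test secret.

```python
import hmac
import hashlib
import struct

RFC_KEY = b"12345678901234567890"   # the RFC 4226 / RFC 6238 test secret (ASCII)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) as specified in RFC 4226."""
    msg = struct.pack(">Q", counter)                  # C as an 8-byte big-endian integer
    mac = hmac.new(key, msg, hashlib.sha1).digest()   # 20-byte HMAC-SHA-1
    offset = mac[-1] & 0x0F                           # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep `digits` decimal digits, zero padded

def totp(key: bytes, now: int, t0: int = 0, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP(K, T) with T = floor((now - T0) / X); defaults T0 = 0, X = 30 as on the slide."""
    return hotp(key, (now - t0) // step, digits)

class HotpVerifier:
    """Assumed server side: a code is accepted only for a counter strictly ahead of
    the last accepted one, so a captured code cannot be replayed later."""
    def __init__(self, key: bytes, look_ahead: int = 5):
        self.key = key
        self.last_counter = -1          # no code accepted yet
        self.look_ahead = look_ahead    # tolerate a token that was pressed a few times unused

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c   # resynchronise; this and all older codes are now dead
                return True
        return False

def verify_totp(key: bytes, code: str, now: int, drift: int = 1, step: int = 30) -> bool:
    """Accept the current time step plus or minus `drift` steps of clock skew."""
    t = now // step
    return any(hmac.compare_digest(hotp(key, t + d), code)
               for d in range(-drift, drift + 1))
```

The RFC 4226 vectors (counter 0, 1, 2 give 755224, 287082, 359152) and the RFC 6238 vector (time 59 gives 94287082 with 8 digits) can be used to confirm the implementation.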
29. LAMPORT ALGORITHM
The mechanism of Lamport's algorithm consists of two phases:
The Registration Phase
The registration process is performed only once.
The Authentication Phase
The authentication procedure is executed every time the user logs in to the system.
33. LAMPORT ALGORITHM
The Lamport algorithm has two practical difficulties:
High hash overhead
Requirement of resetting the verifier (password)
34. LAMPORT ALGORITHM
The Lamport algorithm is a simple procedure, but the user must apply a
one-way hash function many times in every authentication session.
Also, the user has to register again after the M-th authentication session.
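The hash chain of slide 17 and the two Lamport phases of slides 29 to 34, worked as an added example (not code from the original deck). The user registers the verifier f^M(s) once; at login i the user sends f^(M-i)(s), the host checks that one more application of f yields its stored verifier and then stores the received value as the new verifier. SHA-256 as f, the class names and the constructed demo walk-through are assumptions.

```python
import hashlib
import hmac
import secrets

def f(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()      # the one-way function f (SHA-256 is assumed)

def chain(seed: bytes, n: int) -> bytes:
    """f^n(seed): f(s), f(f(s)), ... applied n times."""
    for _ in range(n):
        seed = f(seed)
    return seed

class LamportUser:
    """Keeps the seed s and walks the chain backwards, one password per login."""
    def __init__(self, seed: bytes, m: int):
        self.seed, self.remaining = seed, m

    def register(self) -> bytes:
        return chain(self.seed, self.remaining)   # verifier f^M(s), sent once at registration

    def next_password(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted after M logins: re-register with a new seed")
        self.remaining -= 1
        # Session i sends f^(M-i)(s); recomputing it costs M-i hashes (the overhead the slides note)
        return chain(self.seed, self.remaining)

class LamportHost:
    """Stores only the current verifier, never the seed."""
    def __init__(self, verifier: bytes):
        self.verifier = verifier

    def authenticate(self, password: bytes) -> bool:
        if hmac.compare_digest(f(password), self.verifier):
            self.verifier = password   # advance: the password just used becomes the verifier
            return True
        return False                   # wrong, stale or replayed password

def demo(m: int = 3) -> dict:
    """Constructed walk-through: M logins succeed, a replayed password fails, then the chain is spent."""
    user = LamportUser(secrets.token_bytes(16), m)
    host = LamportHost(user.register())
    p1 = user.next_password()
    first = host.authenticate(p1)
    replay = host.authenticate(p1)     # an eavesdropper resends the captured p1
    rest = [host.authenticate(user.next_password()) for _ in range(m - 1)]
    return {"first": first, "replay": replay, "rest": rest, "exhausted": user.remaining == 0}
```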
35. CINON (CHAIN ONE-WAY DATA VERIFICATION METHOD) ALGORITHM
High hash overhead and password resetting are solved
by using two variable random numbers which are changed
at each authentication.
The two random numbers are generated by the user, and
the user is required to memorize them.
36. PERM (PRIVACY ENHANCED INFORMATION READING AND WRITING MANAGEMENT METHOD) ALGORITHM
The random number memorizing problem is solved:
one random number is stored in the host and sent to the
user at each authentication;
the other random number is derived from this number by
pre-determined increments.
37. CINON AND PERM ALGORITHM
Security flaw:
Replay attack (man-in-the-middle attack)
38. SAS (SIMPLE AND SECURE) ALGORITHM
The SAS is the only one-time password
authentication method which can change
verifiers every session without limit.
39. SAS (SIMPLE AND SECURE) ALGORITHM
The mechanism of the SAS algorithm consists of two phases:
The Registration Phase
The registration process is performed only once.
The Authentication Phase
The authentication procedure is executed every time the user logs in to the system.
43. SAS ALGORITHM
The SAS algorithm uses a one-way function five times.
This function has high overhead, because a one-way function applies hash
functions or common-key cryptosystems.
SAS and the other methods are therefore useless for low-spec machines.
44. SAS-2 ALGORITHM
The SAS-2 algorithm can change verifiers every time and without limit.
SAS-2 applies its function only three times, by using two verifiers and another value for masking.
This reduces hash overhead by about 40% in comparison with SAS.
A synchronous data communication procedure.
45. SAS-2 ALGORITHM
The mechanism of the SAS-2 algorithm consists of two phases:
The Registration Phase
The registration process is performed only once.
The Authentication Phase
The authentication procedure is executed every time the user logs in to the system.
49. SAS-2 ALGORITHM USING CHALLENGE RESPONSE
If the user can't store any data, the system can use the SAS-2 protocol with the
challenge-response method.
The user need not store the random number.
Transmission iterations are increased.
50. SAS-2 ALGORITHM USING CHALLENGE RESPONSE
The mechanism of the SAS-2 algorithm using challenge response consists of two phases:
The Registration Phase
The registration process is performed only once.
The Authentication Phase
The authentication procedure is executed every time the user logs in to the system.
58. TWO-FACTOR AUTHENTICATION
Instead of using only one type of authentication factor, such as
only things a user knows (login IDs, passwords, secret images,
shared secrets, solicited personal information, etc.),
a second factor, something the user has or something the user
is, must be supplied in order to authenticate.
59. MULTI-FACTOR AUTHENTICATION
Two or more of the authentication factors are required for being authenticated.
Sometimes called strong authentication.
An extension of two-factor authentication.
60. MULTI-FACTOR AUTHENTICATION
Existing authentication methodologies involve three basic "factors":
Something the user knows (password, PIN)
Something the user has (ATM card, smart card)
Something the user is (biometric characteristic, such as a fingerprint)
61. MULTI-FACTOR AUTHENTICATION
One problem with multi-factor authentication
generally is the lack of understanding of what
constitutes "true" multi-factor authentication.
62. MULTI-FACTOR AUTHENTICATION
Supplying a username and password
Supplying additional information in the form of answers to
challenge questions
Adding a visual image