One Time Password - A two factor authentication system
•Download as PPTX, PDF•
7 likes•6,186 views
This document provides an overview of one-time passwords (OTP), including a brief history, benefits and costs, categories, generation methods like HOTP and TOTP, delivery methods, relevant RFCs and standards, potential attacks, and development libraries. It defines an OTP as a single-use password or code used to authenticate over untrusted channels, complementing a user password for two-factor authentication. Common OTP types are event-based HOTP, which uses a HMAC to generate codes based on a key and counter, and time-based TOTP, which extends HOTP to generate codes based on time.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to One Time Password - A two factor authentication system
Similar to One Time Password - A two factor authentication system (20)
Recently uploaded
Recently uploaded (20)
One Time Password - A two factor authentication system
- 1. ONE TIME PASSWORD By Swetha Kogatam SJSU ID: 009439339
- 2. AGENDA Introduction Brief History of OTP systems Benefits &Costs, Categories of OTP Methods of Generation • HOTP & TOTP Methods of delivery RFCs and standards Attacks OTP Development Libraries
- 3. What is a One-time Password? A single-use password or series of codes used to authenticate a user over an untrusted communication channel • Complements a user password Two-Factor Authentication
- 4. Brief & Probable History Leslie Lamport wrote an article on chaining hashes for authentication (CACM 1981) Bellcore developed S/Key based on the Lamport scheme (1994) Hardware tokens are developed OPIE was a more modern implementation and compatible with S/Key OTPW developed
- 5. Modern day examples for OTP
- 6. Benefits of OTPs Cost effective alternative for expensive digital certificates Cannot be reused Avoids expensive Hardware tokens Can be time-limited Can be used over untrusted communication paths • Telnet, web-based, serial terminals Can use with a compromised user password Multiple generation/delivery mechanisms
- 7. Costs Difficult for human beings to memorize and require additional technology to work Based on a shared secret Software tools can be compromised Attacks are still possible
- 8. Categories of OTPs More often used two types of OTPs are 1. Event Based - HMAC-based One-time Password (HOTP) 2. Time Based - Time-based One time Password (TOTP) Others include 1. Challenge-based - User enters a key sent from server plus a password 2. Proprietary – RSA SecureID
- 9. Methods of Generation - HOTP HOTP (HMAC-based) • Computes a HMAC-SHA-1 and truncation to compute the HOTP value • HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)) Where the Key (K), the Counter (C),
- 10. HOTP We can describe the operations in 3 distinct steps: Step 1: Generate an HMAC-SHA-1 value Let HS = HMAC-SHA-1(K, C) // HS is a 20-byte string Step 2: Generate a 4-byte string (Dynamic Truncation) Let Sbits = DT (HS) // DT, defined below, // returns a 31-bit string Step 3: Compute an HOTP value Let Snum = StToNum (Sbits) // Convert S to a number in 0...2^{31}-1 Return D = Snum mod 10^Digit // D is a number in the range 0...10^ {Digit}-1
- 11. TOTP TOTP (Time-based) • An extension of HOTP to support time • TOTP = HOTP (K, T), • TOTP(K,C) = Truncate(HMAC-SHA-1(K,T)) • Where T = (Current Unix time - T0) / X, where the default floor function is used in the computation • For example, with T0 = 0 and Time Step X = 30, T = 1 if the current UNIX time is 59 seconds, and T = 2 if the current UNIX time is 60 seconds
- 12. Methods of Delivery Software applications • Command line OTP calculators Text messaging • Requests are made to send a code via SMS • Requests from SMS itself or out-of-band Phone call • During the authentication process, you receive a phone call and enter a PIN
- 13. More Methods of Delivery Paper • Lists of passwords or codes to use • Some systems use paper codes as a backup Hardware token • Token has a rotating display of the current code • May have buttons for challenges Mobile applications • The code is displayed exactly like a HW token • OTP calculators can work with counter-based OTP
- 14. RFCs and Standards RFC 1760, The S/KEY One-Time Password System RFC 2289, A One-time Password System RFC 4226, HOTP: An HMAC-Based One-Time Password Algorithm RFC 6238, TOTP: Time-based One-time Password Algorithm
- 15. Attacks on OTP Man-in-the-Middle • Attacker captures and resends authentication data to legitimate server Mobile based delivery for OTPs can be attacked Paper based delivery for OTPs - theft
- 16. OTP Development Libraries Java: javaotp Ruby: ropt, ruby-otp Python: POTP PHP: OTPHP, multiOTP C/C++: OpenOTP Many more available
- 17. Questions