OTP homework
OTP Overview
• Like a password, an OTP is used to authenticate a user before granting access to a network.
• An OTP can be used alone or together with a password. Typically the OTP is the second factor in two-factor authentication (2FA).
• For example, in large organizations VPN access often requires a user name, a password, and an OTP for remote-user two-factor authentication.
• Security is enhanced because the user must enter a different OTP each time, and the validation server checks it before the user is authenticated and authorized; a previously used OTP cannot be replayed.
Open AuTHentication (OATH)
• OATH is an industry-wide collaboration to develop an open reference architecture for strong authentication. The OATH consortium has developed a set of open, royalty-free algorithms for one-time passwords.
• Any OATH-compliant client device can interoperate with an OTP validation server that implements the same OATH algorithm.
• OATH website: www.openauthentication.org
OATH Standards-Based OTP Authentication
- the HMAC-based One-Time Password (HOTP) algorithm, which generates an OTP from a shared secret and a sequence counter;
- the Time-based One-Time Password (TOTP) algorithm, which generates an OTP from a shared secret and a counter derived from the current time;
- the OATH Challenge-Response Algorithm (OCRA), which generates an OTP from a shared secret and a response computed over a challenge.
Initial Goals of OATH
• To establish an open reference architecture for strong authentication, by leveraging existing open standards
• To propagate device credentials, strong authentication algorithms and authentication software to many network end-points
• To propagate low-cost, multi-function authentication devices (e.g. tokens and smart cards).
High Level Authentication Framework
(Figure: authentication methods arranged by security level. Static password: identification and weak authentication. Soft token, certificate, hardware token, smartcard and biometrics: identification and strong authentication, up to the strongest security.)
Two Factor Credentials Comparison
Five Key Points of Network Security
• Authentication: the base of network security; confirms the identity of the user.
• Authorization: uses specific parameters to indicate the user's access rights.
• Secrecy: ensures that only the authorized user can access sensitive information, securing the communication to the greatest extent.
• Integrity: ensures data integrity and accuracy.
• Non-repudiation: an authenticated user cannot deny having sent or received data.
Network security is under threat if the user's identity cannot be confirmed:
• proper authorization fails;
• encryption becomes ineffective;
• transaction data becomes meaningless.
Shortcomings of Static Passwords
No.1 A password typed by the user is easily stolen.
No.2 Most passwords can be guessed with little effort.
No.3 Passwords are usually used indefinitely without being changed.
No.4 It is too difficult to remember all the passwords needed across distributed systems.
Two Factor Password Composition
Username: Feitian
Password: ftsafe + 555532
Two-factor password = PIN + dynamic OTP
The dynamic OTP is initialized from UTC time (time-based) and changes every 60 seconds.
The full two-factor password consists of the PIN (set up by the customer at first use) and the dynamic one-time password generated each time.
Dynamic OTP Authentication Principle
Customer side: Account 1 + PIN + timer/event + algorithm + seed -> OTP 555532
Authentication server side: same account + same PIN + same event counter/timer + same algorithm + same seed -> the same OTP 555532
Time/Event Synchronous OTP Principle
Customer token: pre-stored seed + sequence/timer of the generated OTP -> symmetric algorithm -> generated OTP
Authentication server: pre-stored seed + sequence/timer of the logon user -> symmetric algorithm -> expected OTP
Validate: the server compares the generated OTP with the expected OTP.
Challenge/Response OTP Principle
Authentication server: pre-stored seed + challenge -> symmetric algorithm -> expected OTP (response)
Customer token: pre-stored seed + challenge entered by the user -> symmetric algorithm -> generated response
Validate: the server compares the generated response with the expected response.
Comparison of the three types of OTP technology
Time synchronous
• Simple, usable, manageable; uses few network resources
• Less secure than challenge-response
• Central management system; no need to synchronize frequently
Event synchronous
• Simple, usable, manageable
• Less secure than challenge-response; security risk if the token is stolen
• Needs a batch processing system for batch authentication
Challenge-response
• High security, multipurpose
• More complicated operation; uses more network resources
• Suited to systems with high security requirements
OTP Authenticator Overview
Product timeline (2006 - 2008): OTP C100, OTP C200, OTP C300, OTP C400, OTP C500
OTP C100 Introduction
Event synchronous; simple to use; enhanced security; more stable; low cost.
Each one-time password is generated by applying the OATH HOTP cryptographic function to the fixed seed code and a sequence number incremented with each button click.
OTP C200 Introduction
Time synchronous; simple to use; enhanced security; more stable; low cost.
Each one-time password is generated by applying the OATH TOTP cryptographic function to the fixed seed code and the current time relative to the UTC epoch.
OTP C300 Introduction
Challenge-response; PIN-protected OTP; high functionality; safer.
Each one-time password is generated by applying the OATH OCRA cryptographic function to the fixed seed code, computing the response to an external challenge.
Security Performance
Dynamic OTP generation mechanism: the tokens use the Open AuTHentication (OATH) standard algorithms, including event-synchronous HOTP, time-synchronous TOTP and challenge-response OCRA. For example, TOTP is computed as follows (the flowchart of dynamic OTP generation was shown on the right of the slide):
TOTP = Truncate(HMAC-SHA-1(K, T))
Here in the formula,
• K is the OTP seed secret, and
• T is the number of time steps elapsed since the initial time T0, T = floor((current Unix time - T0) / X), where X is the time step in seconds (60 seconds for the C200 token; the RFC 6238 default is 30).
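The three OATH algorithms above, together with the server-side checks a validation server has to perform (a look-ahead window for event-synchronous tokens, a clock-drift window for time-synchronous tokens, and the PIN + OTP split from the two-factor password slide), as an added Python example; this is not Feitian's token firmware or server code. It assumes the RFC 4226 / RFC 6287 sample key "12345678901234567890" as the seed, a 6-digit TOTP with a 30-second step in the function defaults (the C200's 60-second step is passed as a parameter), and the OCRA suite OCRA-1:HOTP-SHA1-6:QN08 (numeric 8-digit challenge, no counter, PIN, session or timestamp input), which is the only suite family the ocra() helper handles.

```python
import hashlib
import hmac
import struct
import time

# Added example, not Feitian's token or server code. Constructed seed: the
# RFC 4226 / RFC 6287 sample key "12345678901234567890" (ASCII bytes).
SEED = b"12345678901234567890"


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: take the low nibble of the last HMAC byte as an
    offset, read 4 bytes there, clear the top bit, reduce modulo 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP = Truncate(HMAC-SHA-1(K, C)), C an 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(seed: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """TOTP = HOTP(K, T) with T = floor((unix_time - T0) / step)."""
    return hotp(seed, (unix_time - t0) // step, digits)


def ocra(seed: bytes, suite: str, question: str) -> str:
    """OCRA for suites of the form OCRA-1:HOTP-SHA1-<digits>:QN08 only (numeric
    challenge; no counter, PIN, session or timestamp input).
    DataInput = suite || 0x00 || Q, where Q is the decimal challenge written
    in hex and left-justified (zero-padded on the right) in 128 bytes."""
    crypto, data_input = suite.split(":")[1], suite.split(":")[2]
    if not crypto.startswith("HOTP-SHA1-") or not data_input.startswith("QN"):
        raise ValueError("unsupported OCRA suite: " + suite)
    digits = int(crypto.split("-")[2])
    q_hex = format(int(question, 10), "x").ljust(256, "0")
    data = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(seed, data, hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def validate_hotp(seed: bytes, stored_counter: int, submitted: str, look_ahead: int = 10):
    """Event-synchronous server check. The token may be ahead of the server
    (button pressed without logging in), so search a look-ahead window and
    resynchronise on success. Returns the new stored counter, or None."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return c + 1  # this and every earlier counter are now burned
    return None


def validate_totp(seed: bytes, submitted: str, now: int, step: int = 30,
                  skew_steps: int = 1, t0: int = 0, digits: int = 6) -> bool:
    """Time-synchronous server check allowing +/- skew_steps of clock drift."""
    current = (now - t0) // step
    for c in range(max(0, current - skew_steps), current + skew_steps + 1):
        if hmac.compare_digest(hotp(seed, c, digits), submitted):
            return True
    return False


def validate_ocra(seed: bytes, suite: str, challenge: str, submitted: str) -> bool:
    """Challenge-response server check: recompute the expected response."""
    return hmac.compare_digest(ocra(seed, suite, challenge), submitted)


def check_two_factor(submitted: str, pin: str, seed: bytes, now: int, step: int = 60) -> bool:
    """The slide's two-factor password (PIN + dynamic OTP, e.g. ftsafe + 555532):
    the last six characters are the OTP, the rest is the PIN. Both parts are
    always evaluated and combined with & so a wrong PIN and a wrong OTP are
    rejected on the same code path."""
    if len(submitted) <= 6:
        return False
    pin_part, otp_part = submitted[:-6], submitted[-6:]
    pin_ok = hmac.compare_digest(pin_part.encode(), pin.encode())
    otp_ok = validate_totp(seed, otp_part, now, step)
    return bool(pin_ok & otp_ok)


if __name__ == "__main__":
    now = int(time.time())
    print("HOTP counter 0:", hotp(SEED, 0))  # RFC 4226 vector: 755224
    print("TOTP now (60 s step):", totp(SEED, now, step=60))
    print("OCRA response to 11111111:", ocra(SEED, "OCRA-1:HOTP-SHA1-6:QN08", "11111111"))
    print("2FA check:", check_two_factor("ftsafe" + totp(SEED, now, step=60), "ftsafe", SEED, now, step=60))
```

The look-ahead window in validate_hotp is what makes event-synchronous tokens workable in practice (the "needs batch processing / synchronization" point in the comparison above): without it, one stray button press desynchronizes the token for good. The window must be small and the stored counter must always move forward, otherwise an attacker who captured an unused OTP can replay it.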
Software OTP Description
Soft OTP Token: a desktop software utility used to generate dynamic OTPs.
The current Soft OTP supports two types, HOTP and TOTP, depending on the seed type.
Soft OTP is intended for internal testing, not for official release.
Soft OTP offers lower security than a hardware token.
Mobile OTP Description
Mobile OTP: a Java application running on the mobile phone to generate dynamic OTPs.
The current Mobile OTP targets PDA phones with Java support.
The security of Mobile OTP depends directly on the PDA phone, so it offers lower security than the OTP hardware token.
SMS OTP Description
The generated OTP is sent to the user's mobile phone by SMS.
The system must include a dynamic OTP generator and a facility for sending SMS, such as an SMS gateway.
All the user needs is a mobile phone to receive the SMS carrying the dynamic OTP at login time.
Suited as an auxiliary function alongside the hardware OTP token, not for stand-alone use.
Homework
• HOTP Server
• TOTP Server
• OCRA Server
• HOTP Client (PC)
• TOTP Client (PC)
• OCRA Client (PC)
• HOTP Client (Mobile Device)
• TOTP Client (Mobile Device)
• OCRA Client (Mobile Device)