Two Factor Authentication Based Generated One Time Password

Transcription

1 Dr. Hlal Had Computer Scences Department, Unversty of Technology/Baghdad Rana Faeez Computer Scences Department, Unversty of Technology/Baghdad Emal: Revsed on:12/10/2014 & Accepted on: 7/5/2015 ABSTRACT: Ths paper explans a method of how the two factors authentcaton mplemented usng software token to generate (OTP) to secure users accounts. The proposed method guarantees authentcatng e-learnng features. The proposed system nvolves generatng of OTP by usng authentcaton web servce. The generated code s vald for only one logn and t s verfed usng Secured Cryptographc Algorthm. The proposed system has been mplemented and tested successfully. التخویل ثناي ي العوامل بالاعتماد على كلمة المرور المتولدة مرة واحدة الخلاصة: ھذا البحث یوضح طریقة كیفیة تمثیل التخویل ثناي ي العوامل باستخدام برنامج الرمز لتولید OTP لتا مین حسابات المستخدمین. الطریقة المقترحة تضمن توثیق میزات التعلم الالكتروني. النظام المقترح یتضمن تولید كلمة المرور المستخدمة لمرة واحدة باستخدام مصادقة خدمة الویب OTP المولد یكون صالح لتسجیل دخول واحد فقط ویتم التحقق منھ باستخدام خوارزمیة التشفیر المو منة. وقد تم تنفیذ النظام المقترح واختباره بنجاح. Keywords: Authentcaton, OTP, HMAC,SHA256, DES INTRODUCTION Securty s a major concern today n all sectors such as educatonal nsttutons, governmental applcatons, mltary organzatons, banks, etc. The rapd growth n the number of onlne servces leads to an ncreasng number of dfferent dgtal denttes each user needs to manage. But statc passwords are perhaps the most common type of credental used today [1]. In spte of statc password s short and easy, But t has many dsadvantages they are based on subjects close to the user - weddng date, chldren's name. When dfferent systems have dfferent passwords they can be dffcult to remember and may have to be wrtten down rasng ther vulnerablty [2]. To overcome statc password drawbacks, a new method was nvented that s called "One Tme Password (OTP)" OTP s a password that vald for only one logn sesson or 373

2 transacton. Ths OTP allows the user to get logn nto the system by enterng hs password wth OTP [3]. Some solutons based on hardware token to generate OTP, but tokens need cost to purchasng and managng. Tokens are vulnerable to be lost or stolen. So we propose a securely generated and verfed OTP based web servce. The OTP generator s nstalled on each clent computer, whch users run to generate a new OTP wth a predefned expre tme. INCEPTION E-learnng systems represent a new form of learnng and are becomng more and more popular every day. Hence, securty n e-learnng has become a fundamental requrement. But the problem of e-learnng systems s that only lttle money nvested for securty. Also to authentcate an e-learner s a major challenge n an e-learnng envronment. The role of authentcaton technques to prevent unauthorzed access by malcous users becomes more sgnfcant [4]. Authentcaton s the act of creatng or valdatng somethng (or someone) as authentc and clams made about the topc are true. User authentcaton methods can be classfed nto three categores: (1) Methods based on human memory (What you know) such as passwords. (2)Methods based on physcal devces (What you have) such as magnetc, token, etc. (3) Methods based on bometrcs(what you are) such as fngerprnt, rs, etc. Tokens could be a hardware and software. The use of tokens provdes a much safer envronment for users, but t can be very costly for organzatons. For example, an e- learnng foundaton wth hundred learners wll have to purchase, nstall, and mantan a hundred tokens. Furthermore, the foundaton has to provde contnuous support for tranng learners on how to use the tokens [5]. From the user's perspectve, havng an account wth more than one foundaton means need to carry and mantan several tokens whch consttute a bg nconvenence and can lead to tokens beng lost, stolen, or broken. So we propose a computer-based software token that wll save the organzatons, the cost of purchasng and mantanng the hardware tokens [6]. ONE TIME PASSWORDS A (OTP) s just what the names mples, a password that s only vald for one logn. The beneft of OTPs s that t offers much hgher securty than statc passwords, n expense of user frendlness and confguraton ssues. OTPs are mmune aganst password snffng attacks.otp can be generated usng dfferent methods [7]: -Tme-based OTPs: A devce wth an nternal clock generates passwords that are dependng on the current tme, and the same password s generated at the authentcaton server. The generated OTP s only vald for a short perod of tme, before t expres [8]. - Counter-synchronzed OTPs: A counter s synchronzed between the authentcaton server and the devce. For each logn the counter advance one step n the devce and n the server [9].-Seed-chan 374

3 OTPs: In ths method, a prevous entered OTP s used as a seed to generate a new OTP, buldng a chan of passwords that all depend on the prevous password. The passwords wll be prnted out on a pece of paper, and the user wll have to follow the lst n the correct order to be able to log n [2]. -Challenge-based OTPs: These knds of OTPs are used together wth two-factor authentcaton. A user has to put a challenge nto the generatng devce (often a PIN code) n order to generate the OTP [10]. Extng HOTP Algorthm The Hash Message Authentcaton Code (HMAC) -based (HOTP) algorthm [11] s based on an ncreasng counter value and a statc symmetrc key known only to the token and the valdaton servce. In order to create the HOTP value, we wll use the HMAC-SHA-1algorthm.As the output of the HMAC-SHA-1 calculaton s 160 bts, we must truncate ths value to somethng that can be easly entered by a user. A bref descrpton of HMAC-SHA-1 gven n the followng: HOTP (K, C) = Truncate (HMAC-SHA-1(K, C)) (1) Where: Truncate represents the functon that converts an HMAC-SHA-1 value nto an HOTP value The Key (K), the Counter (C), and Data values are hashed hgh-order byte frst. [11] Wth a strong foundaton of the exstng HOTP algorthm, t s necessary to know where the changes should be ncorporated to adapt t to our specfcatons whle retanng ts strengths. Fgure (1) flow dagram provdes graphcal summary of the workng and generaton of OTP usng ths algorthm. The heart of the algorthm s the HMAC-SHA-1 dgest that s produced. HMAC s not a hash functon. It s a message authentcaton code (MAC) that uses the hash functon nternally. The HMAC-SHA-1 uses a shared "Key" wth the user and a "Counter" value as a seed to generate a 160 bts message dgest. The counter value changes wth every logn and thus provdes randomness. Ths 160 bts message dgest s then suppled to a truncaton functon that generates a 6 dgt OTP usng modulo functon [11]. Fgure (1).Flow dagram of the exstng algorthm[12] 375

4 For better securty t s recommended the use of 7-dgt or 8-dgt OTPs. The Chnese group [13] proved that t was possble to break SHA1 hashes. Although HMAC-SHA1 s not compromsed due to the breaks n SHA1 hash functon, t s a good dea to use another hash algorthm whch gves more securty aspects and fnds a schema to ncrease the randomness of the produced OTP. System Desgn and Implementaton In ths paper, the proposed computer-based software token was mplemented and tested. That s supposed to replace exstng hardware token devces. The System nvolves generaton of Secured OTP usng Cryptographc algorthm and verfy the authentcated users to access to the allowed servces, the proposed OTP generator wll be nstalled on each clent computer, whch users wll run to generate a new OTP. The user wll type the OTP value when prompted by the web browser and clcks submt. The authentcaton server calls a web servce to verfy authentcaton attempts by usng the same Cryptographc algorthm and the user nformaton from the SQL server table check the OTP computaton to respond wth success or falure. The Proposed OTP Algorthm To buld strong authentcaton system, the generated OTP must be unpredcted, hgh randomness, hard to retreve by hackers; therefore, there s a need to develop a secure OTP algorthm. The followng factors wll be used to generate OTP: User name: unque name that dentfes each regstered user wth the system. Password: secret phrase for each user, that submts to the system durng regstraton actvty. (Somethng the user knows). E-mal: electronc mal for the user. Phone number: phone number of the user. Algorthm1: Proposed OTP Generaton Algorthm Input : The value of current counter, C. User nformaton n bts. The value of the user key, K. Output: OTP of length 8-dgts. Processng: Part A // (HMAC-SHA256 ) Step1: Makng concatenate the user nformaton wth C and encode as a message. Step2: calculate the (HMAC-SHA256) to the result from step1 wth the key, K. Step3: Passng the result of step2 n part A to truncate operaton. 376

5 Part B // (Truncate Operaton) Step1: Splt the receved result from HMAC-SHA256 nto four sub groups each wth (8 bytes) length. Step2: Apply Data Encrypton Standards-Permutaton Choce1 (DES-PC1) to each of these sub groups to produce four sub groups each wth (7 bytes) length. Step3: Apply (DES-PC2) to the result of prevous step to produce four groups each wth (6 bytes) length. Step4: Apply (DES- 8 substtuton boxes) to the result of step3 to produce four sub groups each wth (4 bytes) length. Step5: Makng XOR between the results groups as follow A = group1 XOR group3 B = group2 XOR group4 Step6: makng XOR between group A and group B, to produce the fnal group whch s (32 bts). Step7: Splt the fnal 32 bts nto 8 sub-groups each wth 4 bts length. Step8: Convertng the groups of step7 to hexadecmal. Step9: convertng the Asc values to character strng. Step10: Dsplay the fnal result from step9 to the user as (OTP). End Fgure (2). Show the flow dagram of Algorthm (1). Fgure(2)Flow dagram of the proposed algorthm 377

6 System Modules Regstraton Phase The servce provder dsplays logn screen to the users. Then users create an account by submttng the requred nformaton and clck on submt button n logn page. The nformaton entered durng the regstraton are stored n a database.the URL lnk of the OTP applcaton wll be sent to the e-mal address of the user. Now the user downloads ths applcaton to generate the OTP. Fgure(2) shows the regstraton page. Fgure (3). Regstraton page A. Authentcaton Phase Processng of authentcaton model descrbed n Fg. (4). 1. The user logs n to the servce provder s web ste, e.g.: an E-Learnng ste, requestng access, As a response to ths access request, secure sesson establshed allowng the user enter hs authentcaton prvleges (user name, password) The frst factor of authentcaton. 2. The servce provder verfes user nformaton by checkng f t s exst n the SQL DB. 3. If the verfcaton was successful, return to user success message and requres OTP, Else gves falure message to the user and suggests vstng the regstraton page. 4. The user run the OTP applcaton on hs/her computer and generates OTP based on the user nformaton, current count, and the secret key. 5. The user logs n web ste by submttng the password and the generated OTP. 6. The servce provder generates OTP based on the current counter, secret key of ths user, and the retreved user nformaton from the DB. 7. Verfy the OTP, f the generated OTP by the provder s the same as the receved OTP from the user, return logn success else logn falure. 378

7 At user end User logn usng 1 If match User name/ password At server end 2 Match user name/ password n DB 4 The user generates OTP 3 Return a request of OTP to the user 5 Logs by OTP + password 6 Generate OTP based on user nfo., current counterand secret key If receved OTP = generated OTP 7 Logn success Fgure (4) Processng of the model OTP Illustraton The user nfo, random secret key and current counter all are the nputs to the proposed algorthm to produce (32bytes), whch reduced to 8 characters OTP code. For example, the user nfo as n (fg.5), current counter s 64bts 7b4510c4ef07b198 and the random secret key value was 256bts 77ad4d0d33dd8954b3b3c4f ba6ae1fd fee e5cac.The result of the HMAC-SHA-256 was 46c96e730ecf3c755e75cdac4a46d50a616 f034011e97054fa9949eefb8b58a8, whch passed to truncaton operaton to be reduced to (32 bts). The result of truncaton was encoded to represent the OTP code, whch s 15821DC9 based of the above gven nput parameters. Ths code s vald for one logn only. 379

8 Fgure (5) Proposed software for OTP SystemTests and Analyss 1. Tests of randomness The randomness of the generated OTP depends on dfferent factors; the most mportant factor was the randomness of the secret key. The proposed algorthm uses SHA256 hash functon, the permutaton and substtuton of the DES and the XOR operaton. - The permutatons and substtutons wll ncrease the randomness of the generated OTP. - The XOR operaton have the property of preserve the randomness meanng that a random bt XOR wth a non-random bt wll result n a random bt. Multple sources of potentally random data can be combned usng XOR, and the unpredctablty of the output s guaranteed to be at least as good as the best ndvdual source [14]. To prove the randomness of the generated OTP, we experment the randomness by passng t through four popular tests of randomness[15]: A. Frequency Test The purpose of ths test s to determne whether the number of 0 s and 1 s n s are approxmately the same, as would be expected for a random sequence, Whch approxmately follows a α2 dstrbuton wth 1 degree of freedom f n 10 X1 = (n0 n1) 2 /n (2) B. Blocks Test The Block test dvdes a pattern nto blocks and examnes the number of 1s n each block. A random pattern would be expected to have about 50 percent 1s n every block. C. Runs Test The purpose of the runs test s to determne whether the number of runs (of ether zeros or ones) of varous lengths n the sequence s s as expected for a random sequence. The expected number of gaps (or blocks) of length n a random sequence of length n s e = (n +3)/2+2. Let k be equal to the largest nteger for whch e 5. Let B, G be the number of blocks and gaps, respectvely, of length n s for each, 1 k. The statstc used: K 2 K 2 ( b e ) ( g e ) X 2 = +. (3) e e = 1 = 1 380

9 Whch approxmately follows a α 2 (ch-square dstrbuton) wth 2k 2 degrees of freedom. D. Seral Test (Two-Bt Test) The purpose of ths test s to determne whether the number of occurrences of 00, 01, 10, and 11 as subsequences of s are approxmately the same, as would be expected for a random sequence. Let n0, n1 denote the number of 0 s and 1 s n s, respectvely, and let n00, n01, n10, n11 denote the number of occurrences of 00, 01, 10, 11 n s, respectvely. Note that n00 + n01 + n10 + n11 = (n 1) snce the subsequence's are allowed to overlap. The statstc used s X 3 = 4 /n 1 (n n n 2 10+n 2 11) 2/n (n 2 0+ n 2 1) (4) Whch approxmately follows a α2 (ch-square dstrbuton) wth 2 degrees of freedom f n 21. Example We test the OTP codes that produce to one user for two tmes logn to the system. The randomness tests gven n the followng: User name: Rana2014 Password: myaccount123 E-mal: rana_rah@yahoo.com Phone no.: Key: 77ad4d0d33dd8954b3b3c4f ba6ae1fd fee e5cac Count: 7b4510c4ef07b198 OTP: 15821DC User name: Rana2014 Password: myaccount123 E-mal: rana_rah@yahoo.com Phone no.: Key: 716f6e 863f 744b9ac22c97ec7b76ea5f5908bc5b2f67c6 1510bfc ea7a Count: 8b4510c4ef07b198 OTP: B4 2. Tme to generate a sngle OTP The tme to generate the OTP s governed only by the algorthm to generate the dgest. Ths tme s almost constant over the length of the OTP generated. Theaverage tme for 381

10 generaton of OTP was foundto range from ( ) second for OTP of sze OTP Entropy Entropy defne as lack of order or predctablty; gradual declne nto dsorder. Hgher OTP entropy the less predctable OTP patterns, so the stronger and more secure OTP [16]. Ths s a smple equaton to demonstrate OTP entropy: H total bnary bts of entropy L length of your password N number of possble symbols n password H = L * log 2 (N).. (5) Here below Table (1) Shows the Entropy of the generated OTP codes. Table (1) OTP Entropy Characters Equaton Bts Passwords 8 8 * log 2 (16) CONCLUSIONS 1. OTP generaton algorthms typcally make use of pseudo randomness or randomness. Ths s necessary because otherwse t would be easy to predct future OTPs by observng prevous ones. 2. If users lost ther pervous password then there s no need to worry for them because OTP gves them a new password for each sesson. 3. OTP prevents user d from replay or eaves droppng attack. 4. In ths work the proposed method for generatng the OTP was mplemented and tested, In future more work should be done on how to provde more securty n ths approach. REFERENCES [1]Josang and G. Sanderud, Securty n Moble Communcatons: Challenges and Opportuntes, n Proc. OfThe Australasan Informaton Securty Workshop Conference on ACSW Fronters. [2] E.Kalakavta,Julana Gnanaselv, Secure Logn Usng Encrypted One Tme Password (OTP)and Moble Based Logn Methodology, Department of Informaton Technology,Rathnam College of Arts and Scence College,2013. [3] B. Rajkumar, C. Yeo, S. Venugopal, S. Malpan, Cloud computng and Emergng IT platforms: vson, hype, and realty for Delverng Computng 5 th utlty, Future Generaton Computer Systems, [4] Asha, S., Chellappan, C., Authentcaton of E-learners Usng Multmodal Bometrc Technology, Department of Computer Scence Engneerng, Anna unversty, Chenna, IEEE,

11 [5] Fad Aloul, Syed Zahd Two Factor Authentcaton Usng Moble Phones, College of Informaton Technology, UAE Unversty. [6] George Sadowsky James X. Dempsey Alan Greenberg Barbara J. Mack Alan Schwartz, Informaton Technology Securty Handbook, Washngton, [7] Markus Johnsson,A.S.M. Faruqe Azam, Moble s and RC4 Encrypton for Cloud Computng, Master Thess, School of Informaton Scence, Computer and Electrcal Engneerng, Halmstad Unversty, [8] Young Sl Lee, Hyo Taek Lm, HoonJae Lee, A Study on Effcent OTP Generaton usng Stream Cpher wth Random Dgt, Advanced Communcaton Technology (ICACT), IEEE, [9] Hmka Parmar, Nancy Nanan, SumayaThaseen, Generaton of Secure One-Tme Password Based on Image Authentcaton,Computer Scence & Informaton Technology, VIT Unversty, Inda, [10] Vshal Paranjape,Vmm Pandey, An Approach towards Securty n Prvate Cloud Usng OTP, Internatonal Journal of Emergng Technology and Advanced Engneerng (IJETAE),Volume 3, Issue 3, March [11] Matthew Allan Ezell, A Framework for Federated Two-Factor Authentcaton Enablng Cost-Effectve Secure Access to Dstrbuted Cybernfrastructure, Master thess, Unversty of Tennessee, Knoxvlle. [12] RohtTolan, Anjal Yeole, SachnGavhane, An HOTP Based Algorthm to Enhance W-F Securty, Department of Computer Engneerng, V.E.S.I.T, [13] Pro. Xaoyun Wang and her assocates, SHA1 Broken,Tsnghua Unversty and Shandong Unversty of Technology,(Onlne) [14] Robert B Daves, Exclusve OR (XOR) and Hardware RandomNumber Generators, [15] J K M SadqueUzZaman,RanjanGhosh, A Revew Study of NIST Statstcal Test Sute: Development of an ndgenous Computer Package, Insttute of Rado Physcs and Electroncs, Unversty of Calcutta. [16] Jacob Ncholson Password Strength and Securty, 2014,(Onlne) 383