OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance: Current Landscape and Trends

Transcription

1 WP WP ActivIdentity OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 1 WHITE PAPER OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance: Current Landscape and Trends Executive Summary This paper will analyze the current landscape of One Time Password (OTP) and Challenge-Response algorithms. It will detail the technical and security differences between algorithms such as the OATH algorithms (HOTP, OCRA, HOTP time based), EMV CAP and the proprietary algorithms from ActivIdentity. The paper describes the most common use cases and applicability as important tools for identity assurance in the financial and e-government industry sectors. It also outlines observed trends in current usage and future trends providing the audience with the valuable information to make a more informed choice in their identity assurance challenges.

2 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 2 Table of Contents Executive Summary Anatomy of OTP algorithms What is a one-time password (OTP) OTP moving factor analysis Time only based algorithms Event only based algorithms Time and Event algorithms (combines best of above) OTP algorithm analysis OTP algorithms using asymmetric cryptography OTP algorithms using symmetric cryptography. 4 OTP authenticaion how it works History and evolution of OTP algorithms. 5 Traditionally - proprietary. 5 Emerging - based on Industry standard (Financial Services) Recently - Open and Royalty free (OATH) Evolution of use case and form factor. 7 Why is OTP still relevant? There are other interaction channels than the internet Advantages of OTP Algorithm comparison. 9 ActivIdentity algorithm family EMV CAP algorithm family OATH algorithm family Algorithm comparison matrix Trends Conclusion References. 15

3 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 3 Anatomy of OTP algorithms Before delving into the history and differences between the various OTP algorithms lets start with the basics. This will allow the understanding of where the differences lie between algorithms and how they impact security and usability. What is a one-time password (OTP) A code that changes after every use, can only be used once, hence is a onetime-password, or OTP. An OTP is based on a cryptographic algorithm using a key K a cryptogram is generated Cryptogram = f(k) Computing the cryptogram with other, moving factors makes the output random and one time: Counter - increased with each usage (also called event) and/or Time number of time intervals (e.g. seconds) Cryptogram = f(k,c,t) A truncation function makes it short and human readable: OTP = Truncate (f(k,c,t)) OTP moving factor analysis The moving factors used to make the password one-time have implications both for the usage and the security of the overall OTP algorithm: Time only based algorithms the OTP changes based on time-interval (e.g. every 30 seconds) the OTP has a time to live (e.g. can be used within next 2 minutes) the OTP is harder to phish because it must be used within the time to live

4 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 4 it is not possible to generate a new OTP within the same time interval (e.g. user needs to wait for next interval -> up to 30 seconds) needs replay protection on the server since a simple algorithm would successfully validate attempts with the same OTP within the same time interval Event only based algorithms the OTP can be requested at any time (no need to wait for time interval to pass) the OTP can be used at any time after being produced = no time to live easier to phish since phisher does not need to use the OTP within a time to live but can harvest the passwords and use them later Replay protection is simply based on forward moving counter only Time and Event algorithms (combines best of above) the OTP has a time to live (e.g. can be used within next 2 minutes) the OTP can be requested at any time (no need to wait for time interval to pass) the OTP is harder to phish because it must be used within the time to live Replay protection is simply based on forward moving counter only Needs more complex auto-resync (2 moving factors instead of 1 that could go out of sync between the server and the device) OTP algorithm analysis Let s look more closely at what cryptographic algorithms can be used to generate OTPs: OTP algorithms using asymmetric cryptography Because of the nature of asymmetric keys the verifier will need the complete signature to be able to validate it. The length of PKI signatures depend on the length of the key used so for example: RSA 1024 = 1024 bits long = 128 bytes long = not easy to type This makes the use of asymmetric algorithms less suitable for OTP algorithms, they could be used in situations where there is no human involved when transcribing the OTP for transmission to the validation server, for example in an OTP device that is connected via the USB port to a laptop. OTP algorithms using symmetric cryptography The nature of symmetric key cryptography means that the same Cryptogram can be regenerated by the verifying party and only part of the cryptogram (the truncated bit) can be compared. This means that an arbitrary length of the cryptogram can be used as the OTP making it short and easy to type. Historically all well known OTP algorithms are based on symmetric key cryptography.

5 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 5 OTP authenticaion how it works Figure 1: OTP algorithm in action History and evolution of OTP algorithms Traditionally proprietary Traditionally strong authentication algorithms using OTP were invented by private companies and their use immediately protected via patents. One of the best known such algorithms is SecurID, invented in the U.S.A. by the company Security Dynamics, then acquired by RSA, now part of EMC. Initially these technologies were used to protect the network as part of authenticating a user strongly for access to the enterprise. The same problem was solved independently on the old continent by companies such as ActivCard (now re-branded to ActivIdentity) out of France, now headquartered in Fremont California and later by Vasco (Belgium) now headquartered in Zurich. With the emergence of Internet based financial services, the need to protect those services became crucial and the same algorithms and technologies were used. Furthermore the requirement to protect specific transactions brought the emergence of challenge/response and Symmetric Key Signature (MAC over several parameter) algorithms. Emerging based on Industry standard (Financial Services) The Europay MasterCard Visa Chip Authentication Program (EMV/CAP) is a set of specifications that detail the use of existing device technology [Mas04] (EMV compliant smartcard with unattached reader) for the use of consumer authentication for cardholder not present services e.g. internet based.

6 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 6 The specifications detail: A one time password algorithm A handheld reader A validation service In 2003 MasterCard CAP was harmonized with an equivalent standard from the UK s Association of Payment and Clearing Services (APACS). APACS is currently developing a new specification which refines the user interface model for a handheld reader. This specification makes no proposed changes to the algorithm or validation service. The EMV CAP specification seeks to leverage the extensive deployments of EMV chip based debit and credit cards, by expanding their use to include strong authentication and simple transaction signatures. MasterCard CAP can also be used for transaction verification, either through forcing a re-authentication or more effectively through a Challenge/Response mechanism. To use EMV for authentication requires the use of a Hand Held Device (HHD) that generates a One Time Password from the EMV card application (after correct PIN entry); The resulting Cryptogram can be used for authentication to access and manage accounts held by the cardholder or during cardholder not present payments. As with other OTP technologies the model is suitable for use over the internet or other channels such as a call-centre. Another benefit of the EMV CAP model is that the PIN used to activate the card is typically the same as the PIN that is already used with the card, for example to access ATM based services. This has the advantage that the customer is not required to remember an additional secret, and the infrastructure for PIN issuance and reset is already in place. Visa, aside from a few minor changes to the standard, have adopted the MasterCard CAP specification, thus enabling re-use of CAP readers for Visa members. In Visa terminology, CAP is referred to as Dynamic Passcode Authentication DPA. The focus of this paper will hence treat the two as common under EMV CAP. Currently EMV CAP is being deployed by major financial services institutions in the UK, Netherlands and France as an authentication mechanism for their retail customer base.

7 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 7 Recently Open and Royalty free (OATH) The Initiative for open authentication [OATH] is an industry consortium launched in 2004 and now grown to almost 100 members. OATH was formed after analysis of the existing algorithms for one time passwords suitable for a strong authentication ecosystem showed that they were all proprietary and from competing companies. OATH therefore endeavoured to create a royalty and patent free algorithm based on HMAC. This algorithm was submitted as a draft to IETF and has now become an RFC [RFC4226]. Based on the work done for RFC4226, OATH realised that some applications require an algorithm that is based on a challenge response mechanism, hence a new draft has been submitted to the IETF as OATH Challenge Response Algorithm [OCRA]. Additionally the interest in a royalty free, time based OTP algorithm was growing and the community asked OATH to produce one. In 2008 the first version of the time based OTP, TOTP, specification [TOTP], based on RFC4226 was submitted to IETF. All OATH algorithms, being royalty free and easily embeddable bode well for a very wide adoption. Evolution of use case and form factor Together with the evolution of the algorithms themselves there has been an evolution of the use cases and applications of the technology. Especially since the launch of the royalty free algorithms the number of implementations has flourished in diverse form factors. The following is an attempt to show a timeline combining both use case and form factor evolution: Figure 2: Evolution of use case and form factors in OTP devices

8 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 8 Why is OTP still relevant? There are other interaction channels than the internet When considering phishing and online fraud attacks it is important to consider all interaction channels a user has, some of these channels are often overlooked in phishing analysis that focuses only on the internet channel: Figure 3: Possible user interaction channels Additionally from a user and support perspective it is highly desirable to have the same mechanism to protect all channels, but not all strong authentication mechanisms can be used across all interaction channels. The following matrix provides an analysis of commonly used strong authentication mechanisms and how applicable they are for each channel: Figure 4: Strong authentication mechanisms applicability by interaction channel

9 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 9 As one can see OTP still is one of the most applicable strong authentication mechanisms across all potential interaction channels Advantages of OTP Can be used on existing non PKI enabled network access devices (VPN) Can be implemented in a tamper evident non hackable device (e.g. Token or smart card) No client install needed Often does not require change of access interface Username/Password - > Username/OTP Simple to use (user interaction) Long life devices (up to 6-9 years) Tried and tested Modest infrastructure requirements Truly multi-channel Can be used over phone/ivr Algorithm comparison This section will go into the technical detail of the algorithms and give the audience the information to compare them from an application and security angle. The type defines the type of algorithm: OTP One time Password C/R Challenge Response MAC Symmetric Signature of more then one parameter

10 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 10 ActivIdentity algorithm family Type Characteristics Analysis OTP C/R MAC Algorithm 3DES Time AND Event Based or Event only based Auto-synchronisation digits within OTP (almost no synchronisation issues) Algorithm ANSI X9.8 Fixed response for any give challenge 3DES Time AND Event Based Up to 10 parameters Table 1: Analysis of the ActivIdentity algorithm family. the OTP has a time to live (e.g. can be used within next 2 minutes) the OTP can be requested at any time (no need to wait for time interval to pass) the OTP is harder to phish because it must be used within the time to live Replay protection is simply based on forward moving counter only Auto sync mitigates the issue of resync (2 moving factors instead of 1 that could go out of sync) The response has no time to live. The validation server needs to provide a timing mechanism between the issuance of a challenge and return of the response The response is the same for the same challenge, susceptible to attacks where a previous challenge/response pair is known, on the other hand a fixed response for a specific challenge aids in non repudiation cases the MAC has a time to live (e.g. can be used within next 2 minutes) the MAC can be requested at any time (no need to wait for time interval to pass) the MAC is harder to phish because it must be used within the time to live Replay protection is simply based on forward moving counter only Auto sync mitigates the issue of resync (2 moving factors instead of 1 that could go out of sync) Form factors: Tokens and Smart Card Applet Industry: Enterprise Business to Employees (B2E), Financial Services Business to Employees and Business to Consumer (B2C)

11 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 11 EMV CAP algorithm family Type Characteristics Analysis OTP C/R MAC Algorithm 3DES specified in CAP functional spec Only Event Based Auto-synchronisation digits within OTP (less synchronisation issues) Algorithm 3DES Event based (different response for same challenge) 3DES Event Based Challenge, Amount and Currency or up to 10 parameters the OTP can be requested at any time (no need to wait for time interval to pass) the OTP can be used at any time after being produced = no time to live easier to phish since phisher does not need to use the OTP within a time to live but can harvest the passwords and use them later Replay protection is simply based on forward moving counter only Auto sync mitigates the issue of resync (2 moving factors instead of 1 that could go out of sync) The response has no time to live. It is the validation server that needs to provide a timing mechanism between the issuance of a challenge and when the response returns The response changes even with the same challenge which prevents previous known challenge/response pair attacks but could create issues during non-repudiation the MAC has a time to live (e.g. can be used within next 2 minutes) the MAC can be requested at any time (no need to wait for time interval to pass) the MAC is harder to phish because it must be used within the time to live Replay protection is simply based on forward moving counter only Auto sync mitigates the issue of resync (2 moving factors instead of 1 that could go out of sync) Table 2: Analysis of the EMV CAP algorithm family. Form factor: Smart card applet with unconnected reader, mobile applet coming Industry: Financial Services (B2C Business to Consumer), Emerging in Government for G2E and G2C

12 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 12 OATH algorithm family Type Characteristics Analysis OTP OTP C/R MAC HOTP RFC 4226 Algorithm HMAC-SHA1 Event only No synchronisation digits within OTP Time based HOTP Algorithm HMAC-SHA1 Time only No synchronisation digits within OTP OATH Challenge Response algorithm (OCRA) Algorithm HMAC- SHA1, HMAC-SHA256, HMACSHA512 Event OR Time Handled by OCRA (see above) the OTP can be requested at any time (no need to wait for time interval to pass) the OTP can be used at any time after being produced = no time to live easier to phish since phisher does not need to use the OTP within a time to live but can harvest the passwords and use them later Replay protection is simply based on forward moving counter only the OTP changes based on time-interval (e.g. every 30 seconds) the OTP has a time to live (e.g. can be used within next 2 minutes) the OTP is harder to phish because it must be used within the time to live it is not possible to generate a new OTP within the same time interval (e.g. user needs to wait for next interval -> up to 30 seconds) needs replay protection on the server since a simple algorithm would successfully validate attempts with the same OTP within the same time interval The response changes even with the same challenge which prevents previous known challenge/response pair attacks but could create issues during non-repudiation The response has a time to live when time is used Very flexible via algorithm suite and optional input like time or event Same as OCRA (see above) Table 3: Analysis of the OATH algorithm family. Form factors: Tokens, Smart Card Applet, Display Card, Soft Tokens (mobile) Industry: Financial Services B2C (Business to Consumer), Enterprise B2E, (Business to Employee)

13 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 13 Algorithm comparison matrix OATH HOTP RFC4226 OATH Challenge Repsonse OCRA OATH Time based TOTP EMV CAP/ DPA AI Vasco RSA Algorithim HMAC- SHA1 HMAC- SHA1 HMAC- SHA256 HMAC- SHA512 HMAC- SHA1 3DES 3DES 3DES AES Moving Factors Truncation Counter Dynamic based on last digit of cryptogram Counter (optional) Time (optional) Dynamic based on last digit of cryptogram Time Counter Counter & Time Dynamic based on last digit of cryptogram Based on mask on the card Fixed Counter & Time Fixed Auto-Sync N N N Y Y Y N OTP Y Y Y Y Y Y Y C/R N Y N Y Y Y Y Sign (MAC) N Y N Y Y Y Y Time Figure 5: Algorithm comparison matrix Trends Currently it is possible to observe the following trends in the use of OTP: OTP authentication being rolled out by financial institutions to retail customer base is prevalently tokens, with EMV CAP cards gaining market presence. Economies of scale are starting to make a difference for EMV CAP Government looking at EMV CAP as means for large scale B2E and G2C authentication to ride on issuance of card readers from financial institutions Government looking at online EMV CAP authentication to provide proof of consent for access to centralised government database repositories OATH tokens starting to become a viable alternative especially now that time based algorithm has been published Proprietary algorithms such as ActivIdentity and Vasco still have a slight edge in security and usability (e.g. Time AND Event based and sophisticated re-sync digits within OTP)

14 OTP and Challenge/Response Algorithms for Financial and e-government Identity Assurance P 14 Mobile tokens re-gaining market interest but still not breaking into mass mainstream deployment New application and form factors such as DisplayCard and client less USB make use of this technology easier and more economical to deploy Emergence of managed service offerings in the OTP authentication (BT, VeriSign) Conclusion OTP authentication has come a long way from the proprietary offerings of its infancy. Especially the OATH algorithms have made implementation easier, more cost effective and in more form factors as before. Although other forms of stronger authentication have gathered pace and the era of functionally working PKI authentication without complex client install is upon us, there is still a strong argument for OTP especially where access to resources over non internet channels is required (e.g. retail banking). As demonstrated above there are some differences both in security and usability between the different algorithm offerings. Although proprietary offerings have still an advantage, the OATH time based algorithm brings a royalty free option with levels of security previously reserved to the proprietary ones. More vertical markets are leveraging the technology experience of other verticals, such as the emergence of OTP in the Government to Citizen market, leveraging the financial services Business to Consumer experience. Additionally new form factors such as the DisplayCard are finally bringing the usability difference that made a pure token offering undesirable in certain deployments. This makes OTP, far from an old technology, one of the best choices to strengthen the authentication beyond the password, especially in a multichannel environment.

15 References [OATH] OATH, Initiative for Open Authentication, [RFC4226] IETF, HOTP: An HMAC-Based One-Time Password Algorithm, [OCRA] IETF, OCRA: OATH Challenge-Response Algorithms, [TOTP] IETF, TOTP: Time-based One-time Password Algorithm, [Mas04] MasterCard International Incorporated, Chip Authentication Program - Functional Architecture, September 2004 About ActivIdentity Americas US Federal Europe +33 (0) Asia Pacific +61 (0) info@actividentity.com Web ActivIdentity Corporation is a global leader in intelligent identity assurance, providing solutions to confidently establish a person s identity when interacting digitally. For more than two decades the company s experience has been leveraged by security-minded organizations in large-scale deployments such as the U.S. Department of Defense, Nissan, and Saudi Aramco. The company s customers have issued more than 100 million credentials, securing the holder s digital identity. ActivIdentity is headquartered in Silicon Valley, California. ActivIdentity is part of HID Global, an ASSA ABLOY Group brand. For more information, visit Copyright 2010 ActivIdentity. All rights reserved. ActivIdentity, ActivID, ActivIdentity SecureLogin, ActivClient, and 4TRESS are trademarks of ActivIdentity. All other trademarks, trade names, service marks, service names, and images mentioned and / or used herein belong to their respective owners. DS0611V01