OTP-Based Two-Factor Authentication Using Mobile Phones
1 Center of Excellence in Information Assurance (CoEIA), King Saud University, Saudi Arabia; 2 Information Systems Department, College of Computer and Information Sciences, King Saud University, Saudi Arabia.
meldefrawy@ksu.edu.sa (1), kalghathbar@ksu.edu.sa (1, 2), mkhurram@ksu.edu.sa (1)
Abstract: Two-factor authentication (2FA) provides improved protection, since users are prompted to provide something they know and something they have. This method delivers a higher level of authentication assurance, which is essential for online banking security. Many banking systems have satisfied the 2FA requirements by sending a One Time Password (OTP), something possessed, through an SMS to the user's phone device. Unfortunately, international roaming and SMS costs and delays put restrictions on this system's reliability. This paper presents a novel two-factor authentication scheme whereby a user's device produces multiple OTPs from an initial seed using the proposed production scheme. The initial seed is produced by the communication partners' unique parameters. Applying the many-from-one function to a certain seed removes the requirement of sending SMS-based OTPs to users, and reduces the restrictions caused by the SMS system.
Keywords: one time password; nested hashing chain; two-factor authentication; online banking authentication.
I. INTRODUCTION
Online banking requires strong user authentication. User authentication is often achieved by utilizing a two-factor authentication technique based on something the user knows, i.e., a static password, and something the user has, i.e., an OTP. The major advantage of involving a mobile phone is that most users already have mobile phones, and therefore no extra hardware token needs to be bought, deployed, or supported. The traditional system [1] works by sending an OTP over an SMS to a user who wants to make an online transaction. However, this two-factor authentication system suffers from the following shortcomings:
A. SMS Cost
During every login request or transaction process, it is necessary to send an SMS-OTP from the bank to the user. This, in turn, will be costly to the bank, considering the statistics of banks' transactions [2], [3].
B. SMS Lateness
The SMS transmission delay represents one of the major limitations of the traditional system [3].
C. International Roaming
Travelling overseas creates restrictions on the SMS services. Turning off the roaming service will prevent the bank from sending the SMS-OTP, which, in turn, stops the user from resuming any further processes.
D. SMS Security
It can be said that the GSM system was designed with all security measures in mind, but as time passed and algorithms were cracked by hackers [4], SMS-OTP based systems were not kept secure. Accordingly, new solutions for mobile telephony subscribers have been proposed. One of these utilizes backward hash chains to generate an OTP for authentication purposes. This solution, however, generally requires intensive computation by the client's device, which typically has limited computational resources. Additionally, there is a restriction in the length of the chain. Another solution suggests the utilization of signature chains to address the chain length restriction by involving public key techniques. This technique, however, also increases computation costs. Moreover, time-synchronized OTP systems, which are typically based on an internal clock synchronized with a main server, are not applicable for mobile phones. In addition, due to the general nature of mobile phones (e.g., out of network, etc.), such synchronization cannot typically be guaranteed.
To overcome the restrictions discussed above, this paper will discuss OTP production in the forward direction. This production will completely eliminate the mentioned limitations. Our idea is to produce multiple OTPs from an initial seed in a parallel process with the service provider itself, e.g., an online bank, by utilizing two different types of hash functions, which come with a nested chain. The resulting chain provides forwardness and infiniteness.
The rest of this paper is organized as follows: Section 2 discusses the related work, Section 3 proposes our new algorithm, Section 4 analyzes the security attributes, Section 5 assesses our scheme's performance, and finally Section 6 concludes the paper.
II. RELATED WORK
The idea of an OTP was first suggested by Leslie Lamport [5] in the early 1980s. The OTP principle emphasizes that each time the user tries to log on, the algorithm produces pseudorandom output, thus improving the security. Thus, to avoid replay attack vulnerability, an OTP is a password that is only valid for a single login session or transaction.
978-0-7695-4367-3/11 $26.00 2011 IEEE DOI 10.1109/ITNG.2011.64
A. The S/Key OTP System
The S/KEY [6] one-time password authentication system uses a computation to generate a finite sequence of single-use passwords from a single secret seed. The security is entirely based on this seed, which is known only to the user. The single-use passwords are related in a way that makes it computationally intractable to compute any password from the preceding sequence. This involves applying a hash function $h()$ $N$ times to a seed $s$ to form a hash chain of length $N$:
$h^{1}(s),\ h^{2}(s),\ \ldots,\ h^{N-1}(s),\ h^{N}(s)$  (1)
$\mathrm{Challenge}(t) = N - t$  (2)
$\mathrm{OTP}_t(s) = h^{N-t}(s),$  (3)
and the host authenticates the user by checking that the following equality holds:
$h(\mathrm{OTP}_t(s)) = h^{N-t+1}(s),$  (4)
system's password file from the previous $(t-1)$th authentication. After any successful authentication, the system password file is updated with the OTP that was saved before the host system's final hash execution as $h^{N-t}(s)$. In this case, the host then increments $t$ by one and sends a new challenge to the user for the next authentication. This scheme is constrained to a certain number of authentications $N$, so that after reaching $N$ authentications, a process restart is required. In addition, it has a vulnerability because an opponent, impersonating the host, can send a challenge with a small value to the user, who responds with the hash chain initial values, which allow the intruder to calculate further OTPs [7]. This attack can be referred to as a small challenge attack. In addition, the user computational requirements are high during the calculations for the chain's initial values, which makes the system unsuitable for devices with limited resources, i.e., mobile phones.
B. Bicakci et al.'s Scheme
The infinite length hash chains (ILHC) proposed by [8] use a public-key algorithm, $A$, to produce a forward and infinite one-way function (OWF). This OWF is the OTP production core. Bicakci et al. proposed a protocol using RSA [9], where $d$ is the private key and $e$ is the public key. The OTP originating from initial input $s$ using the RSA public-key algorithm for the $t$th authentication is:
$\mathrm{OTP}_t(s) = A^{t}(s, d),$  (5)
and the verification of the $t$th OTP is done by decrypting $\mathrm{OTP}_t(s)$ using $e$,
$A(\mathrm{OTP}_t(s), e) = \mathrm{OTP}_{t-1}(s).$  (6)
Increasing the number of cascaded exponentiations increases the computational complexity, making this algorithm very difficult to implement in limited computation devices, e.g., mobile phones.
RSA SecurID utilizes a token [10], which could be hardware or software, with an internal clock synchronized with a main server. Each token is uploaded with a unique seed, which is used to generate a pseudo-random number. An OTP is generated using this token every 60 seconds as an output of a mathematical operation considering the current time stamp and the loaded seed. The same synchronized process occurs at the server side in a parallel way. Each user uses the produced OTP along with his corresponding PIN, only known to him, to authenticate himself to the server side. Due to the general nature of mobile phones, such synchronization cannot typically be guaranteed.
III. OUR APPROACH
We have extended Lamport's idea with some modifications in order to produce infiniteness and forwardness, avoiding the use of public key cryptography. A shortfall in those two parameters, infiniteness and forwardness, causes the several vulnerabilities shown with respect to the related work. Thus, we need to integrate Lamport's scheme using two different one-way hash functions, $h_A()$ and $h_B()$, one for the seed updating and the other for the OTP generation, as shown in Fig. 1.
$\mathrm{OTP}(x, y) = h_B^{y}\left(h_A^{x}(\mathit{seed})\right), \quad x: 1 \to \infty,\ y: 1 \to \infty$  (7)
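The nested chain of equation (7), combined with the status-based seed synchronization and challenge check that the paper describes in its login phase and numerical illustration, as an added Python example (not code from the paper). It substitutes SHA-256 and SHA3-256 for the paper's SHA-1 and MD5 candidates; the class names, the range m, the rule that the seed advances by x after each response, and the server's refusal of a non-increasing status are assumptions.

```python
import hashlib
import hmac
import secrets

H_A, H_B = "sha256", "sha3_256"  # assumption; the paper suggests SHA-1 and MD5

def chain(name, data, n):
    """Cascade the hashlib algorithm `name` over `data` n times."""
    for _ in range(n):
        data = hashlib.new(name, data).digest()
    return data

def otp(seed, x, y):
    """Equation (7): h_B applied y times to h_A applied x times to the seed."""
    if x < 1 or y < 1:
        raise ValueError("x and y must both be at least 1")
    return chain(H_B, chain(H_A, seed, x), y).hex()

class Client:
    """Phone-side generator holding the current seed and its status."""
    def __init__(self, s_int, status=0):
        self.seed, self.status = chain(H_A, s_int, status), status

    def respond(self, x, y):
        code = otp(self.seed, x, y)
        # Assumption: the seed moves x steps along the h_A chain after each
        # response, so a repeated challenge never yields the same OTP.
        self.seed, self.status = chain(H_A, self.seed, x), self.status + x
        return code

class Server:
    """Host side: keeps s_int and the highest status it has accepted."""
    def __init__(self, s_int, m=16):
        self.s_int, self.m, self.last_status = s_int, m, -1

    def challenge(self):
        # Unpredictable, uniformly distributed indexes in 1..m.
        return 1 + secrets.randbelow(self.m), 1 + secrets.randbelow(self.m)

    def verify(self, status, x, y, code):
        if status <= self.last_status:  # assumption: status only grows
            return False
        s_crt = chain(H_A, self.s_int, status)  # synchronize with the client
        ok = hmac.compare_digest(otp(s_crt, x, y).encode(), code.encode())
        if ok:
            self.last_status = status
        return ok

# Constructed input: the seed, status 17 and challenge (3, 4) of the
# paper's numerical illustration.
S_INT = b"1234567891234561234567891234507012010200259"

def demo():
    client, server = Client(S_INT, status=17), Server(S_INT)
    code = client.respond(3, 4)
    return server.verify(17, 3, 4, code), server.verify(17, 3, 4, code)
```

Because the server performs as many h_A steps as the reported status, a deployment would also bound how far ahead of the last accepted status a client may claim to be.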
In addition, we have the ability to implement this approach in a 3D fashion by utilizing three different hash functions, $h_A()$, $h_B()$, and $h_C()$, as shown in Fig. 2.
Figure 1. One time password generation considering a nested hash chain of two different hashes, $h_A()$ and $h_B()$ (panels (a) and (b)).
A. Registration Phase
The user gets the two different hash functions, $h_A()$ and $h_B()$, and an initial seed, $s_{int}$, established on his mobile phone. To ensure that the information is completely shared with the service provider, the seed is produced by the shared and unique parameters of the host and user, e.g., the International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and registration date.
B. Login and Authentication Phase
This section will discuss the login and authentication process between the user and service provider. The steps below are shown in Fig. 3.
1. The user logs in to the service provider's website, e.g., an online bank, requesting access. As a response to this access request, a secure session is established, i.e., an SSL session, allowing the user to enter his authentication privileges, i.e., user name and password, the first factor of authentication, what the user knows. Also, the user provides the server with his OTP's current status. The current status allows the server to synchronize its seed with the client's current seed to get the same seed value on both sides before sending a challenge.
2. The server randomly challenges the user with new indexes. The user enters those indexes in his OTP generator to get the corresponding OTP.
3. The user responds with this corresponding OTP. The server compares the received OTP with the calculated one.
4. According to the server check, done in the previous step, the server will transfer an authorization execution or a communication termination.
Figure 3. The framework operation for the user side OTP generation by the utilization of two different hash functions.
C. Numerical Illustration
Through the registration process, the user gets two different hash functions, e.g., $h_A()$, which could be SHA-1
[11], and $h_B()$, which could be MD5 [11], along with an initial seed, $s_{int}$, as the concatenation of the IMEI, IMSI, and registration time, which could be 1234567891234561234567891234507012010200259 assuming IMEI is 123456789123456, IMSI is 12345678912345, and the registration time is 7/1/2010 20:02:59. After logging into the service provider's website using a different and static username and password, the first factor of authentication, the server asks the user for the OTP's current status. If the user has generated numerous OTPs without using them, he might have reached an OTP status of, for example, 17. The user will submit his current status to the server to allow the server to calculate the current seed $s_{crt} = h_A^{17}(s_{int}) = 1220848648030773785924867285680707842195071405780$, which means that the server has calculated seventeen cascaded hashes of its initial seed $s_{int}$, using the SHA-1 algorithm, to be synchronized with the client. After that the server sends a random challenge value of new indexes, e.g., $x, y = 3, 4$, which means the user has to calculate his session OTP using this formula: $\mathrm{OTP} = h_B^{4}\left(h_A^{3}(s_{crt})\right) = 68606061177919188523363813602016333158$. The server has to calculate the same value in a parallel process, and as soon as the client responds, the server will match the two values to give either a yes or no. In this illustration, we did not cover the conversion from digits, the hashing output, to characters, the password format, considering the human interface. The second hash function $h_B$ allowed us to go in the forward direction by protecting the produced chain by $h_A$. Also, as indicated in (7), it is not admissible for $x$ or $y$ to be equal to 0.
IV. SECURITY ANALYSIS
The proposed scheme can resist an off-line guessing attack because it uses strong passwords produced from strong hash functions. Moreover, replaying reusable passwords is restricted by encoding passwords to be used one time. However, it is necessary to prevent another token from becoming an OTP generator for the same user [12]. A manual process should handle this situation. In this section, we will briefly give a security assessment of our proposed scheme.
A. Pre-Play Attack
Unless the challenge is protected, a type of suppress-replay attack, known as a pre-play attack, becomes possible [13]. Consider that an intruder, who is able to predict the next challenge, wishes to impersonate the user to the service provider. The intruder takes the service provider role, by impersonating it to the user, and asks the user to authenticate itself. The intruder chooses the next challenge that will be chosen by the service provider when authenticating the user. The challenge's response sent by the user is memorized by the intruder. Then, at some future time, the intruder can impersonate the user to the service provider, using this memorized response. Our proposal allows the service provider to challenge the user with unpredictable uniformly distributed values of $x$ and $y$. If we suppose that $x$ and $y$ can take one value of forward $m$ values, the probability of successfully guessing a challenge will be the joint probability of $x$ and $y$, which is equal to
seeds, because the intruder will be faced with the necessity of breaking the second hash function, $h_B()$.
B. Forgery Attack
To mount a forgery attack on the proposed scheme, an adversary must generate an OTP corresponding to a given challenge. Since the adversary doesn't know $s_{int}$, he can't correctly update the session OTP for acceptance by the host. Hence, the proposed scheme can resist the forgery attack. It is also necessary to have tight control over the transition from an old OTP generator to a new one [12], [14], [15].
C. Insider Attack
If a host insider tries to impersonate the user to access other hosts using the shared OTPs between them, s/he will not be able to do so because the cooperation of the OTP's seed fabrication between this user and the different hosts is strong. This seed is produced by the shared and unique parameters of each host and each user. Furthermore, as the OTP production, using two different types of strong hashes, $h_A()$ and $h_B()$, is strong, the host insider can't derive these OTPs by performing an off-line guessing attack on what he has received.
D. Small Challenge Attack
Attacks based on sending small challenges by intruders who impersonate the communication host only affect the backward hash chains' OTPs. Our scheme uses forward hashing techniques, which eliminates this type of attack completely.
E. Reparability
If the user finds or suspects that his seed has been compromised, e.g., token theft, he can re-register with the host and agree upon new seeds, but this must be done manually.
V. PERFORMANCE ASSESSMENT
The performance evaluation considers the computational cost from the user side. Considering the $t$th authentication login time, the utilization of the S/KEY [6] will cost the user a number of $N - t$ hash operations, where $N$ is the defined chain length. Bicakci's scheme [8] has the lowest number of steps, utilizing just one chain step; the price of this benefit is the use of public key cryptography to produce the signature chain. However, time based algorithms have to guarantee an internal clock synchronized with a main server. Our approach costs the user $x + y$ hash operations, which is very cheap compared with the number of $N - t$ hashes. Our approach doesn't involve public key techniques, and has no need of utilizing time synchronization.
VI. CONCLUSIONS
A new two-factor OTP-based authentication scheme has been proposed using mobile phones as they are becoming more and more powerful devices. This new algorithm provides forward and infinite OTP generation using two nested hash functions. We have illustrated our approach to an online authentication process. This scheme achieves better characteristics than the other schemes discussed above. Our proposal is not limited to a certain number of authentications, unlike the previously-mentioned OTP hashing-based schemes [5], [6], and does not involve computationally expensive techniques to provide the infiniteness like [8]. Our algorithm doesn't require a token with an embedded server-synchronized clock like [10]. Our approach eliminates the problems with utilizing OTPs with an SMS, consisting of the SMS cost and delay, along with international roaming restrictions like [1]. A detailed security analysis was also performed that covered many of the common types of attacks. The two-factor authentication property has been achieved without restrictions.
REFERENCES
[1] S. Hallsteinsen, I. Jorstad, D-V., Thanh, Using the mobile phone as a security token for unified authentication, Systems and Networks Communication. In: International Conference on Systems and Networks Communications, 2007, pp. 68-74.
[2] T. Laukkanen, S. Sinkkonen, M. Kivijarvi, P. Laukkanen, Management of Mobile Business, ICMB 2007, International Conference on the Digital Object Identifier, 2007, pp. 42-42.
[3] H. Wang, Research and Design on Identity Authentication System in Mobile-Commerce, In: Beijing Jiaotong University, 2007, pp. 18-50.
[4] S.M. Siddique, M. Amir, GSM Security Issues and Challenges, Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, 2006. SNPD 2006. 7th ACIS International Conference on Digital Object Identifier, pp. 413-418.
[5] L. Lamport, Password Authentication with Insecure Communication, In: Comm. ACM, vol. 24, No 11, 1981, pp. 770-772.
[6] N. Haller, The S/KEY One-Time Password System. In: Proceedings of the ISOC Symposium on Network and Distributed System Security, 1994, pp. 151-157.
[7] A. Chefranov, One-Time Password Authentication with Infinite Hash Chains. Novel Algorithms and Techniques, In: Telecommunications, Automation and Industrial Electronics, 2008, pp. 283-286.
[8] K. Bicakci, N. Baykal, Infinite length hash chains and their applications, In: Proceedings of 1st IEEE Int. Workshops on Enabling Technologies: Infrastructure for Collaborating Enterprises WETICE'02, 2002, pp. 57-61.
[9] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, In: Communications of the ACM, 1978.
[10] http://www.rsa.com/node.aspx?id=1156. [Accessed: October 04, 2010].
[11] A. Menezes, P. Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, Inc. 1997.
[12] L. Raddum, Nests, K. Hole, Security Analysis of Mobile Phones Used as OTP Generators, In: IFIP International Federation for Information Processing. 2010, pp. 324-331.
[13] C. Mitchell, L. Chen, Comments on the S/KEY user authentication scheme, In: ACM Operating System Review, vol. 30, No. 4, 1996, pp. 12-16.
[14] M. Khan, Fingerprint Biometric-based Self and Deniable Authentication Schemes for the Electronic World, In: IETE Technical Review, vol. 26, No. 3, 2009, pp. 191-195.
[15] M.H. Eldefrawy, M.K., Khan, K. Alghathbar, E.-S. Cho, Broadcast Authentication for Wireless Sensor Networks Using Nested Hashing and the Chinese Remainder Theorem, Sensors, 10(9): 2010, pp. 8683-8695.
[16] V. Goyal, A. Abraham, S. Sanyal, S. Han, The N/R one time password system, In: Proceedings of International Conference on Information Technology: Coding and Computing (ITCC'05), vol. 1, 2005, pp. 733-738.
[17] T. Yeh, H. Shen, J. Hwang, A secure one-time password authentication scheme using smart cards, In: IEICE Trans. Commun, vol. E85-B, No. 11, 2002, pp. 2515-2518.
[18] D. Yum, P. Lee, Cryptanalysis of Yeh-Shen-Hwang's one-time password authentication scheme, IEICE Trans. Commun, vol. E88-B, No. 4, 2005, pp. 1647-1648.