
A new one time password mechanism for client-server applications. (English) Zbl 1495.94091

Summary: OTPs (one-time passwords) are very important today in various applications such as financial transactions and e-commerce. They are used to enhance the security of data communication. Many security applications are based on the strength of the OTP. Any predictability in OTP generation can create serious threats to information security. Many new methods for OTP generation have been presented by researchers in the past decade. In this paper, we present a new authenticated OTP generation procedure between client and server. We also provide an illustration with a complete security analysis in order to prove its utility in various applications. Our procedure is very easy to implement and has embedded authentication and randomness.

MSC:

94A62 Authentication, digital signatures and secret sharing
