This presentation explains a brief history of One Time Password (OTP). One Time Password is a password that is valid for only one login session.

1. One time password
Mahdi Ataeyan
Website: www.ataeyan.com
Twitter: @kalpase

2. Please feel free to interrupt
me if you have questions!

3. Methods for authenticating people
● What you know (password)
● what you have (smart card)
● what you are (biometric sensors)

4. ● Cracked
● Stolen
● Guessed
● Lost
● difficult to manage or unmanageable
static password

5. What is otp?

6. Why?
● Cracked
● Stolen
● Guessed
● Lost
● manageable

7. bottleneck

8. Methods of generating the OTP
● Time­synchronized
● Mathematical algorithms
➢ based on the previous password
➢ based on a challenge

9. in other word
● Time­based authentication
● Event­based authentication
● Challenge­response­based authentication

10. based on the previous password
● s = seed
● f(s) = hash function
● f(f(f( .... f(s) .…)))
● f1000
(s) is stored on the target system
● p = f999
(s) # user's first login password
● f(p) = f1000
(s) #server can authenticate password
● The value stored in target replaced by p.
● p = f998
(s) #next login
● f(p) = f999
(s) #server can authenticate password

13. based on a challenge
● non­cryptographic protocols
➢Password
➢CAPTCHAs
➢copy protection challenges.
• Cryptographic techniques
➢Message authentication code

14. Challenge–response authentication
● Server sends a unique challenge value sc to the client
● Client generates unique challenge value cc
● Client computes cr = hash(cc + sc + secret)
● Client sends cr and cc to the server
● Server calculates the expected value of cr and ensures the client
responded correctly
● Server computes sr = hash(sc + cc + secret)
● Server sends sr
● Client calculates the expected value of sr and ensures the server
responded correctly

15. Examples of challenge­response
algorithms
● zero­knowledge password proof and key agreement systems
(such as Secure Remote Password (SRP))
● Challenge­Handshake Authentication Protocol (CHAP)
● OCRA ­ OATH Challenge­Response Algorithm
● Salted Challenge Response Authentication Mechanism
(SCRAM)
● ssh's challenge­response system based on RSA

16. Message authentication code

17. ● hash function
➢ MD5 #HMAC­MD5
➢ SHA­1 #HMAC­SHA1
● IPsec and TLS protocols are used HMAC­SHA1
and HMAC­MD5.
Hash­based message
authentication code

18. ● H is a cryptographic hash function,
● K is a secret key padded to the right with extra zeroes to the
input block size of the hash function, or the hash of the
original key if it is longer than that block size,
● m is the message
● opad is the outer padding (0x5c5c5c…5c5c, one­block­
long hexadecimal constant),
● and ipad is the inner padding (0x363636…3636, one­
block­long hexadecimal constant).

20. HMAC­based One­time Password
Algorithm
● HOTP­Value = HOTP(K,C) mod 10d
#number of digits
● HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
● HMAC(K,C) = SHA1(K 0x5c5c… SHA1(K 0x3636… C))⊕ ∥ ⊕ ∥
● K = secret key
● C = counter
● Truncate = a function that selects 4 bytes from the result of the
HMAC in a defined manner.

21. Time­based One­time Password
Algorithm
● TC = (unixtime(now) ­ unixtime(T0)) / TS
– T0 = start of an epochand
– TS = counting in units of a time step
● TOTP = HOTP(SecretKey, TC)
● TOTP­Value = TOTP mod 10d #
d = number of
digits

22. Methods of delivering
● Text messaging
● Mobile phones
● Proprietary tokens
● Web­based methods
● Hardcopy

23. Text messaging

24. Mobile phones

25. Proprietary tokens

26. Web­based methods

27. Hardcopy (TAN)

28. Transaction authentication number
(TAN)
● Classic TAN
● Indexed TAN (iTAN)
● Indexed TAN with CAPTCHA (iTANplus)
● Mobile TAN (mTAN)
● pushTAN

29. Two­factor authentication

30. Multi­factor authentication

31. Authentication­as­a­service
● Automates everything
● Protects everything
● Protects everyone
● Easy migration
● Saves money