The research on robustness and practicability of the one–time password authentication

Master's === Shu-Te University === Department of Information Engineering === 96 === One-Time Password (OTP), which is a disposable password, is a technique of user authentication. In each login, the user must use a different password to enter the system. Because the password differs each time, the OTP technique has the benefit of protecting the system fr...


Bibliographic Details
Main Authors: Ming-Her Cheng, 鄭明和
Other Authors: Chun-Li Lin
Format: Others
Language: zh-TW
Published: 2008
Online Access: http://ndltd.ncl.edu.tw/handle/31044438020510739315
id ndltd-TW-096STU00392023
record_format oai_dc
spelling ndltd-TW-096STU00392023 2015-11-30T04:02:54Z http://ndltd.ncl.edu.tw/handle/31044438020510739315 The research on robustness and practicability of the one–time password authentication 一次性通行碼認證機制之強健性與實用性研究 Ming-Her Cheng 鄭明和 Master's Shu-Te University Department of Information Engineering 96 One-Time Password (OTP), which is a disposable password, is a technique of user authentication. In each login, the user must use a different password to enter the system. Because the password differs each time, the OTP technique has the benefit of protecting the system from replay attacks in the process of authentication transmission. Because the password used for verification is different in each authentication session, the user and the server must have an agreed mechanism to compute the variable password for authenticating each other. Moreover, the user and the server need to store some information, the so-called verifier, to support the authentication process. To verify identity between the user and the server, the authentication protocol must be robust against any attack method from attackers. Among present attack techniques, the most difficult to solve is the server-side theft attack. When the server’s secret key is stolen, the attacker can use the stolen information to impersonate the user and log in to the server, and even obtain improper benefit. This thesis proposes an OTP mutual authentication protocol using a reverse hash-chain against the theft attack. We also use a pre-computation technique to reduce the overhead of computing the hash-chain. Recently, the Internet has provided users with a convenient way to conduct transactions. For security, the network banks use the SSL protocol to protect the user’s account number and password for authentication. Several banks even use a specific off-line password generator (Off-Line Token) against key logger and Trojan horse attacks. But those methods cannot effectively prevent network phishing attacks.
This thesis proposes a challenge-response OTP authentication protocol, which guarantees that the password stolen by the phisher is invalid, and hence indirectly prevents phishing attacks. The proposed protocol also uses a popular mobile device (for example, cell phone, PDA, etc.) to replace the traditional Off-Line Token. Such replacement not only reduces the cost of the token, but also increases the practicability. This proposed protocol is very practical and can be used for the login systems of network banks and on-line games. Chun-Li Lin 林峻立 2008 degree thesis ; thesis 44 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD