OTP Authentication

A report submitted in partial fulfilment of the requirements for the award of the
Degree of

BACHELOR OF ENGINEERING

IN

INFORMATION TECHNOLOGY

BY

DIPTANSHU (BE/10281/14)
MITCHELL MONICA BILUNG (BE/10368/14)

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

BIRLA INSTITUTE OF TECHNOLOGY

MESRA-835215, RANCHI

2018
DECLARATION CERTIFICATE

This is to certify that the work presented in the report entitled “OTP
Authentication” in partial fulfilment of the requirement for the award
of degree of “Information Technology of Birla Institute of
Technology Mesra, Ranchi” is an authentic work carried out under
my supervision and guidance. To the best of my knowledge, the
content of this thesis does not form a basis for award of any
previous Degree to anyone else.

(Guide’s Name and Signature)

Dept. Of Computer Science and Engineering,

Birla Institute of Technology,

Mesra, Ranchi.
Acknowledgement

We would like to express our gratitude to our professor in-charge as well as our faculty members, who gave us the opportunity to do this project. It involved a great deal of research, and we learned many new things.

Secondly, we would like to thank our parents and batch mates, who helped us a lot in finalising this project within the limited time frame.
Abstract

An OTP (one-time password) is a password that is valid for only one transaction on a computer system or other digital device. OTP generation algorithms typically rely on randomness, which makes the next value difficult for an attacker to predict, and on hash functions, which can be used to derive a value but are difficult to reverse. This matters because otherwise it would be easy to predict future OTPs by observing previous ones.
An OTP is a secure way to grant access to an application or to perform a transaction exactly once. The password becomes invalid after it has been used and cannot be used again.
Introduction

OTP stands for One-Time Password. It is a security technique that helps protect against various password-based attacks, especially password sniffing and replay attacks. Its main purpose is to make it difficult to gain unauthorized access to restricted resources, such as a database or a bank account holding sensitive information.
An OTP generator offers stronger protection than static passwords, which remain the same across multiple login sessions.
The algorithm uses random characters and symbols to create a password that an attacker cannot guess.

The growing number of applications that require authentication, together with the growing number of attacks, keeps driving OTP technology. The idea of an OTP was first suggested by Leslie Lamport in the early 1980s. Nowadays there are many patented OTP tokens. The OTP may be delivered by a proprietary token, via mobile phone, on paper, or through a web-based approach. A few standards have been developed to facilitate adoption of OTP authentication by enabling interoperability across commercial and open-source implementations, for a better user experience. The first step of OTP technology is OTP calculation, the algorithm that generates a unique passcode for every authentication.
Passwords have been quite unpopular for a while. In order to
improve login security, many of the leading online service
providers have introduced “two factor authentication” procedures
in which your password is complemented with a second factor.
Concrete OTP algorithms vary greatly in their details. Various approaches to generating an OTP are listed below:
- Based on time synchronization between the server and the client providing the password.
- Using a mathematical algorithm to generate a new password based on the previous password (the OTPs effectively form a chain and must be used in a predefined order).
- Using a mathematical algorithm where the new password is based on a challenge (e.g. a random number chosen by the authentication server, or transaction details) or on a counter.
There are also many ways of making the user aware of the next OTP to use. Some systems use special electronic security tokens that the user carries, which generate OTPs and show them on a small display. Other systems consist of software that runs on the user's mobile phone. Yet other systems generate OTPs on the server side and send them to the user over an out-of-band channel such as SMS messaging. Finally, in some systems, OTPs are printed on paper that the user is required to carry.
Methodology

Method of Calculation
This OTP is based on the very popular HMAC-SHA algorithm. HMAC-SHA is generally used to perform authentication by challenge-response. It is not an encryption algorithm but a keyed hashing algorithm that transforms one set of bytes into another. The transformation is not reversible, which means that the result cannot be used to recover the input.

HMAC-SHA uses a key to transform an input array of bytes. The key is the secret that must never become accessible to an attacker, and the input is the challenge. This makes OTP a form of challenge-response authentication.

The secret key must be at least 20 bytes; the challenge is usually an 8-byte counter, which leaves a very long time before its value is exhausted.

The algorithm takes the 20-byte key and the 8-byte counter and produces an 8-digit number. There will obviously be duplicate values during the lifetime of the OTP generator, but this does not matter, as no duplicate can occur consecutively and an OTP is only valid for a couple of minutes.
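As an added example (not part of the original report), the calculation described above written out in Python as the HOTP algorithm of RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation to a decimal code. The verifier class and its look-ahead window are my assumptions about how a server consumes the counter; the 20-byte key is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' of the 20-byte MAC to a decimal code."""
    challenge = struct.pack(">Q", counter)            # the 8-byte counter
    mac = hmac.new(secret, challenge, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # low nibble of the last byte
    # take 31 bits starting at `offset`, so the value is never negative
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side (assumed design): keeps the shared key and the next
    expected counter, accepts a code only for one of the next `window`
    counters, then moves past it so the same code cannot be replayed."""

    def __init__(self, secret: bytes, digits: int = 8, window: int = 5):
        self.secret = secret
        self.digits = digits
        self.window = window
        self.counter = 0                              # next counter to accept

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.counter = c + 1                  # resync and burn the code
                return True
        return False                                  # wrong, replayed or too far ahead


# Constructed demo using the 20-byte test key from RFC 4226, Appendix D.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = HotpVerifier(SECRET, digits=6)
    for n in range(3):
        print(n, hotp(SECRET, n, 6))                  # 755224 287082 359152
    print(server.verify(hotp(SECRET, 0, 6)))          # True
    print(server.verify(hotp(SECRET, 0, 6)))          # False: replay rejected
```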

Why is the OTP a very strong authentication method?

There are a few reasons why this is a very strong method.

- The key is 20 bytes long.
- Each password is a counter/password pair, valid only once and only for a very short time.
- The algorithm that generates each password is not reversible.
- With an OTP token, the key is protected by hardware.
- If the OTP is received on your phone, the key always stays at the server.

These few characteristics make the OTP a strong authentication protocol. The weakness in an authentication scheme is usually the human factor. It is difficult to remember many complex passwords, so users often use the same one all across the internet, and not a very strong one. With an OTP you do not have to remember a password; at most you would have to remember a PIN code (4 to 8 digits) if the OTP token is PIN-protected. In the case of an OTP sent to a mobile phone, it is protected by your phone's security. A PIN is short, but you generally cannot try it more than 3 times before the token is locked.

The weakness of an OTP, if there is one, is the medium used to generate or receive the OTP. If the user loses it, the authentication could be compromised. A possible solution would be to protect this device with a biometric credential, making it all but completely safe.

HMAC generation uses two passes of hash computation. The secret key is first used to derive two keys, an inner and an outer one. The first pass of the algorithm produces an internal hash derived from the message and the inner key. The second pass produces the final HMAC code derived from the inner hash result and the outer key. The construction thus provides immunity against length-extension attacks.

HMAC(K, m) = H( (K' ⊕ opad) || H( (K' ⊕ ipad) || m ) )

where
H is a cryptographic hash function,
K is the secret key,
m is the message to be authenticated,
K' is another secret key derived from the original key K (by padding K to the right with zeroes up to the input block size of the hash function, or by hashing K first if it is longer than that block size),
|| denotes concatenation,
⊕ denotes exclusive or (XOR),
opad is the outer padding (0x5c5c5c…5c5c, a one-block-long hexadecimal constant), and
ipad is the inner padding (0x363636…3636, a one-block-long hexadecimal constant).

Example:

HMAC_SHA1("key", "The quick brown fox jumps over the lazy dog") =
de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
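The two-pass construction above, implemented directly from the formula as an added example (not from the original report) and checked both against the example vector quoted above and against Python's hmac module; the function names are my own.

```python
import hashlib
import hmac


def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha1") -> str:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), built from
    the definition rather than from the hmac module. Returns lowercase hex."""
    def h(data: bytes) -> bytes:                 # the underlying hash H
        return hashlib.new(hash_name, data).digest()

    block = hashlib.new(hash_name).block_size    # 64 bytes for SHA-1 / SHA-256
    if len(key) > block:                         # K longer than a block: hash it first
        key = h(key)
    k_prime = key.ljust(block, b"\x00")          # K': pad K with zeros to one block
    ipad = bytes(b ^ 0x36 for b in k_prime)      # inner key: K' xor 0x36...36
    opad = bytes(b ^ 0x5C for b in k_prime)      # outer key: K' xor 0x5c...5c
    inner_hash = h(ipad + msg)                   # first pass, over the message
    return h(opad + inner_hash).hex()            # second pass, over the inner hash


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-built HMAC against hmac.new for the same inputs."""
    reference = hmac.new(key, msg, getattr(hashlib, hash_name)).hexdigest()
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name), reference)


# Constructed demo inputs: the example vector quoted in the report, plus a key
# longer than one block to exercise the hash-the-key branch.
DEMO_KEY, DEMO_MSG = b"key", b"The quick brown fox jumps over the lazy dog"
LONG_KEY = b"k" * 100

if __name__ == "__main__":
    print(hmac_from_formula(DEMO_KEY, DEMO_MSG))         # de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
    print(matches_stdlib(LONG_KEY, DEMO_MSG))            # True
    print(matches_stdlib(DEMO_KEY, DEMO_MSG, "sha256"))  # True
```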

Methods of delivering OTP

Phones:
A common technology used for the delivery of OTPs is text
messaging. Because text messaging is a ubiquitous
communication channel, being directly available in nearly all
mobile handsets and, through text-to-speech conversion, to any
mobile or landline telephone, text messaging has a great potential
to reach all consumers with a low total cost to implement.
However, the cost of text messaging for each OTP may not be
acceptable to some users. OTP over text messaging may be
encrypted using an A5/x standard, which several hacking groups
report can be successfully decrypted within minutes or seconds.
Additionally, security flaws in the SS7 routing protocol can and
have been used to redirect the associated text messages to
attackers; in 2017, several O2 customers in Germany were
breached in this manner in order to gain access to their mobile
banking accounts. In July 2016, the U.S. NIST issued a draft of a
special publication with guidance on authentication practices,
which discourages the use of SMS as a method of implementing
out-of-band two-factor authentication, due to the ability for SMS to
be intercepted at scale.

On smartphones, one-time passwords can also be delivered directly through mobile apps, including dedicated authentication apps such as Authy, Duo and Google Authenticator, or within a service's existing app, as in the case of Steam. These systems do not share the security vulnerabilities of SMS and do not necessarily require a connection to a mobile network, as they are internet-based.

Proprietary tokens:
EMV is starting to use a challenge-response algorithm (called "Chip Authentication Program") for credit cards in Europe. In access control for computer networks, on the other hand, RSA Security's SecurID and tokens from HID Global are examples of the time-synchronization type of token. Like all tokens, these may be lost, damaged or stolen; there is also the inconvenience of batteries dying, especially for tokens without a recharging facility or with a non-replaceable battery. A variant of the proprietary token was proposed by RSA in 2006 and described as "ubiquitous authentication", in which RSA would partner with manufacturers to add physical SecurID chips to devices such as mobile phones.
Recently it has become possible to take the electronic components of regular keyfob OTP tokens and embed them in a credit-card form factor. However, the thinness of the cards, at 0.79 mm to 0.84 mm, prevents standard components or batteries from being used. Special polymer-based batteries must be used, which have a much shorter life than coin (button) cells. Semiconductor components must not only be very flat but must also minimise the power used in standby and when operating.
Yubico offers a small USB token with an embedded chip that creates an OTP when a key is pressed and emulates a keyboard so that a long password can be entered easily.[11] Since it is a USB device, it avoids the inconvenience of battery replacement.
A newer version of this technology embeds a keypad into a payment card of standard size and thickness. The card has an embedded keypad, display, microprocessor and proximity chip.

Web-based methods:
Authentication-as-a-service providers offer various web-based methods for delivering one-time passwords without the need for tokens. One such method relies on the user's ability to recognise pre-chosen categories in a randomly generated grid of pictures. When first registering on a website, the user chooses several secret categories of things, such as dogs, cars, boats and flowers. Each time the user logs into the website, they are presented with a randomly generated grid of pictures, each with an alphanumeric character overlaid on it. The user looks for the pictures that fit their pre-chosen categories and enters the associated alphanumeric characters to form a one-time access code.

Hardcopy:
In some countries' online banking, the bank sends the user a numbered list of OTPs printed on paper. Other banks send plastic cards with the OTPs obscured by a layer that the user has to scratch off to reveal a numbered OTP. For every online transaction, the user is required to enter a specific OTP from that list. Some systems ask for the numbered OTPs sequentially; others pseudorandomly choose an OTP to be entered. In Germany and many other countries, such as Austria and Brazil,[14] those OTPs are typically called TANs (for 'transaction authentication numbers'). Some banks even dispatch such TANs to the user's mobile phone via SMS, in which case they are called mTANs (for 'mobile TANs').

OTPs versus other methods of securing data:

One-time passwords are vulnerable to social engineering attacks in which phishers steal OTPs by tricking customers into providing one or more OTPs that they have used in the past. In late 2005, customers of a Swedish bank were tricked into giving up their one-time passwords.[15] In 2006 this type of attack was used on customers of a US bank.[16] Even time-synchronized OTPs are vulnerable to phishing, by two methods. First, the password may be used by the attacker as quickly as by the legitimate user, if the attacker can obtain the OTP in plaintext quickly enough. The other type of attack—which may be defeated by OTP systems implementing the hash chain discussed above—is for the phisher to use the information gained by this social-engineering method (past OTP codes that are no longer valid) to predict which OTP codes will be used in the future. For example, an OTP password generator that is pseudo-random rather than truly random might or might not be compromised, because pseudo-random numbers are often predictable once one has the past OTP codes. An OTP system can only use truly random OTPs if the OTP is generated by the authenticator and transmitted (presumably out-of-band) to the user; otherwise the OTP must be independently generated by each party, necessitating a repeatable, and therefore merely pseudo-random, algorithm.
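As an added example (not from the original report), the Lamport-style hash chain referred to above: a captured past OTP lets anyone recompute codes that are already spent, but the next expected code is a preimage and cannot be derived from it. SHA-256, the class names and the constructed seed are my assumptions.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    """The one-way function the chain is built from (assumed: SHA-256)."""
    return hashlib.sha256(data).digest()

def build_chain(seed: bytes, n: int) -> list:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)]; index i holds h^i(seed)."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class ChainClient:
    """Hands out links in descending order h^(n-1), h^(n-2), ..., so every
    OTP is the preimage of the previous one and cannot be derived from it."""
    def __init__(self, seed: bytes, n: int):
        self.chain = build_chain(seed, n)
        self.next_index = n - 1
    def anchor(self) -> bytes:
        return self.chain[-1]                      # h^n(seed), registered with the server
    def next_otp(self) -> bytes:
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp

class ChainServer:
    """Stores only the last accepted link. A candidate x is valid iff h(x)
    equals it; x then becomes the stored link, so it cannot be replayed."""
    def __init__(self, anchor: bytes):
        self.current = anchor
    def verify(self, otp: bytes) -> bool:
        if hmac.compare_digest(h(otp), self.current):
            self.current = otp
            return True
        return False

if __name__ == "__main__":
    client = ChainClient(b"constructed-seed", n=5)     # constructed demo seed
    server = ChainServer(client.anchor())
    first = client.next_otp()
    print(server.verify(first), server.verify(first))  # True False (replay)
    print(server.verify(h(first)))                     # False: a captured code only leads forward
    print(server.verify(client.next_otp()))            # True: the genuine preimage
```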
FUTURE SCOPE

Passwords have been quite unpopular for a while. The vulnerability of data has opened a wide scope for its protection. OTP is now being used everywhere because of its secure authentication process. Whether it be an online bank transaction, an online shopping site or the passing of sensitive information, OTP is the answer.
New software and techniques are being developed every day to make our data more secure than ever. New algorithms with greater complexity and lower time consumption are being developed.

Every transaction on the net is being done through a one-time password, which makes the future of the field of OTP authentication very promising.
The OTP has gained traction for authenticating transactions and users across industries. In emerging economies such as India and China, the OTP is a secondary factor for transaction authorization. Certain banks, including the likes of OCBC and ICBC in China, issue physical hardware for OTP generation, whereas in India most of the incumbents use OTPs delivered via text messages. Banks such as ICICI Bank use a combination of the security grid present on the account holder's card and an OTP; others, like Standard Chartered, use an OTP, and Citibank gives the customer the choice of authorizing the transaction either via a PIN or via a text-delivered OTP. Prepaid instruments in India also use OTP as a factor for authentication.
Conclusion

Although OTPs are in some ways more secure than a static memorized password, users of OTP systems are still vulnerable to man-in-the-middle attacks. OTPs should therefore not be disclosed to any third party, and using an OTP as one layer in layered security is safer than using an OTP alone; one way to implement layered security is to use an OTP in combination with a password that is memorized by the user (and never transmitted to the user, as OTPs often are). An advantage of layered security is that a single sign-on combined with one master password or a password manager becomes safer than using only one layer of security during sign-on, and so the inconvenience of password fatigue is avoided if one usually has long sessions with many passwords that would need to be entered mid-session (to open different documents, websites and applications). The disadvantage of using many forms of security at once during a single sign-on is the inconvenience of more security precautions at every login, even when one is logging in only briefly to access information or an application that does not require as much security as the more sensitive items the computer is used for.

Authentication is done via three factors: knowledge, ownership and inherence. Knowledge and ownership are factors that are transferable and prone to fraudulent use. Only the inherence factor is robust, but implementing it is certainly an uphill task for many of the incumbent players in the market. As such, OTP is just one of the ownership factors of authentication. The future might see authentication with biometrics only. A few organisations, such as Barclays Wealth, already use the more reliable voice prints for authenticating large-ticket transactions.
