One-time password

The oft-used abbreviation OTP stands for English one-time password , which the direct translation equivalent of "one-time password". However, there is a risk of confusion with the One-Time-Pad encryption method, as both are abbreviated to “OTP”.

The challenge with the one-time password is how both parties can know which password is valid for a particular login. There are two ways to do this: password lists or password generators.

Password lists

With this system, ready-made lists of passwords are stored on both sides. This list is either processed in sequence (i.e. the entries are numbered) or a value that has not yet been used is freely selected. This value is transmitted as a password and removed from the list on both sides. The TAN lists in online banking are an example of a password list.

There is the following difference between the variants mentioned: In the case of one-time passwords that are used one after the other, i.e. sequentially , there is exactly one valid value at any point in time, namely the first one that has not yet been used. In the case of one-time passwords, which can be selected from a list by the sender, there are just as many valid values ​​at any point in time as there are unused values ​​on the list.

A disadvantage is a possible loss of the password list. An attacker who gets hold of it (e.g. in the event of a system break-in) knows all the one-time passwords that could be used. A system that does not have to save the complete list is therefore preferable to this method.

Password generators

A password generator is a program that automatically generates a password.

Procedure

With the password generators, a special algorithm is used to generate a current password at each point in time. A distinction must be made between three procedures:

1. Timed Generators
2. Event-driven generators
3. Challenge-Response Controlled Generators

With all three, it is not the algorithm itself that is transmitted, but only the evidence, the result of the algorithm. With the correct result, the client proves that it has the correct algorithm and, if necessary, the correct initialization.

Timed

Although the server always performs the same calculation as the client (the security token ), it generally accepts and calculates several one-time passwords within a tolerance range, as the clock built into the token may not be 100% accurate. Nevertheless, every one-time password has a precisely defined time interval for its validity, which is usually between 1 and 15 minutes.

A short example of a token that changes its one-time password every minute. The one-time password, however, is not only valid at time t , but is also accepted by the server at time t  − 1 min and t  + 1 min and thus for three minutes because of the tolerance . Good practices synchronize with the client based on the incoming data. If there are longer interruptions between registrations, this can also fail.

When using a single token at several independent bodies, eavesdropping on the one-time password at one point would result in a security risk for the other bodies within the tolerance range.

Event-driven

With the event-controlled method, too, the server carries out the same calculation as with the time-controlled method that took place on the client side, and here too it calculates and accepts several one-time passwords within a tolerance range, with the exception of those that have already been used. The reason is that occasionally the owner might not be able to use a generated password. This process is much more gentle on the batteries of a corresponding device (token). It is also possible to operate it without a permanent power supply, by simply saving the last value used and thus invalidated anyway.

If a single token is used by several independent bodies, all bodies must be promptly informed of any use in any event.

Challenge-response controlled

There are no synchronization problems in the case of a challenge-response procedure. With this procedure, the server specifies a task (challenge) that the client must answer (response). The client receives a value from the server as input and calculates a one-time password based on it.

The advantage of this procedure is that the challenge can be made completely independently. If there is no algorithm on the server side that can be calculated in advance, then there is no possibility on the client or cracker side to calculate a response in advance. This means that it is also possible to use a single algorithm for several independent bodies; this does not reduce security. There are solutions that use a device (token) to calculate the response. In this case, the technique described below can also be used, with the initial value as the challenge.

Technology used in most generators

Typical examples of the most frequently used methods are on the one hand the so-called tokens of z. B. RSA Security , ID Control, Vasco, Kobil and other manufacturers, on the other hand, for example, implementations of the one-time password according to Lamport (also known as Lamport hash ), whose algorithm is essentially based on the repeated use of a hash function.

The prerequisite for the one-time password procedure is that both parties involved (client and server) know a common, secret password . A series of one-time passwords (OTP) is generated from this. ${\ displaystyle ggKW}$

initialization

${\ displaystyle S = H (r_ {A} \ || \ ggKW)}$.

Calculation of one-time passwords

Now, a series of one-time passwords generated by applying to the hash function is applied repeatedly iterative: The first OTP generated by the hash function is applied times: . The next by applying the hash function times. A possible eavesdropper cannot calculate the next one from the sent password, as he would have to invert the hash function to get from to . However, this is impossible. ${\ displaystyle S}$${\ displaystyle N}$${\ displaystyle KW_ {N} = H ^ {N} (S)}$${\ displaystyle N-1}$${\ displaystyle KW_ {N}}$${\ displaystyle KW_ {N-1}}$

Verification of the OTP at the server

The server initially performed the same operation as the client and only noted it. First, the client sends OTP to the server. This verifies it by applying the hash function once to the newly received OTP and comparing the result with the OTP stored on it . If the values ​​match, the OTP is verified. ${\ displaystyle KW_ {N} \ = H ^ {N} (S)}$${\ displaystyle KW_ {N-1}}$${\ displaystyle KW_ {N-1}}$${\ displaystyle H (KW_ {N-1}) \ \ to KW_ {N}}$${\ displaystyle KW_ {N}}$${\ displaystyle KW_ {N-1}}$

For the next verification, the server now remembers and the client has to send OTP next . ${\ displaystyle KW_ {N-1}}$${\ displaystyle KW_ {N-2}}$

Reinitialization

Since a new OTP is sent with each authentication and the counter eventually reaches zero, the OTP system must be reinitialized. For this purpose, the client can e.g. B. independently choose a new seed and a new one and inform the server. A new shared, secret password can also be agreed over a secure line . However, many tokens used today do not provide for communication beyond the value itself. ${\ displaystyle N}$${\ displaystyle r_ {A}}$${\ displaystyle N}$${\ displaystyle ggKW}$

safety

Since cryptographic hash functions cannot be inverted, the secret password cannot be found out. The system is also protected against replay attacks , as a new password is transmitted each time.

However, only the client is authenticated by the server. The server, however, does not authenticate itself with the client. In this way, an attacker can install his own server in the network and trick the client into thinking that this server is the authentication server.

See also

• Transaction number
• UAF (FIDO)
• Two-factor authentication

Web links