Abstract
Hash chains are often used to implement One Time Password (OTP) based authentication systems. Some use finite hash chains that require frequent system re-initialization. Others use computationally intensive public-key algorithms to achieve infiniteness. Eldefrawy et al. proposed a hash-based infinite chain, but it has limited ability to resist pre-play and guessing attacks. This paper provides a smartphone-based two-factor authentication system, nRICH, that uses both knowledge-based (password) and possession-based (seed) information. The OTP is generated perpetually from a multi-dimensional infinite hash chain that eliminates the limitations of other techniques. It is superior in resisting pre-play attacks. The hard challenge is a random path from the origin to a random point inside a multi-dimensional moving hypercube. We have rigorously performed the security analysis, compared the scheme with other techniques w.r.t. various metrics, and found it suitable to be implemented even in low-end devices. The only drawback is the increased length of the challenge to be typed by the user. We propose to use a QR code to avoid this problem.
Keywords
- One Time Password
- Authentication
- Hash chain
- One-way encryption
- Security
This work is partially supported by the project entitled “QR code-based Authentication Using Mobile OTP and…” under RUSA 2.0 (Ref. No. R-11/668/19)
References
Lamport, L.: Password authentication with insecure communication. Commun. ACM 24(11), 770–772 (1981)
Cha, B., Park, S., Kim, J.: Cluster Comput. 19, 1865 (2016). https://doi.org/10.1007/s10586-016-0666-6
Cha, B.R., Kim, Y.I., Kim, J.W.: Telecommun. Syst. 52, 2221 (2013). https://doi.org/10.1007/s11235-011-9528-y
Holtmanns, S., Oliver, I.: SMS and one-time-password interception in LTE networks. In: 2017 IEEE International Conference on Communications (ICC), Paris, pp. 1–6 (2017). https://doi.org/10.1109/icc.2017.7997246
Hallsteinsen, S., Jorstad, I., Thanh, D.‐V.: Using the mobile phone as a security token for unified authentication: systems and networks communication. In: International Conference on Systems and Networks Communications, pp. 68–74. IEEE Computer Society, Washington, DC (2007)
Indu, S., Sathya, T.N., Saravana Kumar, V.: A stand-alone and SMS-based approach for authentication using mobile phone. In: 2013 International Conference on Information Communication and Embedded Systems (ICICES), Chennai, pp. 140–145 (2013)
Mulliner, C., Borgaonkar, R., Stewin, P., Seifert, J.P.: SMS-based one-time passwords: attacks and defense. In: Rieck, K., Stewin, P., Seifert, J.P. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2013. Lecture Notes in Computer Science, vol. 7967, pp. 150–159. Springer, Heidelberg (2013)
Siddique, S.M., Amir, M.: GSM security issues and challenges. In: Proceedings of the Seventh ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/ Distributed Computing, SNPD 2006. IEEE Computer Society, Washington, DC (2006)
Wang, H.: Research and design on identity authentication. System in mobile‐commerce, pp. 18–50. Beijing Jiaotong University (2007)
Laukkanen, T., Sinkkonen, S., Kivijarvi, M., Laukkanen, P.: Segmenting bank customers by resistance to mobile banking. In: International Conference on the Management of Mobile Business, p. 42. IEEE Computer Society, Washington, DC (2007)
Eldefrawy, M.H., Khan, M.K., Alghathbar, K., Kim, T., Elkamchouchi, H.: Mobile one-time passwords: two-factor authentication using mobile phones. Secur. Commun. Netw. 5, 508–516 (2012). https://doi.org/10.1002/sec.340
Haller, N.: The S/KEY one‐time password system. In: Proceedings of the ISOC Symposium on Network and Distributed System Security, San Diego, CA, pp. 151–157, February 1994
Goyal, V., Abraham, A., Sanyal, S., Han, S.: The N/R one time password system. In: Proceedings of International Conference on Information Technology: Coding and Computing, ITCC 2005, vol. 1, pp. 733–738. IEEE Computer Society, Washington, DC (2005)
Chefranov, A.: One‐time password authentication with infinite hash chains. In: Novel Algorithms and Techniques in Telecommunications, Automation and Industrial Electronics, pp. 283–286. Springer, Heidelberg (2008)
Bicakci, K., Baykal, N.: Infinite length hash chains and their applications. In: Proceedings of the 11th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborating Enterprises, WETICE 2002, pp. 57–61. IEEE Computer Society, Washington, DC (2002)
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Yeh, T., Shen, H., Hwang, J.: A secure one-time password authentication scheme using smart cards. IEICE Trans. Commun. E85–B(11), 2515–2518 (2002)
Yum, D., Lee, P.: Cryptanalysis of Yeh–Shen–Hwang’s one–time password authentication scheme. IEICE Trans. Commun. E88–B(4), 1647–1648 (2005)
Raddum, H., Nestås, L., Hole, K.: Security analysis of mobile phones used as OTP generators. In: Proceedings of the Fourth IFIP Workshop in Information Security Theory and Practice, WISTP 2010, pp. 324–331. Springer, Heidelberg (2010)
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Roy, U.K., Mahansaria, D. (2020). Two-Factor Authentication Using Mobile OTP and Multi-dimensional Infinite Hash Chains. In: Arai, K., Kapoor, S., Bhatia, R. (eds) Advances in Information and Communication. FICC 2020. Advances in Intelligent Systems and Computing, vol 1129. Springer, Cham. https://doi.org/10.1007/978-3-030-39445-5_50
DOI: https://doi.org/10.1007/978-3-030-39445-5_50
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-39444-8
Online ISBN: 978-3-030-39445-5
eBook Packages: Intelligent Technologies and Robotics, Intelligent Technologies and Robotics (R0)