BAN Logic-Based Security Proof for Mobile OTP Authentication Scheme

  • Mohammed Saeed Alkatheiri
  • Mohamed Hamdy Eldefrawy
  • Muhammad Khurram Khan
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 164)


A Mobile One-Time Password (OTP) mechanism solves the password security problem that results from reusing the same password multiple times. Eldefrawy et al. have presented a two-factor OTP-based authentication scheme using mobile phones that provides forward and infinite OTP generation using two nested hash functions. However, they did not formally analyze their protocol. In this paper, we formally analyze their algorithm with a BAN logic analysis to prove its security in a formal way. The logical postulates are applied to prove the desired attributes of the mobile OTP-based two-factor authentication scheme using mobile phones. The analysis shows that the security of the illustrated protocol has been formally proved.


Keywords: BAN logic, OTP, Two-factor authentication, Formal analysis


References

  1. Bicakci, K., Baykal, N.: One-time passwords: security analysis using BAN logic and integrating with smartcard authentication. ISCIS, Lect. Notes Comput. Sci. 2869, 794–801 (2003)
  2. Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Trans. Comput. Syst. 8(1), 18–36 (1990)
  3. Eldefrawy, M.H., Khan, M.K., Alghathbar, K., Kim, T.-H., Elkamchouchi, H.: Mobile one-time passwords: two-factor authentication using mobile phones. Security Comm. Networks 5, 508–516 (2012), John Wiley & Sons, Ltd
  4. Fan, K., Li, H., Wang, Y.: Security analysis of the Kerberos protocol using BAN logic. In: IAS 2009, Fifth International Conference on Information Assurance and Security, vol. 2, pp. 467–470 (2009)
  5. Han, J., Won, D., Kim, S.: New identity management scheme and its formal analysis. In: Proceedings of WASET 2009, World Academy of Science, Engineering and Technology, vol. 49, Dubai, United Arab Emirates, 28–29 Jan 2009, pp. 617–623
  6. Lamport, L.: Password authentication with insecure communication. Commun. ACM 24(11), 770–772 (1981)
  7. Kim, J.-Y., Choi, H.-K., Copeland, J.A.: Further improved remote user authentication scheme. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E94-A(6), 1426–1433 (2011)
  8. Westermann, B.: Security analysis of AN.ON's payment scheme. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009, Lecture Notes in Computer Science, vol. 5838, pp. 255–270. Springer, Heidelberg (2009)

Copyright information

© Springer Science+Business Media Dordrecht 2012

Authors and Affiliations

  • Mohammed Saeed Alkatheiri (1)
  • Mohamed Hamdy Eldefrawy (1)
  • Muhammad Khurram Khan (1)

  1. Center of Excellence in Information Assurance, King Saud University, Riyadh, Saudi Arabia