Overview of Dynamic Password (OTP) Authentication Technology

Source: Internet
Author: User
Tags: hmac, rsa, securid

The dynamic password (OTP, one-time password), also known as a one-time password, is an authentication technology in which the client and the server share a secret and use cryptographic techniques to derive passwords from it. It is a strong authentication technology, a very convenient means of enhancing conventional static password authentication, and an important two-factor authentication technology. A dynamic password authentication system consists of a client-side password generator, the dynamic token (a hardware device), and a back-end dynamic password authentication system that manages the tokens and verifies the passwords.

I. History of OTP

The dynamic password (OTP) has a predecessor whose name is translated the same way. The one-time pad (also abbreviated OTP, and also called the cipher book) is an intelligence technique from the military field: communications are encrypted and decrypted with a pre-agreed one-time cipher book, which is used only once and then discarded. Viewers of domestic spy dramas may recall the Japanese spy who called himself the "single-armed thief" during the Japanese bombing of Chongqing in World War II; he used one-time pad technology, encoding his intelligence with the Nobel-winning novel "The Good Earth", and was finally broken by the father of American cryptography, Albert Adley. The OTP dynamic password technology used today in the field of strong authentication originated with the RSA SecurID product, first developed by RSA in 1986. Dynamic passwords are therefore not a one-time pad technology; they are a dynamic one-time password technology. There are currently two mainstream international OTP algorithms, RSA SecurID and the algorithms standardised by OATH; in China there is in addition the national-standard OTP cryptographic algorithm. RSA SecurID uses the AES symmetric algorithm, OATH uses the HMAC algorithm, and the national algorithm uses the SM1 (symmetric) and SM3 (hash) algorithms.

II. OTP Authentication Principles and Synchronization Methods

The basic authentication principle of a dynamic password is that both parties share a key, called the seed key. Each side feeds the same seed key and a moving factor (an event counter, a time value, or an asynchronous challenge number) into a cryptographic algorithm; the algorithms used include symmetric ciphers, hash functions and HMAC. The two computed values are then compared, and authentication succeeds if they match. Each dynamic password is valid for a single use. The password is usually 6 to 8 characters long, so it is easy to enter, and because the procedure resembles ordinary static password authentication it is easy to use and easy to integrate into existing systems. OTP dynamic password technology is therefore widely used across many system channels, such as web applications, mobile applications, telephone applications and ATM self-service terminals.

There are three dynamic password synchronization mechanisms: time, event, and challenge and response. Time-based dynamic passwords are currently the most popular, the use of challenge-and-response dynamic passwords is increasing, and dynamic passwords are gradually moving towards combinations of several synchronization types, such as time plus challenge and response.
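The event- and time-synchronised mechanisms described above, together with the server-side handling that makes them work in practice, are shown below in an added example written for this page; it is not code from the original article or from any token vendor. It implements the OATH HOTP construction (HMAC-SHA1 over a counter, with RFC 4226 dynamic truncation) and TOTP on top of it (the counter is the number of 30-second steps since the Unix epoch). The seed is the RFC 4226 test value, used here only as a demo constant; the HotpVerifier and TotpVerifier classes, the look-ahead window of 5 counters and the drift of 1 step are assumptions of this example, chosen to show how a server resynchronises with a token while still refusing to accept a password twice.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 Appendix D test seed (ASCII "12345678901234567890").
# Constructed demo value for this example, not a production secret.
DEMO_SEED = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226: take 4 bytes at the offset given by
    the low nibble of the last MAC byte, clear the sign bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-synchronised OTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronised OTP (RFC 6238): the moving factor is the number of
    `step`-second intervals elapsed since the Unix epoch."""
    return hotp(seed, unix_time // step, digits)


class HotpVerifier:
    """Server side of event synchronisation. Remembers the next expected
    counter so that an intercepted code cannot be replayed, and searches a
    small look-ahead window to resynchronise with a token whose button was
    pressed without a login actually taking place."""

    def __init__(self, seed: bytes, look_ahead: int = 5, digits: int = 6):
        self.seed = seed
        self.look_ahead = look_ahead
        self.digits = digits
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            # Constant-time comparison so the check itself leaks nothing.
            if hmac.compare_digest(hotp(self.seed, c, self.digits), code):
                self.next_counter = c + 1  # every counter up to c is now burned
                return True
        return False


class TotpVerifier:
    """Server side of time synchronisation: accepts the current step plus
    `drift` steps on either side to tolerate clock skew, and never accepts
    the same time step twice (one password, one use)."""

    def __init__(self, seed: bytes, step: int = 30, drift: int = 1, digits: int = 6):
        self.seed = seed
        self.step = step
        self.drift = drift
        self.digits = digits
        self.last_step: Optional[int] = None

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for s in range(now - self.drift, now + self.drift + 1):
            if self.last_step is not None and s <= self.last_step:
                continue  # this step (or an older one) was already used: reject replay
            if hmac.compare_digest(hotp(self.seed, s, self.digits), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SEED, 0))
    print("TOTP at t=59 (8 digits):", totp(DEMO_SEED, 59, digits=8))
```

Note that both verifiers store state (the next counter, the last accepted step) alongside the seed; without that state the "one-time" property is lost, because the same code would verify again for as long as it stays inside the window.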

III. Comparison Between OTP and Common Authentication Technologies

The enhanced authentication technologies currently used in information systems include:

1. USB key: requires a PKI certificate.

2. Dynamic password card: the passwords are pre-printed on the card.

3. Dynamic SMS: the password is sent over the telecom channel.

4. IC card/SIM card: built-in information bound to the user's identity.

5. Biometrics: unique biometric features, such as fingerprints, are used to authenticate identity.

6. Dynamic token: a dynamic password generator together with an authentication system.

Different solutions are compared as follows:

Solution                Security   Compatibility   Price   Ease of use   Flexibility
USB key/PKI             high       poor            high    average       poor
Dynamic password card   average    good            low     average       good
Dynamic SMS             high       good            high    average       average
IC card/SIM card        high       poor            high    average       poor
Biometrics              high       poor            high    average       poor
Dynamic token           high       good            high    convenient    good

The above comparison shows that the dynamic password authentication technology has some advantages.

IV. Shortcomings of Dynamic Password Authentication Technology

Dynamic password authentication technology has not yet been certified by a third-party authority. If the security policy of the business application is incomplete, it can be subject to man-in-the-middle attacks; for example, a certain bank using time-based dynamic tokens was attacked through phishing. It is recommended to improve the security usage policy within the application, define clearly what a password authorizes, and strengthen process controls in the transaction system to improve overall security.
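The mitigation this section recommends, tying a password to what it is allowed to authorize, is what a challenge-and-response token (the third synchronization type from section II) provides when the challenge carries the transaction details: a code phished for one payment verifies only for that payment and that server nonce. The following is an added example written for this page, not code from the original article or from any bank or vendor. The HMAC-SHA1 truncation follows the OATH HOTP construction; the seed is the RFC 4226 test value used as a demo constant; the challenge encoding, the 8-byte nonce and the TransactionOtpServer class are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

# RFC 4226 test seed, used here only as a constructed demo value.
DEMO_SEED = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 value to `digits` decimals."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def canonical_challenge(nonce: bytes, payee: str, amount_cents: int) -> bytes:
    """Fixed encoding so token and server hash exactly the same bytes
    (assumed format): nonce || 0x00 || payee UTF-8 || 0x00 || amount as 8-byte big-endian."""
    return nonce + b"\x00" + payee.encode("utf-8") + b"\x00" + struct.pack(">Q", amount_cents)


def response_code(seed: bytes, challenge: bytes, digits: int = 6) -> str:
    """What the token computes: HMAC-SHA1 over the challenge, truncated to a short code."""
    mac = hmac.new(seed, challenge, hashlib.sha1).digest()
    return _truncate(mac, digits)


class TransactionOtpServer:
    """Server side of transaction-bound challenge and response. The server
    issues a fresh nonce per transaction, remembers what it was issued for,
    and accepts a response only if the submitted transaction still matches
    and the nonce has not been consumed."""

    def __init__(self, seed: bytes, digits: int = 6):
        self.seed = seed
        self.digits = digits
        self.pending: Dict[bytes, Tuple[str, int]] = {}

    def issue_challenge(self, payee: str, amount_cents: int,
                        nonce: Optional[bytes] = None) -> bytes:
        # A fixed nonce may be supplied for deterministic testing only.
        if nonce is None:
            nonce = secrets.token_bytes(8)
        self.pending[nonce] = (payee, amount_cents)
        return nonce

    def confirm(self, nonce: bytes, payee: str, amount_cents: int, code: str) -> bool:
        # Consume the nonce on every attempt, so neither a replay nor a
        # mismatched submission leaves it available for a second try.
        issued = self.pending.pop(nonce, None)
        if issued is None:
            return False  # unknown nonce, or already used
        if issued != (payee, amount_cents):
            return False  # transaction details changed between challenge and response
        expected = response_code(self.seed, canonical_challenge(nonce, payee, amount_cents), self.digits)
        return hmac.compare_digest(expected, code)
```

Because the payee and amount are inside the MAC input, a man in the middle who relays the user's code while substituting a different payee produces a mismatch, which a plain time-based code bound to nothing but the clock cannot provide.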

Appendix: OATH algorithm Java source code: Http://download.csdn.net/detail/goldboar/3932212
