The dynamic password, also called the one-time password (OTP), is an authentication technology built on a secret (seed key) shared between client and server. It is a strong authentication technology, a convenient means of strengthening today's static-password authentication, and an important two-factor authentication technology. A dynamic password authentication system consists of a client-side password generator (the dynamic token, usually a hardware device) and a back-end dynamic password authentication system that manages tokens and verifies passwords.
I. A brief history of OTP
The dynamic password (OTP) has a predecessor whose name is translated the same way. The one-time pad (also OTP), also called the cipher book, is an intelligence technique from the military field: communication is encrypted and decrypted using a pre-agreed one-time cipher book, and each page is used only once and then discarded. Viewers of domestic spy dramas may remember the Japanese spy who called himself the "one-armed thief" during the Japanese bombing of Chongqing in World War II; he used the one-time pad, encoding his intelligence with the Nobel-winning novel "The Good Earth", and was finally broken by the father of American cryptography, Herbert Yardley. The OTP dynamic password technology used today in strong authentication originated with the RSA SecurID product, first developed by RSA in 1986. A dynamic password is not a one-time-pad technology; it is a dynamic one-time-password technology. At present there are two mainstream international dynamic password (OTP) algorithms: RSA SecurID and the OTP algorithm organized by OATH. In China there is also the national cryptographic OTP algorithm. RSA SecurID uses the AES symmetric algorithm, OATH uses the HMAC algorithm, and the national algorithm uses the SM1 (symmetric) and SM3 (hash) algorithms.
II. OTP authentication principle and synchronization methods
The basic principle of dynamic password authentication is that both parties share a key, called the seed key. Each side feeds the same seed key and a moving factor (an event counter, a time value, or an asynchronous challenge number) into a cryptographic algorithm (a symmetric cipher, a hash, or an HMAC), and the two computed values are compared to authenticate the user. Each dynamic password is used only once. A password is usually 6-8 characters long, so it is easy to use; because the flow resembles ordinary static-password authentication, it is simple for users and easy to integrate with existing systems. OTP dynamic password technology is therefore widely used across system channels such as web applications, mobile applications, telephone applications, and ATM self-service terminals.
There are three dynamic password synchronization mechanisms: time, event, and challenge-response. Time-based dynamic passwords are currently the most popular, challenge-response dynamic passwords are increasingly used, and dynamic passwords are gradually combining several synchronization types, such as time plus challenge-response.
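As an added illustration of the principle above (this is example code written for this page, not code from the original article or from OATH), the following Python implements the OATH HMAC-based variant for all three synchronization modes: an event counter (HOTP, RFC 4226), a time step (TOTP, RFC 6238) and a server-issued challenge. The seed key is the published RFC 4226 test secret, used here as a constructed value; the challenge nonce and the window sizes are assumptions for the demo. The verify helpers show the server side of the comparison, including the small resynchronization window and the constant-time compare a deployment needs.

```python
import hashlib
import hmac
import struct

# Constructed seed key for the demo: this is the published RFC 4226 test
# secret, not a real token seed. In deployment the seed is a per-token random
# value provisioned into both the token and the authentication server.
SEED = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """OATH dynamic truncation: take 4 bytes at the offset given by the low
    nibble of the last MAC byte, clear the sign bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Event-synchronised OTP (RFC 4226): HMAC over the 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    return _truncate(mac, digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-synchronised OTP (RFC 6238): the moving factor is the time-step index."""
    return hotp(seed, unix_time // step, digits, algo)


def challenge_otp(seed: bytes, challenge: bytes, digits: int = 6) -> str:
    """Challenge-response OTP: the moving factor is a server-issued nonce, so
    the code is bound to this one authentication attempt (assumed format)."""
    mac = hmac.new(seed, challenge, hashlib.sha1).digest()
    return _truncate(mac, digits)


def verify_hotp(seed: bytes, submitted: str, next_counter: int,
                look_ahead: int = 3):
    """Server-side event verification. The server stores the next expected
    counter; a small look-ahead window tolerates token presses that never
    reached the server. Returns the new counter to store, or None on failure."""
    for c in range(next_counter, next_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return c + 1  # this counter and all earlier ones are now dead
    return None


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                step: int = 30, drift_steps: int = 1) -> bool:
    """Server-side time verification tolerating +/- drift_steps of clock skew."""
    for d in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(seed, unix_time + d * step, step), submitted):
            return True
    return False


def verify_challenge(seed: bytes, submitted: str, challenge: bytes) -> bool:
    """Server-side challenge verification against the nonce it issued."""
    return hmac.compare_digest(challenge_otp(seed, challenge), submitted)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SEED, 0))             # RFC 4226 vector
    print("TOTP at t=59  :", totp(SEED, 59, digits=8))  # RFC 6238 vector
    nonce = b"constructed-challenge-0001"               # constructed nonce
    print("Challenge OTP :", challenge_otp(SEED, nonce))
```

Two design points matter for the server side. A time-based code stays valid for the whole drift window, so a real server also records the last accepted time step per token and refuses a second login with a code from that step; otherwise a code seen once (for example by phishing, as section IV describes) can be replayed within the window. The challenge variant avoids that by construction, since the nonce is consumed with the login attempt, which is why combinations such as time plus challenge-response are gaining ground.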
III. Comparison of OTP with common authentication technologies
Enhanced authentication technologies currently used in information systems include:
1. USB key: requires applying for a PKI certificate.
2. Dynamic password card: passwords are printed on a card and scratched off for use.
3. Dynamic SMS: a password is sent over the telecom channel.
4. IC card/SIM card: built-in information tied to the user's identity.
5. Biometrics: identity is verified by a unique biometric feature, such as a fingerprint.
6. Dynamic token: a dynamic password generator plus an authentication system.
Different solutions are compared as follows:
| Solution | Security | Compatibility | Price | Ease of use | Flexibility |
|---|---|---|---|---|---|
| USB key/PKI | high | poor | high | average | poor |
| Dynamic password card | average | good | low | average | good |
| Dynamic SMS | high | good | high | average | average |
| IC card/SIM card | high | poor | high | average | poor |
| Biometrics | high | poor | high | average | poor |
| Dynamic token | high | good | high | convenient | good |
The comparison above shows that dynamic password authentication technology has clear advantages.
IV. Shortcomings of dynamic password authentication technology
Dynamic password authentication technology has not been certified by a third-party authority. If the security policy of the business application system is incomplete, it can be attacked by a man-in-the-middle; for example, one bank's time-based dynamic token was attacked by phishing. It is recommended to improve the security usage policy within the application, clearly define where passwords may be used, and strengthen process control in the transaction system to improve overall security.
Appendix: OATH algorithm Java source code: Http://download.csdn.net/detail/goldboar/3932212