Tuesday, May 14, 2013

OTP (One Time Password) Demystified - Part 1

Introduction

At the beginning of 2004, I was working with a small team of Gemplus on the EAP-SIM authentication protocol. As we were a bit ahead of the market, our team was reassigned to work with a team of Verisign on a new authentication method: OTP or One Time Password.

At this time, the existing one time password was a token from RSA that was using a clock to synchronize the passwords.

The lab of Versign came with a very simple but I should say very smart concept. The OTP that you may be using with your bank or Google was born.

This is this algorithm and authentication method I describe in the following two articles. In this article, I present a complete code of the OTP generator. It is very similar to the Javacard Applet I wrote in 2004 when I started to work on this concept with the Versign labs.

The One Time Password Generator

This OTP is based on the very popular algorithm HMAC SHA. The HMAC SHA is an algorithm generally used to perform authentication by challenge response. It is not an encryption algorithm but a hashing algorithm that transforms a set of bytes to another set of bytes. This algorithm is not reversible which means that you cannot use the result to go back to the source.

A HMAC SHA uses a key to transform an input array of bytes. The key is the secret that must never be accessible to a hacker and the input is the challenge. This means that OTP is a challenge response authentication.

The secret key must be 20 bytes at least; the challenge is usually a counter of 8 bytes which leaves quite some time before the value is exhausted.

The algorithm takes the 20 bytes key and the 8 bytes counter to create a 8 digits number. This means that there will obviously be duplicates during the life time of the OTP generator but this doesn't matter as no duplicate can occur consecutively and an OTP is only valid for a couple of minutes.

Read more: Codeproject
QR: Inline image 1