Ubiquitous One-Time Password Service Using the Generic Authentication Architecture

The Generic Authentication Architecture (GAA) is a standardised extension to the mobile authentication infrastructure that enables the provision of security services, such as key establishment, to network applications. In this paper we first show how Trusted Computing can be extended in a GAA-like framework to offer new security services. We then propose a general scheme that converts a simple static password authentication mechanism into a one-time password (OTP) system using the GAA key establishment service. The scheme employs a GAA-enabled user device and a GAA-aware server. Most importantly, unlike most OTP systems using a dedicated key-bearing token, the user device does not need to be user or server specific, and can be used in the protocol with no registration or configuration (except for the installation of the necessary application software). We also give two practical instantiations of the general scheme, building firstly on the mobile authentication infrastructure and secondly on Trusted Computing. The practical systems are secure, scalable, fit well to the multi-institution scenario, and enable the provision of ubiquitous and on-demand OTP services.

[1]  Lance James,et al.  Phishing exposed , 2005 .

[2]  Valtteri Niemi,et al.  Cellular Authentication for Mobile and Internet Services , 2008 .

[3]  Colin Boyd,et al.  Protocols for Authentication and Key Establishment , 2003, Information Security and Cryptography.

[4]  Siani Pearson Trusted Computing Platforms , the Next Security Solution , 2002 .

[5]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[6]  Lawrence C. Stewart,et al.  HTTP Authentication: Basic and Digest Access Authentication , 1999 .

[7]  Gene Tsudik,et al.  Authentication method with impersonal token cards , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[8]  Scott A. Rotondo Trusted Computing Group , 2011, Encyclopedia of Cryptography and Security.

[9]  Audun Jøsang,et al.  The Mobile Phone as a Multi OTP Device Using Trusted Computing , 2010, 2010 Fourth International Conference on Network and System Security.

[10]  Anne Marsden,et al.  International Organization for Standardization , 2014 .

[11]  David M'Raïhi,et al.  HOTP: An HMAC-Based One-Time Password Algorithm , 2005, RFC.