Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Final Year Project

Efficient doubling of resynchronization for HOTP

Alireza Beikverdi

on 27 May 2015

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Final Year Project

Using different passwords for different authentication systems may result in forgetting passwords.
It is really difficult to remember different passwords so users mostly have few passwords which use them for different systems.
Forgotten or lost
Efficient doubling of resynchronization for HOTP
static passwords
have many drawbacks which makes them unreliable.
Literature Review
Investigating current HOTP system
Proposing a new scheme for HOTP
Proposed method increases security and efficiency of current method with a small overhead
Proposed algorithm will be developed and analyzed in the next trimester.
static passwords
have many drawbacks which makes them unreliable
It can be stolen
It can be forgotten or lost
It can be so short and easy to guess
Active attacks:
the communication line.
Passive attacks
Selecting weak passwords.
Writing password as plain text in different places.
Can address the second and mostly third problem.
Easy to remember
Not short
Use different combination of punctuations and letters
Pass phrase
"Passphrases are more secure."
Still not
Still didn't solve the network problem.
Keyloggers can get the password as well.
Disadvantage of passphrase
A password that is
generated once
used once
and then

It has been used in military and high secure areas for many years.

Traditionally, users were provided with an offline token that will generate a new numeric personal identification number (PIN) in regular intervals.
With the ubiquitous Internet, the generation of an OTP can be done by personal computers, mobile internet devices and also smart phones.
One Time Password (OTP)
HMAC-Based One time password (HOTP) RFC4226
Time-Base One time password (TOTP) RFC6238
Types of OTP
The TOTP standard utilizes the system clock to generate the appropriate OTP on both the client and server side.

For example in each one minute the password in client and server updates to a new password.
HOTP standard uses a counter value that was initially synchronized between the client and the server component.
Counter increments at client-side each time user generates a password.
Counter increments at serve-side each time user successfully authenticated at server.

of counter at server and client side lead to generation of the same password.
How does the password that client-side generates, validate at server-side?
Counters at server-side and client-side can be dismatched due to many reasons.
Counter desynchronization and resynchronization
(in server-side and client-side)
It's called
The method to restore both sides counters to same value is called
In case of password dismatches from client-side, Server will increment counter by S times (Resynchronization window), to resynchronize counters.
Resynchronization window
Provide a system for HOTP which is:
More reliable for users
Less vulnerable to DOS attacks.

Mission is to:
Develop current HOTP system
Develop new HOTP system (Next trimester)
Analyze new system and compare with current HOTP system. (Next trimester)
System contains 3 parts to be built:
mobile phone token
Web application
Lamport in 1981 introduces OTP.
It was a new method to reduce static passwords security.
In the studey of Liao in 2009, OTP categorizes in two categories:
OTP Review
In the study of Haller in 1994, he proposed a method for OTP
Challenge-Response Review
Challenge i
i with shared key
There is no connection between client and server.
Client generates password on its own.
Unidirectional Review
As described in RFC 4226 In the HOTP scheme, the counter value is increased each time the client generates a new password with the token. On the server side, it will increase the value each time an authentication request is received.

HMAC-SHA-1 algorithm as it is described in RFC 2104.

HS = HMAC-SHA1(K, C) K: Key C: Counter (8 bytes)
D = Truncate(HS)
HOTP(K, C) = D mod 10^n
Counter increments each time user generates a password.
As described in RFC 6238 TOTP uses the system clock and increases the counter value by periodically.
The period for the counter value to increase is to be agreed upon between the client and the authenticating server.

K: Shared key
T: Time
Time-based one time password
Counter are
HOTP problem
User generates a password
Doesn't use for authentication
Counter increments by 1
Server is not able to match password
Server uses Resynch-Protocol lookahead window
Increment counter by one for S times (reynchronization parameter)
If password is matched counters are resynchronized unless
It will reset counter back to its previous value.
This method is vulnerable against DOS attacks.
System consists of 3 components:
Overview of system
Use case diagram
Iterative and incremental process model is used to develop this application.
Process model
Determining parity of client-side counter value at server.
Hiding parity of client's counter in the password that is sent to server for authentication.
Proposed method
Generates password last bit
shows counter parity
Sent Encrypted modified password
Check for parity of itself and client
Generates password
Server doesn't need to check all the counter values in Resynch-Protocol.
It will check double more numbers than normal Resynchronization method.
More reliable against DOS attacks since windows size is doubled.
Advantage of proposed method
Flowchart of Existing HOTP method at server-side based on RFC 4226
proposed HOTP scheme at client side
Flowchart of proposed HOTP method at server-side
.Net framework is used for developing.

Windows phone 7 application as token to generate password.

Asp.net web application for server-side password validator.
C#: Programming language

First phase: Developing existing HOTP system based on RFC 4226. (Done)
Second phase: Developing proposed HOTP system (Next trimester)
Thanks for your time
Full transcript