Final Year Project
Transcript of Final Year Project
It is really difficult to remember different passwords, so users mostly have a few passwords which they use for different systems.
Forgotten or lost
Efficient doubling of resynchronization for HOTP
have many drawbacks which make them unreliable.
Investigating current HOTP system
Proposing a new scheme for HOTP
The proposed method increases the security and efficiency of the current method with a small overhead.
The proposed algorithm will be developed and analyzed in the next trimester.
have many drawbacks which make them unreliable
It can be stolen
It can be forgotten or lost
It can be too short and easy to guess
the communication line.
Selecting weak passwords.
Writing passwords as plain text in different places.
Can address the second and, mostly, the third problem.
Easy to remember
Use different combinations of punctuation and letters
"Passphrases are more secure."
Still doesn't solve the network problem.
Keyloggers can capture the password as well.
Disadvantage of passphrase
A password that is
It has been used in the military and high-security areas for many years.
Traditionally, users were provided with an offline token that generates a new numeric personal identification number (PIN) at regular intervals.
With the ubiquitous Internet, an OTP can also be generated by personal computers, mobile Internet devices and smartphones.
One Time Password (OTP)
HMAC-Based One-Time Password (HOTP), RFC 4226
Time-Based One-Time Password (TOTP), RFC 6238
Types of OTP
The TOTP standard uses the system clock to generate the appropriate OTP on both the client and server sides.
For example, every minute the password on the client and the server updates to a new password.
The HOTP standard uses a counter value that was initially synchronized between the client and the server components.
The counter increments on the client side each time the user generates a password.
The counter increments on the server side each time the user successfully authenticates at the server.
of the counter on the server and client sides leads to generation of the same password.
How does the password that the client side generates get validated at the server side?
The counters on the server side and the client side can become mismatched for many reasons.
Counter desynchronization and resynchronization
(in server-side and client-side)
The method to restore both sides' counters to the same value is called
In case the password from the client side does not match, the server will increment its counter up to S times (the resynchronization window) to resynchronize the counters.
Provide a system for HOTP which is:
More reliable for users
Less vulnerable to DoS attacks.
Mission is to:
Develop the current HOTP system
Develop the new HOTP system (next trimester)
Analyze the new system and compare it with the current HOTP system (next trimester)
System contains 3 parts to be built:
mobile phone token
Lamport introduced OTP in 1981.
It was a new method to reduce the security problems of static passwords.
In the study of Liao in 2009, OTP is categorized into two categories:
In the study of Haller in 1994, he proposed a method for OTP
i) with shared key
There is no connection between client and server.
Client generates password on its own.
As described in RFC 4226, in the HOTP scheme the counter value is increased each time the client generates a new password with the token. On the server side, the value is increased each time an authentication request is received.
HMAC-SHA-1 algorithm as described in RFC 2104.
HS = HMAC-SHA-1(K, C), where K is the key and C is the counter (8 bytes)
D = Truncate(HS)
HOTP(K, C) = D mod 10^n
Counter increments each time user generates a password.
As described in RFC 6238, TOTP uses the system clock and increases the counter value periodically.
The period for the counter value to increase is agreed upon between the client and the authenticating server.
TOTP = HOTP (K,T)
K: Shared key
Time-based one time password
User generates a password
Doesn't use it for authentication
Counter increments by 1
The server is not able to match the password
The server uses the Resynch-Protocol look-ahead window
Increment the counter by one, up to S times (resynchronization parameter)
If the password matches, the counters are resynchronized; otherwise
it will reset the counter back to its previous value.
This method is vulnerable to DoS attacks.
System consists of 3 components:
Overview of system
Use case diagram
An iterative and incremental process model is used to develop this application.
Determining the parity of the client-side counter value at the server.
Hiding the parity of the client's counter in the password that is sent to the server for authentication.
Generates password; last bit
shows counter parity
Sends encrypted modified password
Checks parity of itself and client
The server doesn't need to check all the counter values in the Resynch-Protocol.
It will check twice as many numbers as the normal resynchronization method.
More reliable against DoS attacks since the window size is doubled.
Advantage of proposed method
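Added example (my code, not the project's): the HOTP and TOTP computation from the formulas above, the existing look-ahead resynchronization with parameter S, and the proposed parity scheme side by side. It assumes 6-digit codes and that the parity is embedded by overwriting the least-significant bit of the OTP value, since the page does not specify the encoding; the RFC 4226 test-vector secret is used as constructed sample input.

```python
import hmac
import hashlib
import struct

# Added example, not the project's code. Assumption: the proposed scheme embeds the
# client counter's parity by overwriting the least-significant bit of the OTP value.
# KEY is the RFC 4226 test-vector secret, used here as sample input.
KEY = b"12345678901234567890"

def hotp(key, counter, digits=6):
    """HOTP(K, C) per RFC 4226: HS = HMAC-SHA-1(K, C), D = Truncate(HS), D mod 10^digits."""
    hs = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()  # C as 8 bytes
    offset = hs[-1] & 0x0F                                  # low nibble of last byte
    d = struct.unpack(">I", hs[offset:offset + 4])[0] & 0x7FFFFFFF  # dynamic truncation
    return d % (10 ** digits)

def totp(key, unix_time, step=30, digits=6):
    """TOTP = HOTP(K, T) per RFC 6238, with T = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)

def verify_lookahead(key, server_counter, otp, window):
    """Existing Resynch-Protocol: try server_counter .. server_counter + window (S).
    Returns the next expected counter on success; None (counter unchanged) on failure."""
    for c in range(server_counter, server_counter + window + 1):
        if hotp(key, c) == otp:
            return c + 1
    return None

def client_generate(key, client_counter):
    """Proposed client side: last bit of the password shows the counter parity."""
    code = hotp(key, client_counter)
    return (code & ~1) | (client_counter & 1)       # costs one bit of OTP entropy

def verify_with_parity(key, server_counter, otp, window):
    """Proposed server side: read the parity bit, then only try counters of that
    parity, so the same number of HMAC evaluations covers a window twice as wide."""
    parity = otp & 1
    for c in range(server_counter, server_counter + 2 * window + 1):
        if (c & 1) != parity:
            continue                                      # skipped without an HMAC
        if client_generate(key, c) == otp:
            return c + 1
    return None

if __name__ == "__main__":
    print(hotp(KEY, 0), totp(KEY, 59, 30, 8))          # RFC vectors: 755224 94287082
    print(verify_lookahead(KEY, 0, hotp(KEY, 5), 3))   # None: counter 5 outside S=3
    print(verify_with_parity(KEY, 0, client_generate(KEY, 5), 3))  # 6: found
```

The trade-off to note for a defender is that the parity bit is taken out of the OTP, so each code carries one bit less unpredictability in exchange for the doubled window.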
Flowchart of existing HOTP method at server side based on RFC 4226
Proposed HOTP scheme at client side
Flowchart of proposed HOTP method at server side
.NET Framework is used for development.
Windows Phone 7 application as token to generate passwords.
ASP.NET web application for server-side password validation.
C#: programming language
First phase: Developing existing HOTP system based on RFC 4226. (Done)
Second phase: Developing proposed HOTP system (Next trimester)
Thanks for your time