Patent Application
20140115677
The field of the invention is authentication, and in particular authentication using a hardware device.
A method for calculating a One Time Password. A secret is concatenated with a count, where the secret is uniquely assigned to a token. The secret can be a private key or a shared secret symmetric key. The count is a number that increases monotonically at the token with the number of One Time Passwords generated at the token. The count is also tracked at an authentication server, where it increases monotonically with each calculation of a One Time Password at the authentication server. An OTP can be calculated by hashing a concatenated secret and count. The result can be truncated.
A common step in deciding whether to grant a request for access to data or services in a network is to identify and authenticate the requesting user. Authentication includes the process of verifying the identity of a user. A known identification and authentication system includes associating a user identifier (“user id”) and a secret (“password”) for a user. The password can be a secret shared between the user and an authentication service. The user can submit his user id and password to the authentication service, which compares them with a user id and associated password that can be stored at the service. If they match, then the user is said to have been authenticated. If not, the user is said not to be authenticated.
A token is a device that can be used to authenticate a user. It can include one or more secrets, some of which can be shared with a validation center. For example, a token can store a secret key that can be used as the basis for calculating a One Time Password (OTP). A OTP can be a number (or alphanumeric string) that is generated once and then is not reused. The token can generate an OTP and send it along with a unique token serial number to an authentication server. The authentication server can calculate an OTP using its copy of the secret key for the token with the received serial number. If the OTPs match, then the user can be said to be authenticated. To further strengthen the link from the user to the token, the user can establish a secret Personal Identification Number (PIN) shared with the token that must be entered by the user to unlock the token. Alternatively, the PIN can be shared between the user, the token and the authentication server, and can be used with other factors to generate the OTP. A token typically implements tamper-resistant measures to protect the secrets from unauthorized disclosure.
An embodiment of the present invention includes a protocol for generating One Time Passwords (“OTPs”) at a hardware device that can be used to authenticate a user. The OTPs are generated by a token, which can be a physical device that includes mechanisms to prevent the unauthorized modification or disclosure of the software and information that it contains, and to help ensure its proper functioning.
An embodiment of this protocol can be sequence based, and can be two-factor, e.g., based upon something the user knows (such as a Personal Identification Number, a secret shared between the user and the authentication service) and a physical device having special properties (e.g., a unique secret key such as a private key, or a shared secret symmetric key) that the user possesses (e.g., a token.).
The protocol for generating the OTPs can be based upon a counter, e.g., a monotonically increasing number based, for example, on the number of times a OTP has been requested from the token. The value of the OTP can be displayed on a token, and can be easily read and entered by the user, e.g., via a keyboard coupled to a computer that is in turn coupled to a network. The OTP can be transportable over the RADIUS system.
An embodiment of the protocol in accordance with the present invention can based on an increasing counter value and a static symmetric key known only to the token and an authentication service (the “strong auth” service.) An OTP value can be created using the HMAC-SHA1 algorithm as defined in RFC 2104, or any other suitable hash algorithm. This hashed MAC algorithm has the strength of SHA-1, but allows the addition of a secret during the calculation of the output.
The output of the HMAC-SHA1 calculation is 160 bits. However, this value can be truncated to a length that can be easily entered by a user. Thus,
OTP=Truncate(HMAC-SHA1 (Count, Secret))
Both the client and authentication server can calculate the OTP value. If the value received by the server matches the value calculated by the server, then the user can be said to be authenticated. Once an authentication occurs at the server, the server increments the counter value by one.
Although the servers counter value can be incremented after a successful OTP authentication, the counter on the token can be incremented every time the button is pushed. Because of this, the counter values on the server and on the token can often be out of synchronization. Indeed, there is a good chance that the token will always be out of synchronization with the server given the user environment (e.g., the user pushes the button unnecessarily, button is pushed accidentally, user mistypes the OTP, etc.)
Because the server's counter will only increment when a valid OTP is presented, the server's counter value on the token is expected to always be less than the counter value on token. It is important to ensure that resynchronization is to ensure it's not a burden to either the user or the enterprise IT department.
Synchronization of counters is in this scenario can be achieved by having the server calculate the next n OTP values and determine if there is a match, where n is an integer. If we assume that the difference between the count at the token and the count at the server is 50, then depending on the implementation of the strong auth server, the server would at most have to calculate the next 50 OTP values. Thus, for example, if the correct OTP is found at the n+12 value, then the server can authenticate the user and then increment the counter by 12.
It is important to carefully choose a value for n that can be easily calculated by the server. There should be upper bounds to ensure the server doesn't check OTP values forever, thereby succumbing to a Denial of Service attack.
Truncating the HMAC-SHA1 value to a 6 character value could make a brute force attack easy to mount, especially if only numeric digits are used. Because of this, such attacks can be detected and stopped at the strong auth server. Each time the server calculates an OTP that does not validate, it should record this and implement measures to prevent being swamped, e.g., at some point, turn away future requests for validation from the same source. Alternatively, the user can be forced to wait for a longer period of time between validation attempts.
Once a user is locked out, the user can be to “self-unlock” by providing a web interface that would require the user, for example, to enter multiple OTP in a sequence, thus proving they have the token.
Once the shared secret has been combined with the counter, a 160 bit (20-byte) HMAC-SHA1 result can be obtained. In one embodiment, at most four bytes of this information for our OTP. The HMAC RFC (RFC 2104—HMAC: Keyed-Hashing for Message Authentication) further warns that we should use at least half the HMAC result in Section 5, Truncated Output:
Thus, another way is needed to choose only four or fewer bytes of the HMAC result in a way that will not weaken either HMAC or SHA1. In one, dynamic offset truncation, described below, can be used.
The purpose of this technique is to extract a four byte dynamic binary code from an HMAC-SHA1 result while still keeping most of the cryptographic strength of the MAC.
The following code example describes the extraction of a dynamic binary code given that hmac_result is a byte array with the HMAC-SHA1 result:
int offset=hmac_result[19] & 0xf;
int bin_code=(hmac_result[offset] & 0x7f)<<24
|(hmac_result[offset+1] & 0xff)<<16
|(hmac_result[offset+2] & 0xff)<<8
|(hmac_result[offset+3] & 0xff);
The following is an example of using this technique:
We treat the dynamic binary code as a 31 bit, unsigned, big-endian integer; the first byte is masked with a 0x7f.
The One Time Password for a given secret and moving factor can vary based on three parameters: Encoding Base, Code Digits, and Has Checksum. With 10 as an Encoding Base, 7 Code Digits and Has Checksum set to TRUE, we continue with the above example:
10−((5+8+5+2+9+2+2)mod 10)=10−(33 mod 10)=10−3=7
The following is the Glossary of terms used in this application:
The One Time Number value is calculated by first shifting in the Hash Bits, and then the Synchronization Bits, and then shifting in the result of the check_function ( ) of the prior intermediate value.
The binary value is then translated to appropriate character values. There are three likely character representations of the password: Decimal, Hexadecimal, and Alpha-Numeric.
The token can convert the dynamic binary code to decimal and then display then last Code Digits plus optionally the checksum. For example, for a six digit, no checksum, decimal token will convert the binary code to decimal and display the last six digits.
The token can convert the dynamic binary code to hexadecimal and then display then last Code Digits plus optionally the checksum. For example, for a six digit, no checksum, hexadecimal token will convert the binary code to hexadecimal and display the last six digits.
The token can convert the dynamic binary code to base 32 and then display then last Code Digits plus optionally the checksum. For example, for a six digit, no checksum, base 32 token will convert the binary code to base 32 and display the last six digits.
In order to be a true two-factor authentication token, there can also be a “what you know” value in addition to the “what you have” value of the OTP. This value is usually a static PIN or password known only to the user. This section discusses three alternative architectures to validate this static PIN in accordance with the present invention.
Enabling PIN validation in the cloud can bind a single PIN to a single token. The PIN should be protected over the wire to ensure it is not revealed. PIN management (set, change) should be implemented by the strong auth service.
Enabling PIN validation in the cloud may mean multiple PIN's for a single token.
The PIN need never leave the “security world” of the enterprise. PIN management can be implemented by the enterprise.
This embodiment can be implemented using a keypad on the token. The PIN is never sent over the wire, and may be used as a seed to the OTP algorithm. The PIN may be used to simply unlock the token.
This section describes two data flow scenarios. The first scenario assumes that the StrongAuth service does not knows the username associated with a token. In this scenario it is assumed that the PIN management operations require the user to enter their token SN, instead of their user name.
The second scenario is very similar to the first, except by the fact that the user name is the key into the StrongAuth service, instead of the token SN. There are a few issues in this case. First, the username is known to the service, and second we must come up with a scheme to ensure a unique mapping from a username to a token SN.
A strong authentication server 110, an enterprise authentication server 120 and a client 130 are coupled, e.g., through a network (not shown.) As shown in
The authentication procedure of
This patent application is a Continuation of U.S. patent application Ser. No. 10/590,415, filed Oct. 20, 2006, which is a nation stage entry application claiming priority under 35 U.S.C. §371 to Patent Cooperation Treaty Application No. PCT/US05/05481, filed Feb. 23, 2005, which claims priority to U.S. Provisional Application No. 60/546,194, filed Feb. 23, 2004, each of which are herein incorporated by reference.
| Number | Date | Country | |
|---|---|---|---|
| 60546194 | Feb 2004 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 10590415 | Oct 2006 | US |
| Child | 14136795 | US |
