mirror of
https://github.com/1f349/twofactor.git
synced 2025-01-10 16:46:35 +00:00
2076 lines
75 KiB
Plaintext
2076 lines
75 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Network Working Group D. M'Raihi
|
|||
|
Request for Comments: 4226 VeriSign
|
|||
|
Category: Informational M. Bellare
|
|||
|
UCSD
|
|||
|
F. Hoornaert
|
|||
|
Vasco
|
|||
|
D. Naccache
|
|||
|
Gemplus
|
|||
|
O. Ranen
|
|||
|
Aladdin
|
|||
|
December 2005
|
|||
|
|
|||
|
|
|||
|
HOTP: An HMAC-Based One-Time Password Algorithm
|
|||
|
|
|||
|
Status of This Memo
|
|||
|
|
|||
|
This memo provides information for the Internet community. It does
|
|||
|
not specify an Internet standard of any kind. Distribution of this
|
|||
|
memo is unlimited.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2005).
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This document describes an algorithm to generate one-time password
|
|||
|
values, based on Hashed Message Authentication Code (HMAC). A
|
|||
|
security analysis of the algorithm is presented, and important
|
|||
|
parameters related to the secure deployment of the algorithm are
|
|||
|
discussed. The proposed algorithm can be used across a wide range of
|
|||
|
network applications ranging from remote Virtual Private Network
|
|||
|
(VPN) access, Wi-Fi network logon to transaction-oriented Web
|
|||
|
applications.
|
|||
|
|
|||
|
This work is a joint effort by the OATH (Open AuTHentication)
|
|||
|
membership to specify an algorithm that can be freely distributed to
|
|||
|
the technical community. The authors believe that a common and
|
|||
|
shared algorithm will facilitate adoption of two-factor
|
|||
|
authentication on the Internet by enabling interoperability across
|
|||
|
commercial and open-source implementations.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 1]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Table of Contents
|
|||
|
|
|||
|
1. Overview ........................................................3
|
|||
|
2. Introduction ....................................................3
|
|||
|
3. Requirements Terminology ........................................4
|
|||
|
4. Algorithm Requirements ..........................................4
|
|||
|
5. HOTP Algorithm ..................................................5
|
|||
|
5.1. Notation and Symbols .......................................5
|
|||
|
5.2. Description ................................................6
|
|||
|
5.3. Generating an HOTP Value ...................................6
|
|||
|
5.4. Example of HOTP Computation for Digit = 6 ..................7
|
|||
|
6. Security Considerations .........................................8
|
|||
|
7. Security Requirements ...........................................9
|
|||
|
7.1. Authentication Protocol Requirements .......................9
|
|||
|
7.2. Validation of HOTP Values .................................10
|
|||
|
7.3. Throttling at the Server ..................................10
|
|||
|
7.4. Resynchronization of the Counter ..........................11
|
|||
|
7.5. Management of Shared Secrets ..............................11
|
|||
|
8. Composite Shared Secrets .......................................14
|
|||
|
9. Bi-Directional Authentication ..................................14
|
|||
|
10. Conclusion ....................................................15
|
|||
|
11. Acknowledgements ..............................................15
|
|||
|
12. Contributors ..................................................15
|
|||
|
13. References ....................................................15
|
|||
|
13.1. Normative References .....................................15
|
|||
|
13.2. Informative References ...................................16
|
|||
|
Appendix A - HOTP Algorithm Security: Detailed Analysis ...........17
|
|||
|
A.1. Definitions and Notations .................................17
|
|||
|
A.2. The Idealized Algorithm: HOTP-IDEAL .......................17
|
|||
|
A.3. Model of Security .........................................18
|
|||
|
A.4. Security of the Ideal Authentication Algorithm ............19
|
|||
|
A.4.1. From Bits to Digits ................................19
|
|||
|
A.4.2. Brute Force Attacks ................................21
|
|||
|
A.4.3. Brute force attacks are the best possible attacks ..22
|
|||
|
A.5. Security Analysis of HOTP .................................23
|
|||
|
Appendix B - SHA-1 Attacks ........................................25
|
|||
|
B.1. SHA-1 Status ..............................................25
|
|||
|
B.2. HMAC-SHA-1 Status .........................................26
|
|||
|
B.3. HOTP Status ...............................................26
|
|||
|
Appendix C - HOTP Algorithm: Reference Implementation .............27
|
|||
|
Appendix D - HOTP Algorithm: Test Values ..........................32
|
|||
|
Appendix E - Extensions ...........................................33
|
|||
|
E.1. Number of Digits ..........................................33
|
|||
|
E.2. Alphanumeric Values .......................................33
|
|||
|
E.3. Sequence of HOTP values ...................................34
|
|||
|
E.4. A Counter-Based Resynchronization Method ..................34
|
|||
|
E.5. Data Field ................................................35
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 2]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
1. Overview
|
|||
|
|
|||
|
The document introduces first the context around an algorithm that
|
|||
|
generates one-time password values based on HMAC [BCK1] and, thus, is
|
|||
|
named the HMAC-Based One-Time Password (HOTP) algorithm. In Section
|
|||
|
4, the algorithm requirements are listed and in Section 5, the HOTP
|
|||
|
algorithm is described. Sections 6 and 7 focus on the algorithm
|
|||
|
security. Section 8 proposes some extensions and improvements, and
|
|||
|
Section 10 concludes this document. In Appendix A, the interested
|
|||
|
reader will find a detailed, full-fledged analysis of the algorithm
|
|||
|
security: an idealized version of the algorithm is evaluated, and
|
|||
|
then the HOTP algorithm security is analyzed.
|
|||
|
|
|||
|
2. Introduction
|
|||
|
|
|||
|
Today, deployment of two-factor authentication remains extremely
|
|||
|
limited in scope and scale. Despite increasingly higher levels of
|
|||
|
threats and attacks, most Internet applications still rely on weak
|
|||
|
authentication schemes for policing user access. The lack of
|
|||
|
interoperability among hardware and software technology vendors has
|
|||
|
been a limiting factor in the adoption of two-factor authentication
|
|||
|
technology. In particular, the absence of open specifications has
|
|||
|
led to solutions where hardware and software components are tightly
|
|||
|
coupled through proprietary technology, resulting in high-cost
|
|||
|
solutions, poor adoption, and limited innovation.
|
|||
|
|
|||
|
In the last two years, the rapid rise of network threats has exposed
|
|||
|
the inadequacies of static passwords as the primary mean of
|
|||
|
authentication on the Internet. At the same time, the current
|
|||
|
approach that requires an end user to carry an expensive, single-
|
|||
|
function device that is only used to authenticate to the network is
|
|||
|
clearly not the right answer. For two-factor authentication to
|
|||
|
propagate on the Internet, it will have to be embedded in more
|
|||
|
flexible devices that can work across a wide range of applications.
|
|||
|
|
|||
|
The ability to embed this base technology while ensuring broad
|
|||
|
interoperability requires that it be made freely available to the
|
|||
|
broad technical community of hardware and software developers. Only
|
|||
|
an open-system approach will ensure that basic two-factor
|
|||
|
authentication primitives can be built into the next generation of
|
|||
|
consumer devices such as USB mass storage devices, IP phones, and
|
|||
|
personal digital assistants.
|
|||
|
|
|||
|
One-Time Password is certainly one of the simplest and most popular
|
|||
|
forms of two-factor authentication for securing network access. For
|
|||
|
example, in large enterprises, Virtual Private Network access often
|
|||
|
requires the use of One-Time Password tokens for remote user
|
|||
|
authentication. One-Time Passwords are often preferred to stronger
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 3]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
forms of authentication such as Public-Key Infrastructure (PKI) or
|
|||
|
biometrics because an air-gap device does not require the
|
|||
|
installation of any client desktop software on the user machine,
|
|||
|
therefore allowing them to roam across multiple machines including
|
|||
|
home computers, kiosks, and personal digital assistants.
|
|||
|
|
|||
|
This document proposes a simple One-Time Password algorithm that can
|
|||
|
be implemented by any hardware manufacturer or software developer to
|
|||
|
create interoperable authentication devices and software agents. The
|
|||
|
algorithm is event-based so that it can be embedded in high-volume
|
|||
|
devices such as Java smart cards, USB dongles, and GSM SIM cards.
|
|||
|
The presented algorithm is made freely available to the developer
|
|||
|
community under the terms and conditions of the IETF Intellectual
|
|||
|
Property Rights [RFC3979].
|
|||
|
|
|||
|
The authors of this document are members of the Open AuTHentication
|
|||
|
initiative [OATH]. The initiative was created in 2004 to facilitate
|
|||
|
collaboration among strong authentication technology providers.
|
|||
|
|
|||
|
3. Requirements Terminology
|
|||
|
|
|||
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|||
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|||
|
document are to be interpreted as described in [RFC2119].
|
|||
|
|
|||
|
4. Algorithm Requirements
|
|||
|
|
|||
|
This section presents the main requirements that drove this algorithm
|
|||
|
design. A lot of emphasis was placed on end-consumer usability as
|
|||
|
well as the ability for the algorithm to be implemented by low-cost
|
|||
|
hardware that may provide minimal user interface capabilities. In
|
|||
|
particular, the ability to embed the algorithm into high-volume SIM
|
|||
|
and Java cards was a fundamental prerequisite.
|
|||
|
|
|||
|
R1 - The algorithm MUST be sequence- or counter-based: one of the
|
|||
|
goals is to have the HOTP algorithm embedded in high-volume devices
|
|||
|
such as Java smart cards, USB dongles, and GSM SIM cards.
|
|||
|
|
|||
|
R2 - The algorithm SHOULD be economical to implement in hardware by
|
|||
|
minimizing requirements on battery, number of buttons, computational
|
|||
|
horsepower, and size of LCD display.
|
|||
|
|
|||
|
R3 - The algorithm MUST work with tokens that do not support any
|
|||
|
numeric input, but MAY also be used with more sophisticated devices
|
|||
|
such as secure PIN-pads.
|
|||
|
|
|||
|
R4 - The value displayed on the token MUST be easily read and entered
|
|||
|
by the user: This requires the HOTP value to be of reasonable length.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 4]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
The HOTP value must be at least a 6-digit value. It is also
|
|||
|
desirable that the HOTP value be 'numeric only' so that it can be
|
|||
|
easily entered on restricted devices such as phones.
|
|||
|
|
|||
|
R5 - There MUST be user-friendly mechanisms available to
|
|||
|
resynchronize the counter. Section 7.4 and Appendix E.4 details the
|
|||
|
resynchronization mechanism proposed in this document
|
|||
|
|
|||
|
R6 - The algorithm MUST use a strong shared secret. The length of
|
|||
|
the shared secret MUST be at least 128 bits. This document
|
|||
|
RECOMMENDs a shared secret length of 160 bits.
|
|||
|
|
|||
|
5. HOTP Algorithm
|
|||
|
|
|||
|
In this section, we introduce the notation and describe the HOTP
|
|||
|
algorithm basic blocks -- the base function to compute an HMAC-SHA-1
|
|||
|
value and the truncation method to extract an HOTP value.
|
|||
|
|
|||
|
5.1. Notation and Symbols
|
|||
|
|
|||
|
A string always means a binary string, meaning a sequence of zeros
|
|||
|
and ones.
|
|||
|
|
|||
|
If s is a string, then |s| denotes its length.
|
|||
|
|
|||
|
If n is a number, then |n| denotes its absolute value.
|
|||
|
|
|||
|
If s is a string, then s[i] denotes its i-th bit. We start numbering
|
|||
|
the bits at 0, so s = s[0]s[1]...s[n-1] where n = |s| is the length
|
|||
|
of s.
|
|||
|
|
|||
|
Let StToNum (String to Number) denote the function that as input a
|
|||
|
string s returns the number whose binary representation is s. (For
|
|||
|
example, StToNum(110) = 6.)
|
|||
|
|
|||
|
Here is a list of symbols used in this document.
|
|||
|
|
|||
|
Symbol Represents
|
|||
|
-------------------------------------------------------------------
|
|||
|
C 8-byte counter value, the moving factor. This counter
|
|||
|
MUST be synchronized between the HOTP generator (client)
|
|||
|
and the HOTP validator (server).
|
|||
|
|
|||
|
K shared secret between client and server; each HOTP
|
|||
|
generator has a different and unique secret K.
|
|||
|
|
|||
|
T throttling parameter: the server will refuse connections
|
|||
|
from a user after T unsuccessful authentication attempts.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 5]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
|
|||
|
s resynchronization parameter: the server will attempt to
|
|||
|
verify a received authenticator across s consecutive
|
|||
|
counter values.
|
|||
|
|
|||
|
Digit number of digits in an HOTP value; system parameter.
|
|||
|
|
|||
|
5.2. Description
|
|||
|
|
|||
|
The HOTP algorithm is based on an increasing counter value and a
|
|||
|
static symmetric key known only to the token and the validation
|
|||
|
service. In order to create the HOTP value, we will use the HMAC-
|
|||
|
SHA-1 algorithm, as defined in RFC 2104 [BCK2].
|
|||
|
|
|||
|
As the output of the HMAC-SHA-1 calculation is 160 bits, we must
|
|||
|
truncate this value to something that can be easily entered by a
|
|||
|
user.
|
|||
|
|
|||
|
HOTP(K,C) = Truncate(HMAC-SHA-1(K,C))
|
|||
|
|
|||
|
Where:
|
|||
|
|
|||
|
- Truncate represents the function that converts an HMAC-SHA-1
|
|||
|
value into an HOTP value as defined in Section 5.3.
|
|||
|
|
|||
|
The Key (K), the Counter (C), and Data values are hashed high-order
|
|||
|
byte first.
|
|||
|
|
|||
|
The HOTP values generated by the HOTP generator are treated as big
|
|||
|
endian.
|
|||
|
|
|||
|
5.3. Generating an HOTP Value
|
|||
|
|
|||
|
We can describe the operations in 3 distinct steps:
|
|||
|
|
|||
|
Step 1: Generate an HMAC-SHA-1 value Let HS = HMAC-SHA-1(K,C) // HS
|
|||
|
is a 20-byte string
|
|||
|
|
|||
|
Step 2: Generate a 4-byte string (Dynamic Truncation)
|
|||
|
Let Sbits = DT(HS) // DT, defined below,
|
|||
|
// returns a 31-bit string
|
|||
|
|
|||
|
Step 3: Compute an HOTP value
|
|||
|
Let Snum = StToNum(Sbits) // Convert S to a number in
|
|||
|
0...2^{31}-1
|
|||
|
Return D = Snum mod 10^Digit // D is a number in the range
|
|||
|
0...10^{Digit}-1
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 6]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
The Truncate function performs Step 2 and Step 3, i.e., the dynamic
|
|||
|
truncation and then the reduction modulo 10^Digit. The purpose of
|
|||
|
the dynamic offset truncation technique is to extract a 4-byte
|
|||
|
dynamic binary code from a 160-bit (20-byte) HMAC-SHA-1 result.
|
|||
|
|
|||
|
DT(String) // String = String[0]...String[19]
|
|||
|
Let OffsetBits be the low-order 4 bits of String[19]
|
|||
|
Offset = StToNum(OffsetBits) // 0 <= OffSet <= 15
|
|||
|
Let P = String[OffSet]...String[OffSet+3]
|
|||
|
Return the Last 31 bits of P
|
|||
|
|
|||
|
The reason for masking the most significant bit of P is to avoid
|
|||
|
confusion about signed vs. unsigned modulo computations. Different
|
|||
|
processors perform these operations differently, and masking out the
|
|||
|
signed bit removes all ambiguity.
|
|||
|
|
|||
|
Implementations MUST extract a 6-digit code at a minimum and possibly
|
|||
|
7 and 8-digit code. Depending on security requirements, Digit = 7 or
|
|||
|
more SHOULD be considered in order to extract a longer HOTP value.
|
|||
|
|
|||
|
The following paragraph is an example of using this technique for
|
|||
|
Digit = 6, i.e., that a 6-digit HOTP value is calculated from the
|
|||
|
HMAC value.
|
|||
|
|
|||
|
5.4. Example of HOTP Computation for Digit = 6
|
|||
|
|
|||
|
The following code example describes the extraction of a dynamic
|
|||
|
binary code given that hmac_result is a byte array with the HMAC-
|
|||
|
SHA-1 result:
|
|||
|
|
|||
|
int offset = hmac_result[19] & 0xf ;
|
|||
|
int bin_code = (hmac_result[offset] & 0x7f) << 24
|
|||
|
| (hmac_result[offset+1] & 0xff) << 16
|
|||
|
| (hmac_result[offset+2] & 0xff) << 8
|
|||
|
| (hmac_result[offset+3] & 0xff) ;
|
|||
|
|
|||
|
SHA-1 HMAC Bytes (Example)
|
|||
|
|
|||
|
-------------------------------------------------------------
|
|||
|
| Byte Number |
|
|||
|
-------------------------------------------------------------
|
|||
|
|00|01|02|03|04|05|06|07|08|09|10|11|12|13|14|15|16|17|18|19|
|
|||
|
-------------------------------------------------------------
|
|||
|
| Byte Value |
|
|||
|
-------------------------------------------------------------
|
|||
|
|1f|86|98|69|0e|02|ca|16|61|85|50|ef|7f|19|da|8e|94|5b|55|5a|
|
|||
|
-------------------------------***********----------------++|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 7]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
* The last byte (byte 19) has the hex value 0x5a.
|
|||
|
* The value of the lower 4 bits is 0xa (the offset value).
|
|||
|
* The offset value is byte 10 (0xa).
|
|||
|
* The value of the 4 bytes starting at byte 10 is 0x50ef7f19,
|
|||
|
which is the dynamic binary code DBC1.
|
|||
|
* The MSB of DBC1 is 0x50 so DBC2 = DBC1 = 0x50ef7f19 .
|
|||
|
* HOTP = DBC2 modulo 10^6 = 872921.
|
|||
|
|
|||
|
We treat the dynamic binary code as a 31-bit, unsigned, big-endian
|
|||
|
integer; the first byte is masked with a 0x7f.
|
|||
|
|
|||
|
We then take this number modulo 1,000,000 (10^6) to generate the 6-
|
|||
|
digit HOTP value 872921 decimal.
|
|||
|
|
|||
|
6. Security Considerations
|
|||
|
|
|||
|
The conclusion of the security analysis detailed in the Appendix is
|
|||
|
that, for all practical purposes, the outputs of the Dynamic
|
|||
|
Truncation (DT) on distinct counter inputs are uniformly and
|
|||
|
independently distributed 31-bit strings.
|
|||
|
|
|||
|
The security analysis then details the impact of the conversion from
|
|||
|
a string to an integer and the final reduction modulo 10^Digit, where
|
|||
|
Digit is the number of digits in an HOTP value.
|
|||
|
|
|||
|
The analysis demonstrates that these final steps introduce a
|
|||
|
negligible bias, which does not impact the security of the HOTP
|
|||
|
algorithm, in the sense that the best possible attack against the
|
|||
|
HOTP function is the brute force attack.
|
|||
|
|
|||
|
Assuming an adversary is able to observe numerous protocol exchanges
|
|||
|
and collect sequences of successful authentication values. This
|
|||
|
adversary, trying to build a function F to generate HOTP values based
|
|||
|
on his observations, will not have a significant advantage over a
|
|||
|
random guess.
|
|||
|
|
|||
|
The logical conclusion is simply that the best strategy will once
|
|||
|
again be to perform a brute force attack to enumerate and try all the
|
|||
|
possible values.
|
|||
|
|
|||
|
Considering the security analysis in the Appendix of this document,
|
|||
|
without loss of generality, we can approximate closely the security
|
|||
|
of the HOTP algorithm by the following formula:
|
|||
|
|
|||
|
Sec = sv/10^Digit
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 8]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Where:
|
|||
|
- Sec is the probability of success of the adversary;
|
|||
|
- s is the look-ahead synchronization window size;
|
|||
|
- v is the number of verification attempts;
|
|||
|
- Digit is the number of digits in HOTP values.
|
|||
|
|
|||
|
Obviously, we can play with s, T (the Throttling parameter that would
|
|||
|
limit the number of attempts by an attacker), and Digit until
|
|||
|
achieving a certain level of security, still preserving the system
|
|||
|
usability.
|
|||
|
|
|||
|
7. Security Requirements
|
|||
|
|
|||
|
Any One-Time Password algorithm is only as secure as the application
|
|||
|
and the authentication protocols that implement it. Therefore, this
|
|||
|
section discusses the critical security requirements that our choice
|
|||
|
of algorithm imposes on the authentication protocol and validation
|
|||
|
software.
|
|||
|
|
|||
|
The parameters T and s discussed in this section have a significant
|
|||
|
impact on the security -- further details in Section 6 elaborate on
|
|||
|
the relations between these parameters and their impact on the system
|
|||
|
security.
|
|||
|
|
|||
|
It is also important to remark that the HOTP algorithm is not a
|
|||
|
substitute for encryption and does not provide for the privacy of
|
|||
|
data transmission. Other mechanisms should be used to defeat attacks
|
|||
|
aimed at breaking confidentiality and privacy of transactions.
|
|||
|
|
|||
|
7.1. Authentication Protocol Requirements
|
|||
|
|
|||
|
We introduce in this section some requirements for a protocol P
|
|||
|
implementing HOTP as the authentication method between a prover and a
|
|||
|
verifier.
|
|||
|
|
|||
|
RP1 - P MUST support two-factor authentication, i.e., the
|
|||
|
communication and verification of something you know (secret code
|
|||
|
such as a Password, Pass phrase, PIN code, etc.) and something you
|
|||
|
have (token). The secret code is known only to the user and usually
|
|||
|
entered with the One-Time Password value for authentication purpose
|
|||
|
(two-factor authentication).
|
|||
|
|
|||
|
RP2 - P SHOULD NOT be vulnerable to brute force attacks. This
|
|||
|
implies that a throttling/lockout scheme is RECOMMENDED on the
|
|||
|
validation server side.
|
|||
|
|
|||
|
RP3 - P SHOULD be implemented over a secure channel in order to
|
|||
|
protect users' privacy and avoid replay attacks.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 9]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
7.2. Validation of HOTP Values
|
|||
|
|
|||
|
The HOTP client (hardware or software token) increments its counter
|
|||
|
and then calculates the next HOTP value HOTP client. If the value
|
|||
|
received by the authentication server matches the value calculated by
|
|||
|
the client, then the HOTP value is validated. In this case, the
|
|||
|
server increments the counter value by one.
|
|||
|
|
|||
|
If the value received by the server does not match the value
|
|||
|
calculated by the client, the server initiate the resynch protocol
|
|||
|
(look-ahead window) before it requests another pass.
|
|||
|
|
|||
|
If the resynch fails, the server asks then for another
|
|||
|
authentication pass of the protocol to take place, until the
|
|||
|
maximum number of authorized attempts is reached.
|
|||
|
|
|||
|
If and when the maximum number of authorized attempts is reached, the
|
|||
|
server SHOULD lock out the account and initiate a procedure to inform
|
|||
|
the user.
|
|||
|
|
|||
|
7.3. Throttling at the Server
|
|||
|
|
|||
|
Truncating the HMAC-SHA-1 value to a shorter value makes a brute
|
|||
|
force attack possible. Therefore, the authentication server needs to
|
|||
|
detect and stop brute force attacks.
|
|||
|
|
|||
|
We RECOMMEND setting a throttling parameter T, which defines the
|
|||
|
maximum number of possible attempts for One-Time Password validation.
|
|||
|
The validation server manages individual counters per HOTP device in
|
|||
|
order to take note of any failed attempt. We RECOMMEND T not to be
|
|||
|
too large, particularly if the resynchronization method used on the
|
|||
|
server is window-based, and the window size is large. T SHOULD be
|
|||
|
set as low as possible, while still ensuring that usability is not
|
|||
|
significantly impacted.
|
|||
|
|
|||
|
Another option would be to implement a delay scheme to avoid a brute
|
|||
|
force attack. After each failed attempt A, the authentication server
|
|||
|
would wait for an increased T*A number of seconds, e.g., say T = 5,
|
|||
|
then after 1 attempt, the server waits for 5 seconds, at the second
|
|||
|
failed attempt, it waits for 5*2 = 10 seconds, etc.
|
|||
|
|
|||
|
The delay or lockout schemes MUST be across login sessions to prevent
|
|||
|
attacks based on multiple parallel guessing techniques.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 10]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
7.4. Resynchronization of the Counter
|
|||
|
|
|||
|
Although the server's counter value is only incremented after a
|
|||
|
successful HOTP authentication, the counter on the token is
|
|||
|
incremented every time a new HOTP is requested by the user. Because
|
|||
|
of this, the counter values on the server and on the token might be
|
|||
|
out of synchronization.
|
|||
|
|
|||
|
We RECOMMEND setting a look-ahead parameter s on the server, which
|
|||
|
defines the size of the look-ahead window. In a nutshell, the server
|
|||
|
can recalculate the next s HOTP-server values, and check them against
|
|||
|
the received HOTP client.
|
|||
|
|
|||
|
Synchronization of counters in this scenario simply requires the
|
|||
|
server to calculate the next HOTP values and determine if there is a
|
|||
|
match. Optionally, the system MAY require the user to send a
|
|||
|
sequence of (say, 2, 3) HOTP values for resynchronization purpose,
|
|||
|
since forging a sequence of consecutive HOTP values is even more
|
|||
|
difficult than guessing a single HOTP value.
|
|||
|
|
|||
|
The upper bound set by the parameter s ensures the server does not go
|
|||
|
on checking HOTP values forever (causing a denial-of-service attack)
|
|||
|
and also restricts the space of possible solutions for an attacker
|
|||
|
trying to manufacture HOTP values. s SHOULD be set as low as
|
|||
|
possible, while still ensuring that usability is not impacted.
|
|||
|
|
|||
|
7.5. Management of Shared Secrets
|
|||
|
|
|||
|
The operations dealing with the shared secrets used to generate and
|
|||
|
verify OTP values must be performed securely, in order to mitigate
|
|||
|
risks of any leakage of sensitive information. We describe in this
|
|||
|
section different modes of operations and techniques to perform these
|
|||
|
different operations with respect to the state of the art in data
|
|||
|
security.
|
|||
|
|
|||
|
We can consider two different avenues for generating and storing
|
|||
|
(securely) shared secrets in the Validation system:
|
|||
|
|
|||
|
* Deterministic Generation: secrets are derived from a master
|
|||
|
seed, both at provisioning and verification stages and generated
|
|||
|
on-the-fly whenever it is required.
|
|||
|
* Random Generation: secrets are generated randomly at
|
|||
|
provisioning stage and must be stored immediately and kept
|
|||
|
secure during their life cycle.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 11]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Deterministic Generation
|
|||
|
------------------------
|
|||
|
|
|||
|
A possible strategy is to derive the shared secrets from a master
|
|||
|
secret. The master secret will be stored at the server only. A
|
|||
|
tamper-resistant device MUST be used to store the master key and
|
|||
|
derive the shared secrets from the master key and some public
|
|||
|
information. The main benefit would be to avoid the exposure of the
|
|||
|
shared secrets at any time and also avoid specific requirements on
|
|||
|
storage, since the shared secrets could be generated on-demand when
|
|||
|
needed at provisioning and validation time.
|
|||
|
|
|||
|
We distinguish two different cases:
|
|||
|
|
|||
|
- A single master key MK is used to derive the shared secrets;
|
|||
|
each HOTP device has a different secret, K_i = SHA-1 (MK,i)
|
|||
|
where i stands for a public piece of information that identifies
|
|||
|
uniquely the HOTP device such as a serial number, a token ID,
|
|||
|
etc. Obviously, this is in the context of an application or
|
|||
|
service -- different application or service providers will have
|
|||
|
different secrets and settings.
|
|||
|
- Several master keys MK_i are used and each HOTP device stores a
|
|||
|
set of different derived secrets, {K_i,j = SHA-1(MK_i,j)} where
|
|||
|
j stands for a public piece of information identifying the
|
|||
|
device. The idea would be to store ONLY the active master key
|
|||
|
at the validation server, in the Hardware Security Module (HSM),
|
|||
|
and keep in a safe place, using secret sharing methods such as
|
|||
|
[Shamir] for instance. In this case, if a master secret MK_i is
|
|||
|
compromised, then it is possible to switch to another secret
|
|||
|
without replacing all the devices.
|
|||
|
|
|||
|
The drawback in the deterministic case is that the exposure of the
|
|||
|
master secret would obviously enable an attacker to rebuild any
|
|||
|
shared secret based on correct public information. The revocation of
|
|||
|
all secrets would be required, or switching to a new set of secrets
|
|||
|
in the case of multiple master keys.
|
|||
|
|
|||
|
On the other hand, the device used to store the master key(s) and
|
|||
|
generate the shared secrets MUST be tamper resistant. Furthermore,
|
|||
|
the HSM will not be exposed outside the security perimeter of the
|
|||
|
validation system, therefore reducing the risk of leakage.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 12]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Random Generation
|
|||
|
-----------------
|
|||
|
|
|||
|
The shared secrets are randomly generated. We RECOMMEND following
|
|||
|
the recommendations in [RFC4086] and selecting a good and secure
|
|||
|
random source for generating these secrets. A (true) random
|
|||
|
generator requires a naturally occurring source of randomness.
|
|||
|
Practically, there are two possible avenues to consider for the
|
|||
|
generation of the shared secrets:
|
|||
|
|
|||
|
* Hardware-based generators: they exploit the randomness that
|
|||
|
occurs in physical phenomena. A nice implementation can be based on
|
|||
|
oscillators and built in such ways that active attacks are more
|
|||
|
difficult to perform.
|
|||
|
|
|||
|
* Software-based generators: designing a good software random
|
|||
|
generator is not an easy task. A simple, but efficient,
|
|||
|
implementation should be based on various sources and apply to the
|
|||
|
sampled sequence a one-way function such as SHA-1.
|
|||
|
|
|||
|
We RECOMMEND selecting proven products, being hardware or software
|
|||
|
generators, for the computation of shared secrets.
|
|||
|
|
|||
|
We also RECOMMEND storing the shared secrets securely, and more
|
|||
|
specifically encrypting the shared secrets when stored using tamper-
|
|||
|
resistant hardware encryption and exposing them only when required:
|
|||
|
for example, the shared secret is decrypted when needed to verify an
|
|||
|
HOTP value, and re-encrypted immediately to limit exposure in the RAM
|
|||
|
for a short period of time. The data store holding the shared
|
|||
|
secrets MUST be in a secure area, to avoid as much as possible direct
|
|||
|
attack on the validation system and secrets database.
|
|||
|
|
|||
|
Particularly, access to the shared secrets should be limited to
|
|||
|
programs and processes required by the validation system only. We
|
|||
|
will not elaborate on the different security mechanisms to put in
|
|||
|
place, but obviously, the protection of shared secrets is of the
|
|||
|
uttermost importance.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 13]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
8. Composite Shared Secrets
|
|||
|
|
|||
|
It may be desirable to include additional authentication factors in
|
|||
|
the shared secret K. These additional factors can consist of any
|
|||
|
data known at the token but not easily obtained by others. Examples
|
|||
|
of such data include:
|
|||
|
|
|||
|
* PIN or Password obtained as user input at the token
|
|||
|
* Phone number
|
|||
|
* Any unique identifier programmatically available at the token
|
|||
|
|
|||
|
In this scenario, the composite shared secret K is constructed during
|
|||
|
the provisioning process from a random seed value combined with one
|
|||
|
or more additional authentication factors. The server could either
|
|||
|
build on-demand or store composite secrets -- in any case, depending
|
|||
|
on implementation choice, the token only stores the seed value. When
|
|||
|
the token performs the HOTP calculation, it computes K from the seed
|
|||
|
value and the locally derived or input values of the other
|
|||
|
authentication factors.
|
|||
|
|
|||
|
The use of composite shared secrets can strengthen HOTP-based
|
|||
|
authentication systems through the inclusion of additional
|
|||
|
authentication factors at the token. To the extent that the token is
|
|||
|
a trusted device, this approach has the further benefit of not
|
|||
|
requiring exposure of the authentication factors (such as the user
|
|||
|
input PIN) to other devices.
|
|||
|
|
|||
|
9. Bi-Directional Authentication
|
|||
|
|
|||
|
Interestingly enough, the HOTP client could also be used to
|
|||
|
authenticate the validation server, claiming that it is a genuine
|
|||
|
entity knowing the shared secret.
|
|||
|
|
|||
|
Since the HOTP client and the server are synchronized and share the
|
|||
|
same secret (or a method to recompute it), a simple 3-pass protocol
|
|||
|
could be put in place:
|
|||
|
1- The end user enter the TokenID and a first OTP value OTP1;
|
|||
|
2- The server checks OTP1 and if correct, sends back OTP2;
|
|||
|
3- The end user checks OTP2 using his HOTP device and if correct,
|
|||
|
uses the web site.
|
|||
|
|
|||
|
Obviously, as indicated previously, all the OTP communications have
|
|||
|
to take place over a secure channel, e.g., SSL/TLS, IPsec
|
|||
|
connections.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 14]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
10. Conclusion
|
|||
|
|
|||
|
This document describes HOTP, a HMAC-based One-Time Password
|
|||
|
algorithm. It also recommends the preferred implementation and
|
|||
|
related modes of operations for deploying the algorithm.
|
|||
|
|
|||
|
The document also exhibits elements of security and demonstrates that
|
|||
|
the HOTP algorithm is practical and sound, the best possible attack
|
|||
|
being a brute force attack that can be prevented by careful
|
|||
|
implementation of countermeasures in the validation server.
|
|||
|
|
|||
|
Eventually, several enhancements have been proposed, in order to
|
|||
|
improve security if needed for specific applications.
|
|||
|
|
|||
|
11. Acknowledgements
|
|||
|
|
|||
|
The authors would like to thank Siddharth Bajaj, Alex Deacon, Loren
|
|||
|
Hart, and Nico Popp for their help during the conception and
|
|||
|
redaction of this document.
|
|||
|
|
|||
|
12. Contributors
|
|||
|
|
|||
|
The authors of this document would like to emphasize the role of
|
|||
|
three persons who have made a key contribution to this document:
|
|||
|
|
|||
|
- Laszlo Elteto is system architect with SafeNet, Inc.
|
|||
|
|
|||
|
- Ernesto Frutos is director of Engineering with Authenex, Inc.
|
|||
|
|
|||
|
- Fred McClain is Founder and CTO with Boojum Mobile, Inc.
|
|||
|
|
|||
|
Without their advice and valuable inputs, this document would not be
|
|||
|
the same.
|
|||
|
|
|||
|
13. References
|
|||
|
|
|||
|
13.1. Normative References
|
|||
|
|
|||
|
[BCK1] M. Bellare, R. Canetti and H. Krawczyk, "Keyed Hash
|
|||
|
Functions and Message Authentication", Proceedings of
|
|||
|
Crypto'96, LNCS Vol. 1109, pp. 1-15.
|
|||
|
|
|||
|
[BCK2] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
|
|||
|
Hashing for Message Authentication", RFC 2104, February
|
|||
|
1997.
|
|||
|
|
|||
|
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
|||
|
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 15]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
[RFC3979] Bradner, S., "Intellectual Property Rights in IETF
|
|||
|
Technology", BCP 79, RFC 3979, March 2005.
|
|||
|
|
|||
|
[RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker,
|
|||
|
"Randomness Requirements for Security", BCP 106, RFC 4086,
|
|||
|
June 2005.
|
|||
|
|
|||
|
13.2. Informative References
|
|||
|
|
|||
|
[OATH] Initiative for Open AuTHentication
|
|||
|
http://www.openauthentication.org
|
|||
|
|
|||
|
[PrOo] B. Preneel and P. van Oorschot, "MD-x MAC and building
|
|||
|
fast MACs from hash functions", Advances in Cryptology
|
|||
|
CRYPTO '95, Lecture Notes in Computer Science Vol. 963, D.
|
|||
|
Coppersmith ed., Springer-Verlag, 1995.
|
|||
|
|
|||
|
[Crack] Crack in SHA-1 code 'stuns' security gurus
|
|||
|
http://www.eetimes.com/showArticle.jhtml?
|
|||
|
articleID=60402150
|
|||
|
|
|||
|
[Sha1] Bruce Schneier. SHA-1 broken. February 15, 2005.
|
|||
|
http://www.schneier.com/blog/archives/2005/02/
|
|||
|
sha1_broken.html
|
|||
|
|
|||
|
[Res] Researchers: Digital encryption standard flawed
|
|||
|
http://news.com.com/
|
|||
|
Researchers+Digital+encryption+standard+flawed/
|
|||
|
2100-1002-5579881.html?part=dht&tag=ntop&tag=nl.e703
|
|||
|
|
|||
|
[Shamir] How to Share a Secret, by Adi Shamir. In Communications
|
|||
|
of the ACM, Vol. 22, No. 11, pp. 612-613, November, 1979.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 16]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Appendix A - HOTP Algorithm Security: Detailed Analysis
|
|||
|
|
|||
|
The security analysis of the HOTP algorithm is summarized in this
|
|||
|
section. We first detail the best attack strategies, and then
|
|||
|
elaborate on the security under various assumptions and the impact of
|
|||
|
the truncation and make some recommendations regarding the number of
|
|||
|
digits.
|
|||
|
|
|||
|
We focus this analysis on the case where Digit = 6, i.e., an HOTP
|
|||
|
function that produces 6-digit values, which is the bare minimum
|
|||
|
recommended in this document.
|
|||
|
|
|||
|
A.1. Definitions and Notations
|
|||
|
|
|||
|
We denote by {0,1}^l the set of all strings of length l.
|
|||
|
|
|||
|
Let Z_{n} = {0,.., n - 1}.
|
|||
|
|
|||
|
Let IntDiv(a,b) denote the integer division algorithm that takes
|
|||
|
input integers a, b where a >= b >= 1 and returns integers (q,r)
|
|||
|
|
|||
|
the quotient and remainder, respectively, of the division of a by b.
|
|||
|
(Thus, a = bq + r and 0 <= r < b.)
|
|||
|
|
|||
|
Let H: {0,1}^k x {0,1}^c --> {0,1}^n be the base function that takes
|
|||
|
a k-bit key K and c-bit counter C and returns an n-bit output H(K,C).
|
|||
|
(In the case of HOTP, H is HMAC-SHA-1; we use this formal definition
|
|||
|
for generalizing our proof of security.)
|
|||
|
|
|||
|
A.2. The Idealized Algorithm: HOTP-IDEAL
|
|||
|
|
|||
|
We now define an idealized counterpart of the HOTP algorithm. In
|
|||
|
this algorithm, the role of H is played by a random function that
|
|||
|
forms the key.
|
|||
|
|
|||
|
To be more precise, let Maps(c,n) denote the set of all functions
|
|||
|
mapping from {0,1}^c to {0,1}^n. The idealized algorithm has key
|
|||
|
space Maps(c,n), so that a "key" for such an algorithm is a function
|
|||
|
h from {0,1}^c to {0,1}^n. We imagine this key (function) to be
|
|||
|
drawn at random. It is not feasible to implement this idealized
|
|||
|
algorithm, since the key, being a function from {0,1}^c to {0,1}^n,
|
|||
|
is way too large to even store. So why consider it?
|
|||
|
|
|||
|
Our security analysis will show that as long as H satisfies a certain
|
|||
|
well-accepted assumption, the security of the actual and idealized
|
|||
|
algorithms is for all practical purposes the same. The task that
|
|||
|
really faces us, then, is to assess the security of the idealized
|
|||
|
algorithm.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 17]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
In analyzing the idealized algorithm, we are concentrating on
|
|||
|
assessing the quality of the design of the algorithm itself,
|
|||
|
independently of HMAC-SHA-1. This is in fact the important issue.
|
|||
|
|
|||
|
A.3. Model of Security
|
|||
|
|
|||
|
The model exhibits the type of threats or attacks that are being
|
|||
|
considered and enables one to assess the security of HOTP and HOTP-
|
|||
|
IDEAL. We denote ALG as either HOTP or HOTP-IDEAL for the purpose of
|
|||
|
this security analysis.
|
|||
|
|
|||
|
The scenario we are considering is that a user and server share a key
|
|||
|
K for ALG. Both maintain a counter C, initially zero, and the user
|
|||
|
authenticates itself by sending ALG(K,C) to the server. The latter
|
|||
|
accepts if this value is correct.
|
|||
|
|
|||
|
In order to protect against accidental increment of the user counter,
|
|||
|
the server, upon receiving a value z, will accept as long as z equals
|
|||
|
ALG(K,i) for some i in the range C,...,C + s-1, where s is the
|
|||
|
resynchronization parameter and C is the server counter. If it
|
|||
|
accepts with some value of i, it then increments its counter to i+1.
|
|||
|
If it does not accept, it does not change its counter value.
|
|||
|
|
|||
|
The model we specify captures what an adversary can do and what it
|
|||
|
needs to achieve in order to "win". First, the adversary is assumed
|
|||
|
to be able to eavesdrop, meaning, to see the authenticator
|
|||
|
transmitted by the user. Second, the adversary wins if it can get
|
|||
|
the server to accept an authenticator relative to a counter value for
|
|||
|
which the user has never transmitted an authenticator.
|
|||
|
|
|||
|
The formal adversary, which we denote by B, starts out knowing which
|
|||
|
algorithm ALG is being used, knowing the system design, and knowing
|
|||
|
all system parameters. The one and only thing it is not given a
|
|||
|
priori is the key K shared between the user and the server.
|
|||
|
|
|||
|
The model gives B full control of the scheduling of events. It has
|
|||
|
access to an authenticator oracle representing the user. By calling
|
|||
|
this oracle, the adversary can ask the user to authenticate itself
|
|||
|
and get back the authenticator in return. It can call this oracle as
|
|||
|
often as it wants and when it wants, using the authenticators it
|
|||
|
accumulates to perhaps "learn" how to make authenticators itself. At
|
|||
|
any time, it may also call a verification oracle, supplying the
|
|||
|
latter with a candidate authenticator of its choice. It wins if the
|
|||
|
server accepts this accumulator.
|
|||
|
|
|||
|
Consider the following game involving an adversary B that is
|
|||
|
attempting to compromise the security of an authentication algorithm
|
|||
|
ALG: K x {0,1}^c --> R.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 18]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Initializations - A key K is selected at random from K, a counter C
|
|||
|
is initialized to 0, and the Boolean value win is set to false.
|
|||
|
|
|||
|
Game execution - Adversary B is provided with the two following
|
|||
|
oracles:
|
|||
|
|
|||
|
Oracle AuthO()
|
|||
|
--------------
|
|||
|
A = ALG(K,C)
|
|||
|
C = C + 1
|
|||
|
Return O to B
|
|||
|
|
|||
|
Oracle VerO(A)
|
|||
|
--------------
|
|||
|
i = C
|
|||
|
While (i <= C + s - 1 and Win == FALSE) do
|
|||
|
If A == ALG(K,i) then Win = TRUE; C = i + 1
|
|||
|
Else i = i + 1
|
|||
|
Return Win to B
|
|||
|
|
|||
|
AuthO() is the authenticator oracle and VerO(A) is the verification
|
|||
|
oracle.
|
|||
|
|
|||
|
Upon execution, B queries the two oracles at will. Let Adv(B) be the
|
|||
|
probability that win gets set to true in the above game. This is the
|
|||
|
probability that the adversary successfully impersonates the user.
|
|||
|
|
|||
|
Our goal is to assess how large this value can be as a function of
|
|||
|
the number v of verification queries made by B, the number a of
|
|||
|
authenticator oracle queries made by B, and the running time t of B.
|
|||
|
This will tell us how to set the throttle, which effectively upper
|
|||
|
bounds v.
|
|||
|
|
|||
|
A.4. Security of the Ideal Authentication Algorithm
|
|||
|
|
|||
|
This section summarizes the security analysis of HOTP-IDEAL, starting
|
|||
|
with the impact of the conversion modulo 10^Digit and then focusing
|
|||
|
on the different possible attacks.
|
|||
|
|
|||
|
A.4.1. From Bits to Digits
|
|||
|
|
|||
|
The dynamic offset truncation of a random n-bit string yields a
|
|||
|
random 31-bit string. What happens to the distribution when it is
|
|||
|
taken modulo m = 10^Digit, as done in HOTP?
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 19]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
The following lemma estimates the biases in the outputs in this case.
|
|||
|
|
|||
|
Lemma 1
|
|||
|
-------
|
|||
|
Let N >= m >= 1 be integers, and let (q,r) = IntDiv(N,m). For z in
|
|||
|
Z_{m} let:
|
|||
|
|
|||
|
P_{N,m}(z) = Pr [x mod m = z : x randomly pick in Z_{n}]
|
|||
|
|
|||
|
Then for any z in Z_{m}
|
|||
|
|
|||
|
P_{N,m}(z) = (q + 1) / N if 0 <= z < r
|
|||
|
q / N if r <= z < m
|
|||
|
|
|||
|
Proof of Lemma 1
|
|||
|
----------------
|
|||
|
Let the random variable X be uniformly distributed over Z_{N}. Then:
|
|||
|
|
|||
|
P_{N,m}(z) = Pr [X mod m = z]
|
|||
|
|
|||
|
= Pr [X < mq] * Pr [X mod m = z| X < mq]
|
|||
|
+ Pr [mq <= X < N] * Pr [X mod m = z| mq <= X < N]
|
|||
|
|
|||
|
= mq/N * 1/m +
|
|||
|
(N - mq)/N * 1 / (N - mq) if 0 <= z < N - mq
|
|||
|
0 if N - mq <= z <= m
|
|||
|
|
|||
|
= q/N +
|
|||
|
r/N * 1 / r if 0 <= z < N - mq
|
|||
|
0 if r <= z <= m
|
|||
|
|
|||
|
Simplifying yields the claimed equation.
|
|||
|
|
|||
|
Let N = 2^31, d = 6, and m = 10^d. If x is chosen at random from
|
|||
|
Z_{N} (meaning, is a random 31-bit string), then reducing it to a 6-
|
|||
|
digit number by taking x mod m does not yield a random 6-digit
|
|||
|
number.
|
|||
|
|
|||
|
Rather, x mod m is distributed as shown in the following table:
|
|||
|
|
|||
|
Values Probability that each appears as output
|
|||
|
----------------------------------------------------------------
|
|||
|
0,1,...,483647 2148/2^31 roughly equals to 1.00024045/10^6
|
|||
|
483648,...,999999 2147/2^31 roughly equals to 0.99977478/10^6
|
|||
|
|
|||
|
If X is uniformly distributed over Z_{2^31} (meaning, is a random
|
|||
|
31-bit string), then the above shows the probabilities for different
|
|||
|
outputs of X mod 10^6. The first set of values appears with
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 20]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
probability slightly greater than 10^-6, the rest with probability
|
|||
|
slightly less, meaning that the distribution is slightly non-uniform.
|
|||
|
|
|||
|
However, as the table above indicates, the bias is small, and as we
|
|||
|
will see later, negligible: the probabilities are very close to
|
|||
|
10^-6.
|
|||
|
|
|||
|
A.4.2. Brute Force Attacks
|
|||
|
|
|||
|
If the authenticator consisted of d random digits, then a brute force
|
|||
|
attack using v verification attempts would succeed with probability
|
|||
|
sv/10^Digit.
|
|||
|
|
|||
|
However, an adversary can exploit the bias in the outputs of
|
|||
|
HOTP-IDEAL, predicted by Lemma 1, to mount a slightly better attack.
|
|||
|
|
|||
|
Namely, it makes authentication attempts with authenticators that are
|
|||
|
the most likely values, meaning the ones in the range 0,...,r - 1,
|
|||
|
where (q,r) = IntDiv(2^31,10^Digit).
|
|||
|
|
|||
|
The following specifies an adversary in our model of security that
|
|||
|
mounts the attack. It estimates the success probability as a
|
|||
|
function of the number of verification queries.
|
|||
|
|
|||
|
For simplicity, we assume that the number of verification queries is
|
|||
|
at most r. With N = 2^31 and m = 10^6, we have r = 483,648, and the
|
|||
|
throttle value is certainly less than this, so this assumption is not
|
|||
|
much of a restriction.
|
|||
|
|
|||
|
Proposition 1
|
|||
|
-------------
|
|||
|
|
|||
|
Suppose m = 10^Digit < 2^31, and let (q,r) = IntDiv(2^31,m). Assume
|
|||
|
s <= m. The brute-force-attack adversary B-bf attacks HOTP using v
|
|||
|
<= r verification oracle queries. This adversary makes no
|
|||
|
authenticator oracle queries, and succeeds with probability
|
|||
|
|
|||
|
Adv(B-bf) = 1 - (1 - v(q+1)/2^31)^s
|
|||
|
|
|||
|
which is roughly equal to
|
|||
|
|
|||
|
sv * (q+1)/2^31
|
|||
|
|
|||
|
With m = 10^6 we get q = 2,147. In that case, the brute force attack
|
|||
|
using v verification attempts succeeds with probability
|
|||
|
|
|||
|
Adv(B-bf) roughly = sv * 2148/2^31 = sv * 1.00024045/10^6
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 21]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
As this equation shows, the resynchronization parameter s has a
|
|||
|
significant impact in that the adversary's success probability is
|
|||
|
proportional to s. This means that s cannot be made too large
|
|||
|
without compromising security.
|
|||
|
|
|||
|
A.4.3. Brute force attacks are the best possible attacks.
|
|||
|
|
|||
|
A central question is whether there are attacks any better than the
|
|||
|
brute force one. In particular, the brute force attack did not
|
|||
|
attempt to collect authenticators sent by the user and try to
|
|||
|
cryptanalyze them in an attempt to learn how to better construct
|
|||
|
authenticators. Would doing this help? Is there some way to "learn"
|
|||
|
how to build authenticators that result in a higher success rate than
|
|||
|
given by the brute-force attack?
|
|||
|
|
|||
|
The following says the answer to these questions is no. No matter
|
|||
|
what strategy the adversary uses, and even if it sees, and tries to
|
|||
|
exploit, the authenticators from authentication attempts of the user,
|
|||
|
its success probability will not be above that of the brute force
|
|||
|
attack -- this is true as long as the number of authentications it
|
|||
|
observes is not incredibly large. This is valuable information
|
|||
|
regarding the security of the scheme.
|
|||
|
|
|||
|
Proposition 2 ------------- Suppose m = 10^Digit < 2^31, and let
|
|||
|
(q,r) = IntDiv(2^31,m). Let B be any adversary attacking HOTP-IDEAL
|
|||
|
using v verification oracle queries and a <= 2^c - s authenticator
|
|||
|
oracle queries. Then
|
|||
|
|
|||
|
Adv(B) < = sv * (q+1)/ 2^31
|
|||
|
|
|||
|
Note: This result is conditional on the adversary not seeing more
|
|||
|
than 2^c - s authentications performed by the user, which is hardly
|
|||
|
restrictive as long as c is large enough.
|
|||
|
|
|||
|
With m = 10^6, we get q = 2,147. In that case, Proposition 2 says
|
|||
|
that any adversary B attacking HOTP-IDEAL and making v verification
|
|||
|
attempts succeeds with probability at most
|
|||
|
|
|||
|
Equation 1
|
|||
|
----------
|
|||
|
sv * 2148/2^31 roughly = sv * 1.00024045/10^6
|
|||
|
|
|||
|
Meaning, B's success rate is not more than that achieved by the brute
|
|||
|
force attack.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 22]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
A.5. Security Analysis of HOTP
|
|||
|
|
|||
|
We have analyzed, in the previous sections, the security of the
|
|||
|
idealized counterparts HOTP-IDEAL of the actual authentication
|
|||
|
algorithm HOTP. We now show that, under appropriate and well-
|
|||
|
believed assumption on H, the security of the actual algorithms is
|
|||
|
essentially the same as that of its idealized counterpart.
|
|||
|
|
|||
|
The assumption in question is that H is a secure pseudorandom
|
|||
|
function, or PRF, meaning that its input-output values are
|
|||
|
indistinguishable from those of a random function in practice.
|
|||
|
|
|||
|
Consider an adversary A that is given an oracle for a function f:
|
|||
|
{0,1}^c --> {0, 1}^n and eventually outputs a bit. We denote Adv(A)
|
|||
|
as the prf-advantage of A, which represents how well the adversary
|
|||
|
does at distinguishing the case where its oracle is H(K,.) from the
|
|||
|
case where its oracle is a random function of {0,1}^c to {0,1}^n.
|
|||
|
|
|||
|
One possible attack is based on exhaustive search for the key K. If
|
|||
|
A runs for t steps and T denotes the time to perform one computation
|
|||
|
of H, its prf-advantage from this attack turns out to be (t/T)2^-k.
|
|||
|
Another possible attack is a birthday one [PrOo], whereby A can
|
|||
|
attain advantage p^2/2^n in p oracle queries and running time about
|
|||
|
pT.
|
|||
|
|
|||
|
Our assumption is that these are the best possible attacks. This
|
|||
|
translates into the following.
|
|||
|
|
|||
|
Assumption 1
|
|||
|
------------
|
|||
|
|
|||
|
Let T denotes the time to perform one computation of H. Then if A is
|
|||
|
any adversary with running time at most t and making at most p oracle
|
|||
|
queries,
|
|||
|
|
|||
|
Adv(A) <= (t/T)/2^k + p^2/2^n
|
|||
|
|
|||
|
In practice, this assumption means that H is very secure as PRF. For
|
|||
|
example, given that k = n = 160, an attacker with running time 2^60
|
|||
|
and making 2^40 oracle queries has advantage at most (about) 2^-80.
|
|||
|
|
|||
|
Theorem 1
|
|||
|
---------
|
|||
|
|
|||
|
Suppose m = 10^Digit < 2^31, and let (q,r) = IntDiv(2^31,m). Let B
|
|||
|
be any adversary attacking HOTP using v verification oracle queries,
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 23]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
a <= 2^c - s authenticator oracle queries, and running time t. Let T
|
|||
|
denote the time to perform one computation of H. If Assumption 1 is
|
|||
|
true, then
|
|||
|
|
|||
|
Adv(B) <= sv * (q + 1)/2^31 + (t/T)/2^k + ((sv + a)^2)/2^n
|
|||
|
|
|||
|
In practice, the (t/T)2^-k + ((sv + a)^2)2^-n term is much smaller
|
|||
|
than the sv(q + 1)/2^n term, so that the above says that for all
|
|||
|
practical purposes the success rate of an adversary attacking HOTP is
|
|||
|
sv(q + 1)/2^n, just as for HOTP-IDEAL, meaning the HOTP algorithm is
|
|||
|
in practice essentially as good as its idealized counterpart.
|
|||
|
|
|||
|
In the case m = 10^6 of a 6-digit output, this means that an
|
|||
|
adversary making v authentication attempts will have a success rate
|
|||
|
that is at most that of Equation 1.
|
|||
|
|
|||
|
For example, consider an adversary with running time at most 2^60
|
|||
|
that sees at most 2^40 authentication attempts of the user. Both
|
|||
|
these choices are very generous to the adversary, who will typically
|
|||
|
not have these resources, but we are saying that even such a powerful
|
|||
|
adversary will not have more success than indicated by Equation 1.
|
|||
|
|
|||
|
We can safely assume sv <= 2^40 due to the throttling and bounds on
|
|||
|
s. So:
|
|||
|
|
|||
|
(t/T)/2^k + ((sv + a)^2)/2^n <= 2^60/2^160 + (2^41)^2/2^160
|
|||
|
roughly <= 2^-78
|
|||
|
|
|||
|
which is much smaller than the success probability of Equation 1 and
|
|||
|
negligible compared to it.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 24]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Appendix B - SHA-1 Attacks
|
|||
|
|
|||
|
This sections addresses the impact of the recent attacks on SHA-1 on
|
|||
|
the security of the HMAC-SHA-1-based HOTP. We begin with some
|
|||
|
discussion of the situation of SHA-1 and then discuss the relevance
|
|||
|
to HMAC-SHA-1 and HOTP. Cited references are in Section 13.
|
|||
|
|
|||
|
B.1. SHA-1 Status
|
|||
|
|
|||
|
A collision for a hash function h means a pair x,y of different
|
|||
|
inputs such that h(x)=h(y). Since SHA-1 outputs 160 bits, a birthday
|
|||
|
attack finds a collision in 2^{80} trials. (A trial means one
|
|||
|
computation of the function.) This was thought to be the best
|
|||
|
possible until Wang, Yin, and Yu announced on February 15, 2005, that
|
|||
|
they had an attack finding collisions in 2^{69} trials.
|
|||
|
|
|||
|
Is SHA-1 broken? For most practical purposes, we would say probably
|
|||
|
not, since the resources needed to mount the attack are huge. Here
|
|||
|
is one way to get a sense of it: we can estimate it is about the same
|
|||
|
as the time we would need to factor a 760-bit RSA modulus, and this
|
|||
|
is currently considered out of reach.
|
|||
|
|
|||
|
Burr of NIST is quoted in [Crack] as saying "Large national
|
|||
|
intelligence agencies could do this in a reasonable amount of time
|
|||
|
with a few million dollars in computer time". However, the
|
|||
|
computation may be out of reach of all but such well-funded agencies.
|
|||
|
|
|||
|
One should also ask what impact finding SHA-1 collisions actually has
|
|||
|
on security of real applications such as signatures. To exploit a
|
|||
|
collision x,y to forge signatures, you need to somehow obtain a
|
|||
|
signature of x and then you can forge a signature of y. How damaging
|
|||
|
this is depends on the content of y: the y created by the attack may
|
|||
|
not be meaningful in the application context. Also, one needs a
|
|||
|
chosen-message attack to get the signature of x. This seems possible
|
|||
|
in some contexts, but not others. Overall, it is not clear that the
|
|||
|
impact on the security of signatures is significant.
|
|||
|
|
|||
|
Indeed, one can read in the press that SHA-1 is "broken" [Sha1] and
|
|||
|
that encryption and SSL are "broken" [Res]. The media have a
|
|||
|
tendency to magnify events: it would hardly be interesting to
|
|||
|
announce in the news that a team of cryptanalysts did very
|
|||
|
interesting theoretical work in attacking SHA-1.
|
|||
|
|
|||
|
Cryptographers are excited too. But mainly because this is an
|
|||
|
important theoretical breakthrough. Attacks can only get better with
|
|||
|
time: it is therefore important to monitor any progress in hash
|
|||
|
functions cryptanalysis and be prepared for any really practical
|
|||
|
break with a sound migration plan for the future.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 25]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
B.2. HMAC-SHA-1 Status
|
|||
|
|
|||
|
The new attacks on SHA-1 have no impact on the security of
|
|||
|
HMAC-SHA-1. The best attack on the latter remains one needing a
|
|||
|
sender to authenticate 2^{80} messages before an adversary can create
|
|||
|
a forgery. Why?
|
|||
|
|
|||
|
HMAC is not a hash function. It is a message authentication code
|
|||
|
(MAC) that uses a hash function internally. A MAC depends on a
|
|||
|
secret key, while hash functions don't. What one needs to worry
|
|||
|
about with a MAC is forgery, not collisions. HMAC was designed so
|
|||
|
that collisions in the hash function (here SHA-1) do not yield
|
|||
|
forgeries for HMAC.
|
|||
|
|
|||
|
Recall that HMAC-SHA-1(K,x) = SHA-1(K_o,SHA-1(K_i,x)) where the keys
|
|||
|
K_o,K_i are derived from K. Suppose the attacker finds a pair x,y
|
|||
|
such that SHA-1(K_i,x) = SHA-1(K_i,y). (Call this a hidden-key
|
|||
|
collision.) Then if it can obtain the MAC of x (itself a tall
|
|||
|
order), it can forge the MAC of y. (These values are the same.) But
|
|||
|
finding hidden-key collisions is harder than finding collisions,
|
|||
|
because the attacker does not know the hidden key K_i. All it may
|
|||
|
have is some outputs of HMAC-SHA-1 with key K. To date, there are no
|
|||
|
claims or evidence that the recent attacks on SHA-1 extend to find
|
|||
|
hidden-key collisions.
|
|||
|
|
|||
|
Historically, the HMAC design has already proven itself in this
|
|||
|
regard. MD5 is considered broken in that collisions in this hash
|
|||
|
function can be found relatively easily. But there is still no
|
|||
|
attack on HMAC-MD5 better than the trivial 2^{64} time birthday one.
|
|||
|
(MD5 outputs 128 bits, not 160.) We are seeing this strength of HMAC
|
|||
|
coming into play again in the SHA-1 context.
|
|||
|
|
|||
|
B.3. HOTP Status
|
|||
|
|
|||
|
Since no new weakness has surfaced in HMAC-SHA-1, there is no impact
|
|||
|
on HOTP. The best attacks on HOTP remain those described in the
|
|||
|
document, namely, to try to guess output values.
|
|||
|
|
|||
|
The security proof of HOTP requires that HMAC-SHA-1 behave like a
|
|||
|
pseudorandom function. The quality of HMAC-SHA-1 as a pseudorandom
|
|||
|
function is not impacted by the new attacks on SHA-1, and so neither
|
|||
|
is this proven guarantee.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 26]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Appendix C - HOTP Algorithm: Reference Implementation
|
|||
|
|
|||
|
/*
|
|||
|
* OneTimePasswordAlgorithm.java
|
|||
|
* OATH Initiative,
|
|||
|
* HOTP one-time password algorithm
|
|||
|
*
|
|||
|
*/
|
|||
|
|
|||
|
/* Copyright (C) 2004, OATH. All rights reserved.
|
|||
|
*
|
|||
|
* License to copy and use this software is granted provided that it
|
|||
|
* is identified as the "OATH HOTP Algorithm" in all material
|
|||
|
* mentioning or referencing this software or this function.
|
|||
|
*
|
|||
|
* License is also granted to make and use derivative works provided
|
|||
|
* that such works are identified as
|
|||
|
* "derived from OATH HOTP algorithm"
|
|||
|
* in all material mentioning or referencing the derived work.
|
|||
|
*
|
|||
|
* OATH (Open AuTHentication) and its members make no
|
|||
|
* representations concerning either the merchantability of this
|
|||
|
* software or the suitability of this software for any particular
|
|||
|
* purpose.
|
|||
|
*
|
|||
|
* It is provided "as is" without express or implied warranty
|
|||
|
* of any kind and OATH AND ITS MEMBERS EXPRESSaLY DISCLAIMS
|
|||
|
* ANY WARRANTY OR LIABILITY OF ANY KIND relating to this software.
|
|||
|
*
|
|||
|
* These notices must be retained in any copies of any part of this
|
|||
|
* documentation and/or software.
|
|||
|
*/
|
|||
|
|
|||
|
package org.openauthentication.otp;
|
|||
|
|
|||
|
import java.io.IOException;
|
|||
|
import java.io.File;
|
|||
|
import java.io.DataInputStream;
|
|||
|
import java.io.FileInputStream ;
|
|||
|
import java.lang.reflect.UndeclaredThrowableException;
|
|||
|
|
|||
|
import java.security.GeneralSecurityException;
|
|||
|
import java.security.NoSuchAlgorithmException;
|
|||
|
import java.security.InvalidKeyException;
|
|||
|
|
|||
|
import javax.crypto.Mac;
|
|||
|
import javax.crypto.spec.SecretKeySpec;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 27]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
/**
|
|||
|
* This class contains static methods that are used to calculate the
|
|||
|
* One-Time Password (OTP) using
|
|||
|
* JCE to provide the HMAC-SHA-1.
|
|||
|
*
|
|||
|
* @author Loren Hart
|
|||
|
* @version 1.0
|
|||
|
*/
|
|||
|
public class OneTimePasswordAlgorithm {
|
|||
|
private OneTimePasswordAlgorithm() {}
|
|||
|
|
|||
|
// These are used to calculate the check-sum digits.
|
|||
|
// 0 1 2 3 4 5 6 7 8 9
|
|||
|
private static final int[] doubleDigits =
|
|||
|
{ 0, 2, 4, 6, 8, 1, 3, 5, 7, 9 };
|
|||
|
|
|||
|
/**
|
|||
|
* Calculates the checksum using the credit card algorithm.
|
|||
|
* This algorithm has the advantage that it detects any single
|
|||
|
* mistyped digit and any single transposition of
|
|||
|
* adjacent digits.
|
|||
|
*
|
|||
|
* @param num the number to calculate the checksum for
|
|||
|
* @param digits number of significant places in the number
|
|||
|
*
|
|||
|
* @return the checksum of num
|
|||
|
*/
|
|||
|
public static int calcChecksum(long num, int digits) {
|
|||
|
boolean doubleDigit = true;
|
|||
|
int total = 0;
|
|||
|
while (0 < digits--) {
|
|||
|
int digit = (int) (num % 10);
|
|||
|
num /= 10;
|
|||
|
if (doubleDigit) {
|
|||
|
digit = doubleDigits[digit];
|
|||
|
}
|
|||
|
total += digit;
|
|||
|
doubleDigit = !doubleDigit;
|
|||
|
}
|
|||
|
int result = total % 10;
|
|||
|
if (result > 0) {
|
|||
|
result = 10 - result;
|
|||
|
}
|
|||
|
return result;
|
|||
|
}
|
|||
|
|
|||
|
/**
|
|||
|
* This method uses the JCE to provide the HMAC-SHA-1
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 28]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
* algorithm.
|
|||
|
* HMAC computes a Hashed Message Authentication Code and
|
|||
|
* in this case SHA1 is the hash algorithm used.
|
|||
|
*
|
|||
|
* @param keyBytes the bytes to use for the HMAC-SHA-1 key
|
|||
|
* @param text the message or text to be authenticated.
|
|||
|
*
|
|||
|
* @throws NoSuchAlgorithmException if no provider makes
|
|||
|
* either HmacSHA1 or HMAC-SHA-1
|
|||
|
* digest algorithms available.
|
|||
|
* @throws InvalidKeyException
|
|||
|
* The secret provided was not a valid HMAC-SHA-1 key.
|
|||
|
*
|
|||
|
*/
|
|||
|
|
|||
|
public static byte[] hmac_sha1(byte[] keyBytes, byte[] text)
|
|||
|
throws NoSuchAlgorithmException, InvalidKeyException
|
|||
|
{
|
|||
|
// try {
|
|||
|
Mac hmacSha1;
|
|||
|
try {
|
|||
|
hmacSha1 = Mac.getInstance("HmacSHA1");
|
|||
|
} catch (NoSuchAlgorithmException nsae) {
|
|||
|
hmacSha1 = Mac.getInstance("HMAC-SHA-1");
|
|||
|
}
|
|||
|
SecretKeySpec macKey =
|
|||
|
new SecretKeySpec(keyBytes, "RAW");
|
|||
|
hmacSha1.init(macKey);
|
|||
|
return hmacSha1.doFinal(text);
|
|||
|
// } catch (GeneralSecurityException gse) {
|
|||
|
// throw new UndeclaredThrowableException(gse);
|
|||
|
// }
|
|||
|
}
|
|||
|
|
|||
|
private static final int[] DIGITS_POWER
|
|||
|
// 0 1 2 3 4 5 6 7 8
|
|||
|
= {1,10,100,1000,10000,100000,1000000,10000000,100000000};
|
|||
|
|
|||
|
/**
|
|||
|
* This method generates an OTP value for the given
|
|||
|
* set of parameters.
|
|||
|
*
|
|||
|
* @param secret the shared secret
|
|||
|
* @param movingFactor the counter, time, or other value that
|
|||
|
* changes on a per use basis.
|
|||
|
* @param codeDigits the number of digits in the OTP, not
|
|||
|
* including the checksum, if any.
|
|||
|
* @param addChecksum a flag that indicates if a checksum digit
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 29]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
* should be appended to the OTP.
|
|||
|
* @param truncationOffset the offset into the MAC result to
|
|||
|
* begin truncation. If this value is out of
|
|||
|
* the range of 0 ... 15, then dynamic
|
|||
|
* truncation will be used.
|
|||
|
* Dynamic truncation is when the last 4
|
|||
|
* bits of the last byte of the MAC are
|
|||
|
* used to determine the start offset.
|
|||
|
* @throws NoSuchAlgorithmException if no provider makes
|
|||
|
* either HmacSHA1 or HMAC-SHA-1
|
|||
|
* digest algorithms available.
|
|||
|
* @throws InvalidKeyException
|
|||
|
* The secret provided was not
|
|||
|
* a valid HMAC-SHA-1 key.
|
|||
|
*
|
|||
|
* @return A numeric String in base 10 that includes
|
|||
|
* {@link codeDigits} digits plus the optional checksum
|
|||
|
* digit if requested.
|
|||
|
*/
|
|||
|
static public String generateOTP(byte[] secret,
|
|||
|
long movingFactor,
|
|||
|
int codeDigits,
|
|||
|
boolean addChecksum,
|
|||
|
int truncationOffset)
|
|||
|
throws NoSuchAlgorithmException, InvalidKeyException
|
|||
|
{
|
|||
|
// put movingFactor value into text byte array
|
|||
|
String result = null;
|
|||
|
int digits = addChecksum ? (codeDigits + 1) : codeDigits;
|
|||
|
byte[] text = new byte[8];
|
|||
|
for (int i = text.length - 1; i >= 0; i--) {
|
|||
|
text[i] = (byte) (movingFactor & 0xff);
|
|||
|
movingFactor >>= 8;
|
|||
|
}
|
|||
|
|
|||
|
// compute hmac hash
|
|||
|
byte[] hash = hmac_sha1(secret, text);
|
|||
|
|
|||
|
// put selected bytes into result int
|
|||
|
int offset = hash[hash.length - 1] & 0xf;
|
|||
|
if ( (0<=truncationOffset) &&
|
|||
|
(truncationOffset<(hash.length-4)) ) {
|
|||
|
offset = truncationOffset;
|
|||
|
}
|
|||
|
int binary =
|
|||
|
((hash[offset] & 0x7f) << 24)
|
|||
|
| ((hash[offset + 1] & 0xff) << 16)
|
|||
|
| ((hash[offset + 2] & 0xff) << 8)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 30]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
| (hash[offset + 3] & 0xff);
|
|||
|
|
|||
|
int otp = binary % DIGITS_POWER[codeDigits];
|
|||
|
if (addChecksum) {
|
|||
|
otp = (otp * 10) + calcChecksum(otp, codeDigits);
|
|||
|
}
|
|||
|
result = Integer.toString(otp);
|
|||
|
while (result.length() < digits) {
|
|||
|
result = "0" + result;
|
|||
|
}
|
|||
|
return result;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 31]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Appendix D - HOTP Algorithm: Test Values
|
|||
|
|
|||
|
The following test data uses the ASCII string
|
|||
|
"12345678901234567890" for the secret:
|
|||
|
|
|||
|
Secret = 0x3132333435363738393031323334353637383930
|
|||
|
|
|||
|
Table 1 details for each count, the intermediate HMAC value.
|
|||
|
|
|||
|
Count Hexadecimal HMAC-SHA-1(secret, count)
|
|||
|
0 cc93cf18508d94934c64b65d8ba7667fb7cde4b0
|
|||
|
1 75a48a19d4cbe100644e8ac1397eea747a2d33ab
|
|||
|
2 0bacb7fa082fef30782211938bc1c5e70416ff44
|
|||
|
3 66c28227d03a2d5529262ff016a1e6ef76557ece
|
|||
|
4 a904c900a64b35909874b33e61c5938a8e15ed1c
|
|||
|
5 a37e783d7b7233c083d4f62926c7a25f238d0316
|
|||
|
6 bc9cd28561042c83f219324d3c607256c03272ae
|
|||
|
7 a4fb960c0bc06e1eabb804e5b397cdc4b45596fa
|
|||
|
8 1b3c89f65e6c9e883012052823443f048b4332db
|
|||
|
9 1637409809a679dc698207310c8c7fc07290d9e5
|
|||
|
|
|||
|
Table 2 details for each count the truncated values (both in
|
|||
|
hexadecimal and decimal) and then the HOTP value.
|
|||
|
|
|||
|
Truncated
|
|||
|
Count Hexadecimal Decimal HOTP
|
|||
|
0 4c93cf18 1284755224 755224
|
|||
|
1 41397eea 1094287082 287082
|
|||
|
2 82fef30 137359152 359152
|
|||
|
3 66ef7655 1726969429 969429
|
|||
|
4 61c5938a 1640338314 338314
|
|||
|
5 33c083d4 868254676 254676
|
|||
|
6 7256c032 1918287922 287922
|
|||
|
7 4e5b397 82162583 162583
|
|||
|
8 2823443f 673399871 399871
|
|||
|
9 2679dc69 645520489 520489
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 32]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Appendix E - Extensions
|
|||
|
|
|||
|
|
|||
|
We introduce in this section several enhancements to the HOTP
|
|||
|
algorithm. These are not recommended extensions or part of the
|
|||
|
standard algorithm, but merely variations that could be used for
|
|||
|
customized implementations.
|
|||
|
|
|||
|
E.1. Number of Digits
|
|||
|
|
|||
|
A simple enhancement in terms of security would be to extract more
|
|||
|
digits from the HMAC-SHA-1 value.
|
|||
|
|
|||
|
For instance, calculating the HOTP value modulo 10^8 to build an 8-
|
|||
|
digit HOTP value would reduce the probability of success of the
|
|||
|
adversary from sv/10^6 to sv/10^8.
|
|||
|
|
|||
|
This could give the opportunity to improve usability, e.g., by
|
|||
|
increasing T and/or s, while still achieving a better security
|
|||
|
overall. For instance, s = 10 and 10v/10^8 = v/10^7 < v/10^6 which
|
|||
|
is the theoretical optimum for 6-digit code when s = 1.
|
|||
|
|
|||
|
E.2. Alphanumeric Values
|
|||
|
|
|||
|
Another option is to use A-Z and 0-9 values; or rather a subset of 32
|
|||
|
symbols taken from the alphanumerical alphabet in order to avoid any
|
|||
|
confusion between characters: 0, O, and Q as well as l, 1, and I are
|
|||
|
very similar, and can look the same on a small display.
|
|||
|
|
|||
|
The immediate consequence is that the security is now in the order of
|
|||
|
sv/32^6 for a 6-digit HOTP value and sv/32^8 for an 8-digit HOTP
|
|||
|
value.
|
|||
|
|
|||
|
32^6 > 10^9 so the security of a 6-alphanumeric HOTP code is slightly
|
|||
|
better than a 9-digit HOTP value, which is the maximum length of an
|
|||
|
HOTP code supported by the proposed algorithm.
|
|||
|
|
|||
|
32^8 > 10^12 so the security of an 8-alphanumeric HOTP code is
|
|||
|
significantly better than a 9-digit HOTP value.
|
|||
|
|
|||
|
Depending on the application and token/interface used for displaying
|
|||
|
and entering the HOTP value, the choice of alphanumeric values could
|
|||
|
be a simple and efficient way to improve security at a reduced cost
|
|||
|
and impact on users.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 33]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
E.3. Sequence of HOTP Values
|
|||
|
|
|||
|
As we suggested for the resynchronization to enter a short sequence
|
|||
|
(say, 2 or 3) of HOTP values, we could generalize the concept to the
|
|||
|
protocol, and add a parameter L that would define the length of the
|
|||
|
HOTP sequence to enter.
|
|||
|
|
|||
|
Per default, the value L SHOULD be set to 1, but if security needs to
|
|||
|
be increased, users might be asked (possibly for a short period of
|
|||
|
time, or a specific operation) to enter L HOTP values.
|
|||
|
|
|||
|
This is another way, without increasing the HOTP length or using
|
|||
|
alphanumeric values to tighten security.
|
|||
|
|
|||
|
Note: The system MAY also be programmed to request synchronization on
|
|||
|
a regular basis (e.g., every night, twice a week, etc.) and to
|
|||
|
achieve this purpose, ask for a sequence of L HOTP values.
|
|||
|
|
|||
|
E.4. A Counter-Based Resynchronization Method
|
|||
|
|
|||
|
In this case, we assume that the client can access and send not only
|
|||
|
the HOTP value but also other information, more specifically, the
|
|||
|
counter value.
|
|||
|
|
|||
|
A more efficient and secure method for resynchronization is possible
|
|||
|
in this case. The client application will not send the HOTP-client
|
|||
|
value only, but the HOTP-client and the related C-client counter
|
|||
|
value, the HOTP value acting as a message authentication code of the
|
|||
|
counter.
|
|||
|
|
|||
|
Resynchronization Counter-based Protocol (RCP)
|
|||
|
----------------------------------------------
|
|||
|
|
|||
|
The server accepts if the following are all true, where C-server is
|
|||
|
its own current counter value:
|
|||
|
|
|||
|
1) C-client >= C-server
|
|||
|
2) C-client - C-server <= s
|
|||
|
3) Check that HOTP client is valid HOTP(K,C-Client)
|
|||
|
4) If true, the server sets C to C-client + 1 and client is
|
|||
|
authenticated
|
|||
|
|
|||
|
In this case, there is no need for managing a look-ahead window
|
|||
|
anymore. The probability of success of the adversary is only v/10^6
|
|||
|
or roughly v in one million. A side benefit is obviously to be able
|
|||
|
to increase s "infinitely" and therefore improve the system usability
|
|||
|
without impacting the security.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 34]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
This resynchronization protocol SHOULD be used whenever the related
|
|||
|
impact on the client and server applications is deemed acceptable.
|
|||
|
|
|||
|
E.5. Data Field
|
|||
|
|
|||
|
Another interesting option is the introduction of a Data field, which
|
|||
|
would be used for generating the One-Time Password values: HOTP (K,
|
|||
|
C, [Data]) where Data is an optional field that can be the
|
|||
|
concatenation of various pieces of identity-related information,
|
|||
|
e.g., Data = Address | PIN.
|
|||
|
|
|||
|
We could also use a Timer, either as the only moving factor or in
|
|||
|
combination with the Counter -- in this case, e.g., Data = Timer,
|
|||
|
where Timer could be the UNIX-time (GMT seconds since 1/1/1970)
|
|||
|
divided by some factor (8, 16, 32, etc.) in order to give a specific
|
|||
|
time step. The time window for the One-Time Password is then equal
|
|||
|
to the time step multiplied by the resynchronization parameter as
|
|||
|
defined before. For example, if we take 64 seconds as the time step
|
|||
|
and 7 for the resynchronization parameter, we obtain an acceptance
|
|||
|
window of +/- 3 minutes.
|
|||
|
|
|||
|
Using a Data field opens for more flexibility in the algorithm
|
|||
|
implementation, provided that the Data field is clearly specified.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 35]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Authors' Addresses
|
|||
|
|
|||
|
David M'Raihi (primary contact for sending comments and questions)
|
|||
|
VeriSign, Inc.
|
|||
|
685 E. Middlefield Road
|
|||
|
Mountain View, CA 94043 USA
|
|||
|
|
|||
|
Phone: 1-650-426-3832
|
|||
|
EMail: dmraihi@verisign.com
|
|||
|
|
|||
|
|
|||
|
Mihir Bellare
|
|||
|
Dept of Computer Science and Engineering, Mail Code 0114
|
|||
|
University of California at San Diego
|
|||
|
9500 Gilman Drive
|
|||
|
La Jolla, CA 92093, USA
|
|||
|
|
|||
|
EMail: mihir@cs.ucsd.edu
|
|||
|
|
|||
|
|
|||
|
Frank Hoornaert
|
|||
|
VASCO Data Security, Inc.
|
|||
|
Koningin Astridlaan 164
|
|||
|
1780 Wemmel, Belgium
|
|||
|
|
|||
|
EMail: frh@vasco.com
|
|||
|
|
|||
|
|
|||
|
David Naccache
|
|||
|
Gemplus Innovation
|
|||
|
34 rue Guynemer, 92447,
|
|||
|
Issy les Moulineaux, France
|
|||
|
and
|
|||
|
Information Security Group,
|
|||
|
Royal Holloway,
|
|||
|
University of London, Egham,
|
|||
|
Surrey TW20 0EX, UK
|
|||
|
|
|||
|
EMail: david.naccache@gemplus.com, david.naccache@rhul.ac.uk
|
|||
|
|
|||
|
|
|||
|
Ohad Ranen
|
|||
|
Aladdin Knowledge Systems Ltd.
|
|||
|
15 Beit Oved Street
|
|||
|
Tel Aviv, Israel 61110
|
|||
|
|
|||
|
EMail: Ohad.Ranen@ealaddin.com
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 36]
|
|||
|
|
|||
|
RFC 4226 HOTP Algorithm December 2005
|
|||
|
|
|||
|
|
|||
|
Full Copyright Statement
|
|||
|
|
|||
|
Copyright (C) The Internet Society (2005).
|
|||
|
|
|||
|
This document is subject to the rights, licenses and restrictions
|
|||
|
contained in BCP 78, and except as set forth therein, the authors
|
|||
|
retain all their rights.
|
|||
|
|
|||
|
This document and the information contained herein are provided on an
|
|||
|
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
|||
|
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
|||
|
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
|||
|
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
|||
|
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|||
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|||
|
|
|||
|
Intellectual Property
|
|||
|
|
|||
|
The IETF takes no position regarding the validity or scope of any
|
|||
|
Intellectual Property Rights or other rights that might be claimed to
|
|||
|
pertain to the implementation or use of the technology described in
|
|||
|
this document or the extent to which any license under such rights
|
|||
|
might or might not be available; nor does it represent that it has
|
|||
|
made any independent effort to identify any such rights. Information
|
|||
|
on the procedures with respect to rights in RFC documents can be
|
|||
|
found in BCP 78 and BCP 79.
|
|||
|
|
|||
|
Copies of IPR disclosures made to the IETF Secretariat and any
|
|||
|
assurances of licenses to be made available, or the result of an
|
|||
|
attempt made to obtain a general license or permission for the use of
|
|||
|
such proprietary rights by implementers or users of this
|
|||
|
specification can be obtained from the IETF on-line IPR repository at
|
|||
|
http://www.ietf.org/ipr.
|
|||
|
|
|||
|
The IETF invites any interested party to bring to its attention any
|
|||
|
copyrights, patents or patent applications, or other proprietary
|
|||
|
rights that may cover technology that may be required to implement
|
|||
|
this standard. Please address the information to the IETF at ietf-
|
|||
|
ipr@ietf.org.
|
|||
|
|
|||
|
Acknowledgement
|
|||
|
|
|||
|
Funding for the RFC Editor function is currently provided by the
|
|||
|
Internet Society.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
M'Raihi, et al. Informational [Page 37]
|
|||
|
|