ASTAP-24/INF-12

ASIA-PACIFIC TELECOMMUNITY
The 24th APT Standardization Program Forum (ASTAP-24)
27 – 29 August 2014, Bangkok, Thailand

Document ASTAP-24/INF-12
18 August 2014

ETRI, Republic of Korea

Requirements of Secure One-Time Password Generation in Mobile Devices

1. Introduction

This contribution provides requirements for secure one-time password generation in mobile devices, as informative items for further study.

2. Background and Motivation

With the growth of user authentication services, and of attacks on traditional authentication methods, the need for more secure user authentication grows. Traditional static password authentication methods are widely used because of their convenience. However, they often suffer from eavesdropping, replay, guessing attacks and so on. As a defence against these, OTP (one-time password) authentication is usually adopted to support 2-factor authentication in various fields such as finance, portals, games and so on.

One-time password authentication requires, by default, a user-side OTP generator, called a token, for the generation of dynamic passwords. Recently, OTP generation in mobile devices is increasingly used as a way to provide OTP authentication without a dedicated OTP hardware token. This is referred to as an mOTP (mobile one-time password) token.

There are two kinds of mOTP tokens for user authentication in mobile devices. One is the software-based mOTP token running in the mobile device itself. The other is the hardware-based mOTP token embedded in secure hardware in the mobile device, such as a USIM, an SE (secure element) or a secure MicroSD card. In terms of the two critical factors, security and user convenience, the hardware-based mOTP token is more secure but less convenient than the software-based mOTP token.

There are also two major events in OTP authentication: user authentication and transaction authentication. The first authenticates users who are to gain access to services; the second confirms whether the transmitted data is true and correct. Transaction authentication is mainly used in financial services such as banking or e-commerce and is always preceded by user authentication. That is why transaction authentication should be more secure. In contrast, user authentication in a non-financial service such as a portal should be more convenient, so that users can access the service easily.

In conclusion, it is necessary to choose the appropriate mobile OTP generation method to achieve both high security and user convenience when an OTP authentication event occurs.

Figure 1. Architecture for a secure mobile OTP authentication system

3. The secure mobile OTP authentication system

In general, there are two main entities in a mobile OTP authentication system: the mOTP token, based on hardware or software, and the OTP authentication server that verifies a one-time password from the mOTP token. In order to develop a secure mobile OTP authentication system, some components should be added to each entity, as shown in figure 1 above.

System Requirements

  • Authentication event generation

At the beginning of mobile OTP generation, one of the two OTP authentication events is generated according to the type of service that requests the OTP generation. The two possible events are user authentication and transaction authentication.

- A user authentication event is required to be generated.

- A transaction authentication event is required to be generated.

- Pre-specified criteria for event generation are required.

- The results of event generation should be provided to the policy classification.

  • Authentication event classification

The goal of authentication event classification is to generate event classifiers, based on the results of authentication event generation, so that an mOTP token can be selected efficiently. There are 3 possible classifiers, in combination with the type of service, given as follows:

- Hardware-based mobile OTP generation is required if a transaction event occurs.

- Software-based mobile OTP generation is required if a user authentication event occurs when a high convenience service requests the OTP generation.

- Hardware-based mobile OTP generation is required if a user authentication event occurs when a high security service requests the OTP generation.

  • Mobile OTP generation

According to the classifiers from authentication event classification, an OTP is generated using the same key materials and crypto functions shared between the mOTP token and the mOTP authentication server. As a result, either the software-based mOTP token or the hardware-based mOTP token can be selected in a mobile device.

- Classifiers from authentication event classification are required to select an appropriate mOTP token.

- The same key materials and crypto functions, shared between the mOTP token and the mOTP authentication server, are required.

- A software-based mOTP token follows the security requirements for the mobile device.

- A hardware-based mOTP token follows the security requirements for the secure hardware in mobile devices.

  • OTP validation

First, the OTP authentication server receives the generated OTP, the user information and the classifier, if provided. Next, using these data and crypto functions identical to those of the mOTP token, it generates an OTP itself. Finally, it verifies the received OTP against it.

- The generated OTP, the user information and the classifier should be provided to the OTP authentication server.

- It is necessary to verify the generated OTP using the received data and crypto functions identical to those of the mOTP token.
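The four requirement groups above (event classification, token selection, a shared crypto function, server-side validation) as one added worked example; this is illustrative code written for this page, not ETRI's or the contribution's own. It assumes HOTP (RFC 4226, HMAC-SHA1 over a counter) as the shared crypto function, which the contribution does not name, and models the hardware-based token as an object whose key the application layer cannot read; user names and keys are constructed.

```python
import hmac, hashlib, struct

USER_AUTH, TRANSACTION = "user_authentication", "transaction_authentication"
HIGH_CONVENIENCE, HIGH_SECURITY = "high_convenience", "high_security"
HARDWARE, SOFTWARE = "hardware", "software"

def classify(event, service):
    """Authentication event classification: the three classifiers of section 3."""
    if event == TRANSACTION:
        return HARDWARE           # a transaction event always uses the secure hardware
    if event == USER_AUTH and service == HIGH_CONVENIENCE:
        return SOFTWARE
    if event == USER_AUTH and service == HIGH_SECURITY:
        return HARDWARE
    raise ValueError(f"no classifier for {event!r} / {service!r}")

def hotp(key, counter, digits=6):
    """Shared crypto function: HOTP (RFC 4226) is assumed; the document names none."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class Token:
    """An mOTP token: only kind and generate() are exposed; the key stays inside
    (for the hardware kind this models a key confined to the secure element)."""
    def __init__(self, kind, key):
        self.kind, self._key = kind, key
    def generate(self, counter):
        return hotp(self._key, counter)

class AuthServer:
    """Server side: one shared key per (user, token kind) plus the last accepted counter, so a captured OTP cannot be replayed."""
    def __init__(self, keys_by_user):
        self.keys, self.last = keys_by_user, {}
    def validate(self, user, classifier, otp, counter):
        key = self.keys.get(user, {}).get(classifier)
        if key is None or counter <= self.last.get((user, classifier), -1):
            return False
        if not hmac.compare_digest(hotp(key, counter), otp):
            return False
        self.last[(user, classifier)] = counter
        return True

def authenticate(server, user, tokens, event, service, counter):
    """Whole flow: event -> classifier -> token selection -> OTP -> server validation."""
    classifier = classify(event, service)
    otp = tokens[classifier].generate(counter)
    return classifier, server.validate(user, classifier, otp, counter)
```

The server keeps a separate key and counter per token kind, so an OTP produced by the software token is not accepted when the classifier demanded the hardware token.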

4. Summary

In this contribution we have described the requirements for secure OTP generation in mobile devices for a user authentication system. It explains the requirements of mobile OTP generation and proposes a secure mobile OTP authentication system that meets those requirements as effectively as possible.

