TY - GEN
T1 - Contextual OTP
T2 - 10th International Conference on Applied Cryptography and Network Security, ACNS 2012
AU - Ben-David, Assaf
AU - Berkman, Omer
AU - Matias, Yossi
AU - Patel, Sarvar
AU - Paya, Cem
AU - Yung, Moti
PY - 2012
Y1 - 2012
N2 - OTP (One Time Password) devices are widely deployed trust-enhancing (password-entropy-increasing) devices used to authenticate a user with a second factor (a pseudorandom sequence of digits produced by a device the user owns) and to cope with off-line phishing of password information. A wireless connection adds usability to OTP protocols in an obvious way: instead of the person copying the value between machines, the wireless (say, Bluetooth) link transfers it directly. Indeed, an OTP device implemented on a smartphone and communicating with the browser over Bluetooth works in a usable fashion (this extension was implemented in our organization and received very positive usability feedback). Our key observation is that this mode of wireless OTP transfer turns the "man to machine" nature of OTP tokens into a "(mobile) device to machine (the browser on the computer)" method, so protocols can now be run between the two interacting computers. We therefore asked what this new mode can contribute to security (rather than to usability only) and how it can cope with a larger set of attacks. Specifically, we ask whether wireless OTP devices (i.e., smartphones) can be hardened at reasonable cost (i.e., without costly changes to the OTP infrastructure, without public-key infrastructure or operations, and with only small modifications to browsers) so as to be useful against one interesting, currently growing, and highly publicized type of Man in the Middle (MITM) attack. This work summarizes our study, which is based on our proposed new notion of Contextual OTP (XOTP for short); XOTP exploits session contexts to break the symmetry between the "user-MITM" and "MITM-server" sessions.
AB - OTP (One Time Password) devices are widely deployed trust-enhancing (password-entropy-increasing) devices used to authenticate a user with a second factor (a pseudorandom sequence of digits produced by a device the user owns) and to cope with off-line phishing of password information. A wireless connection adds usability to OTP protocols in an obvious way: instead of the person copying the value between machines, the wireless (say, Bluetooth) link transfers it directly. Indeed, an OTP device implemented on a smartphone and communicating with the browser over Bluetooth works in a usable fashion (this extension was implemented in our organization and received very positive usability feedback). Our key observation is that this mode of wireless OTP transfer turns the "man to machine" nature of OTP tokens into a "(mobile) device to machine (the browser on the computer)" method, so protocols can now be run between the two interacting computers. We therefore asked what this new mode can contribute to security (rather than to usability only) and how it can cope with a larger set of attacks. Specifically, we ask whether wireless OTP devices (i.e., smartphones) can be hardened at reasonable cost (i.e., without costly changes to the OTP infrastructure, without public-key infrastructure or operations, and with only small modifications to browsers) so as to be useful against one interesting, currently growing, and highly publicized type of Man in the Middle (MITM) attack. This work summarizes our study, which is based on our proposed new notion of Contextual OTP (XOTP for short); XOTP exploits session contexts to break the symmetry between the "user-MITM" and "MITM-server" sessions.
UR - http://www.scopus.com/inward/record.url?scp=84863486043&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-31284-7_3
DO - 10.1007/978-3-642-31284-7_3
M3 - Conference contribution
SN - 9783642312830
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 30
EP - 47
BT - Applied Cryptography and Network Security - 10th International Conference, ACNS 2012, Proceedings
Y2 - 26 June 2012 through 29 June 2012
ER -
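The abstract above describes the core idea only at a high level: a plain OTP is a function of the shared secret and a counter, so a phishing MITM can relay it unchanged to the real server, whereas a contextual OTP mixes in something the browser observes about its own session, which differs between the "user-MITM" and "MITM-server" sessions. The following is an added illustration of that principle, written for this page and not code from the paper; the paper's actual XOTP protocol and its definition of "session context" are not given in the abstract. It assumes, for illustration only, an HOTP-style code (RFC 4226 truncation over HMAC-SHA1) and uses the origin the browser is connected to as a stand-in for the session context; the secret, origins and counter values are constructed sample data.

```python
import hashlib
import hmac
import struct


def otp(secret: bytes, counter: int, context: bytes = b"") -> str:
    """HOTP-style 6-digit code (RFC 4226 dynamic truncation over HMAC-SHA1).

    With an empty context this is ordinary HOTP. With a non-empty context
    the context bytes are appended to the MAC input, so the code only
    verifies against a peer that derives the same context. This is an
    illustrative construction, not the paper's XOTP protocol.
    """
    msg = struct.pack(">Q", counter) + context
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def verify(secret: bytes, counter: int, code: str, context: bytes = b"") -> bool:
    """Server-side check; constant-time comparison of the expected code."""
    return hmac.compare_digest(otp(secret, counter, context), code)


# Constructed sample data (assumed for this example, not from the paper).
SECRET = b"12345678901234567890"            # RFC 4226 test secret, shared by device and server
REAL_SITE = b"https://bank.example"         # context the browser sees on a genuine session
PHISH_SITE = b"https://bank-login.example"  # context the browser sees when it talks to the MITM


def login_attempt(counter: int, browser_context: bytes, contextual: bool) -> bool:
    """Model one login.

    The device (e.g. a phone over Bluetooth) computes a code for the session
    the browser is actually in. A relaying MITM forwards that code unchanged,
    so the server verifies it against the context of *its* session, which is
    always REAL_SITE. In plain-OTP mode no context is used on either side.
    """
    device_ctx = browser_context if contextual else b""
    code = otp(SECRET, counter, device_ctx)       # device -> browser -> (MITM) -> server
    server_ctx = REAL_SITE if contextual else b""
    return verify(SECRET, counter, code, server_ctx)


def legitimate_login(counter: int, contextual: bool) -> bool:
    """Browser talks directly to the real site."""
    return login_attempt(counter, REAL_SITE, contextual)


def relayed_login(counter: int, contextual: bool) -> bool:
    """Browser talks to the phishing MITM, which relays the code to the real site."""
    return login_attempt(counter, PHISH_SITE, contextual)


if __name__ == "__main__":
    for mode, flag in (("plain OTP", False), ("contextual OTP", True)):
        print(f"{mode:15s} legitimate={legitimate_login(0, flag)} "
              f"relayed-by-MITM={relayed_login(0, flag)}")
```

The asymmetry the abstract refers to is visible in `login_attempt`: the device and the server each derive the context from their own end of the connection, and only when those ends are the same session do the two derivations agree. The example also shows why the approach needs no new infrastructure beyond a small browser change: the server still runs a symmetric-key OTP check, and the only new input is the context the browser hands to the device.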