
A One-Time Password Authentication Method for Low Spec Machines and on Internet Protocols

Authors: Takasuke TSUJI, Akihiro SHIMIZU. Source: IEICE Transactions on Communications, Vol. E87-B, No. 6, June 2004, pp. 1594-1600. Speaker: Z.Y. Wu (吳紫嫣). Date: 2005/01/04.


Presentation Transcript


  1. A One-Time Password Authentication Method for Low Spec Machines and on Internet Protocols
     Authors: Takasuke TSUJI, Akihiro SHIMIZU
     Source: IEICE Transactions on Communications, Vol. E87-B, No. 6, June 2004, pp. 1594-1600
     Speaker: Z.Y. Wu (吳紫嫣)
     Date: 2005/01/04

  2. Outline
     • Introduction
     • SAS-2
     • Application for Key-Free Systems
     • Conclusion

  3. Introduction
     • SAS (Simple And Secure password authentication protocol) is a one-time password authentication method that uses a hash function five times, which imposes high overhead on low spec machines.
     • In this paper, we propose a new method, SAS-2, which reduces the overhead of hash function adaptation by 40%. This method has a mutual authentication phase, which maintains synchronous data communications in its authentication procedure. Moreover, SAS-2 can be applied to key-free systems.

  4. SAS-2 Protocol
     • The SAS-2 protocol consists of two phases: the registration phase and the authentication phase.
     • The registration process is performed only once, and the authentication procedure is executed every time the user logs in to the system.

  5. Definitions
     • User is the computer user who employs the protocol for authentication.
     • Server is the server that authenticates users.
     • ID is the user's identity.
     • S is the user's password.
     • X, F and H are one-way hash functions. For example, H(x) means x is hashed once.
     • i is an integer indicating the number of authentication sessions.
     • N_i represents a random number corresponding to the i-th authentication.
     • + represents the addition operation.
     • ⊕ represents a bitwise XOR operation.

  6. Registration phase of the SAS-2.
     • User: inputs ID, S; generates a random number N_i and stores N_i; A = X(ID, S⊕N_i)
     • User to Server (secure channel): ID, A
     • Server: stores ID, A

  7. Authentication phase of the SAS-2 (1/2).
     • Server data storage: ID, A
     • User data storage: N_i
     • User: inputs ID, S
     • A = X(ID, S⊕N_i)
     • Generates a random number N_{i+1} and stores N_{i+1} (then the user can use A instead of N_{i+1})
     • C = X(ID, S⊕N_{i+1})
     • F(C) = F(ID, C)
     • α = C⊕(F(C)+A)
     • β = F(C)⊕A

  8. Authentication phase of the SAS-2 (2/2).
     • F(C) = β⊕A
     • C = α⊕(F(C)+A)
     • F(C) = F(ID, C)? False: Authentication fail. True: A = C, γ = F(ID, F(C))
     • Message: γ
     • γ = F(ID, F(C))? False: Authentication fail. True

  9. Application for Key-Free Systems
     • Definitions: A lock has its own identity ID, the key's identity K, and secret key S.

  10. Registration phase of the key-free system.
     • Lock data storage: ID, S, K
     • Generates a random number N_i and stores N_i
     • A = X(ID⊕K, S⊕N_i)
     • Message (secure channel): ID, K, A
     • Key: stores ID, K, A

  11. The i-th authentication phase of the key-free system (1/2).
     • Key data storage: ID, K, A
     • Lock data storage: ID, S, K, N_i
     • A = X(ID⊕K, S⊕N_i)
     • Generates a random number N_{i+1} and stores N_{i+1} (then the user can use A instead of N_{i+1})
     • C = X(ID⊕K, S⊕N_{i+1})
     • F(C) = F(ID⊕K, C)
     • α = C⊕(F(C)+A)
     • β = F(C)⊕A
     • Messages: ID, α, β; K

  12. The i-th authentication phase of the key-free system (2/2).
     • F(C) = β⊕A
     • C = α⊕(F(C)+A)
     • F(C) = F(ID⊕K, C)? False: Authentication fail. True: A = C, γ = F(ID⊕K, F(C))
     • Message: γ
     • γ = F(ID⊕K, F(C))? False: Authentication fail. True

  13. Conclusion
     • The SAS-2 method has variations, and we have considered all variations of the SAS-2 and have produced safe combinations. In addition, we suggest here an application for key-free systems using the SAS-2 method.
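
The SAS-2 registration and authentication exchange from slides 6 to 8, with both sides and a replayed message, as an added example that is not code from the paper or the presentation. It assumes SHA-256 under distinct prefixes for X and F, 256-bit values with + taken modulo 2^256, a user who sends (ID, α, β) as on the key-free slide, and a server that performs the checks on slide 8; all function names and sample values are hypothetical.

```python
import hashlib, hmac, secrets

BITS = 256
MASK = (1 << BITS) - 1  # assumption: "+" is addition modulo 2**256

def _h(tag, ident, v):  # assumption: X and F are SHA-256 under distinct prefixes
    data = tag + ident.encode() + v.to_bytes(BITS // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def X(ident, v): return _h(b"X", ident, v)
def F(ident, v): return _h(b"F", ident, v)

def eq(a, b):  # constant-time comparison of two 256-bit values
    return hmac.compare_digest(a.to_bytes(32, "big"), b.to_bytes(32, "big"))

def user_register(ident, S):
    N = secrets.randbits(BITS)              # N_i, kept by the user
    return N, X(ident, S ^ N)               # A is sent over the secure channel

def user_request(ident, S, N):
    A = X(ident, S ^ N)                     # recomputed, never stored by the user
    N_next = secrets.randbits(BITS)         # N_{i+1}
    C = X(ident, S ^ N_next)                # becomes the server's next A
    FC = F(ident, C)
    return N_next, FC, C ^ ((FC + A) & MASK), FC ^ A   # ..., alpha, beta

def server_authenticate(db, ident, alpha, beta):
    A = db[ident]
    FC = beta ^ A
    C = alpha ^ ((FC + A) & MASK)
    if not eq(FC, F(ident, C)):
        return None                         # authentication fail, stored A unchanged
    db[ident] = C                           # A = C for the next session
    return F(ident, FC)                     # gamma, lets the user check the server

def user_verify(ident, FC, gamma):
    return gamma is not None and eq(gamma, F(ident, FC))

def demo():
    ident, S, db = "alice", secrets.randbits(BITS), {}   # constructed sample values
    N, db[ident] = user_register(ident, S)
    N1, FC, alpha, beta = user_request(ident, S, N)
    first = user_verify(ident, FC, server_authenticate(db, ident, alpha, beta))
    replay = server_authenticate(db, ident, alpha, beta)  # captured message sent again
    _N2, FC2, a2, b2 = user_request(ident, S, N1)         # next session uses N_{i+1}
    second = user_verify(ident, FC2, server_authenticate(db, ident, a2, b2))
    return first, replay, second

if __name__ == "__main__":
    print(demo())
```

The replayed (ID, α, β) is rejected because the server has already replaced A with C, so β⊕A no longer yields a value that matches F(ID, C).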
