Galexia
             home
       about us
        services
        projects
       research
          contact
» home » research » assets » eft review  

Subscribe to Galexia news and announcements.
More information »

Identity Management and Authentication - Strategic Consulting: Galexia’s expertise on identity management includes consideration of the policy context as well as technical design issues, legal compliance, political considerations and community attitudes. Our background in law, technology and public relations makes Galexia uniquely suited to delivering strategic advice on identity management. Find out more »

[2018 Global Cloud Computing Readiness Scorecard]

2018 Global Cloud Computing Readiness Scorecard
Find out more »

Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

[« previous] [next »] [up] [title page] [full contents]

Challenge/Response Mechanisms

An illustration of the application of challenge / response techniques to website authentication is provided by examining the work of the initiative for open authentication (OATH).[48] OATH is built around-the Industry Roadmap for Open Strong Authentication.

OATH has created a one-time password technology called HOTP to facilitate two-factor authentication. HOTP is based on the HMAC-SHA-1 cryptographic standard. A client can generate a one-time password using the HOTP algorithm when it is combined with a secret key (shared by both the server and client) and a counter value which increments every time a password is required. The server can verify the password is correct by applying the HOTP algorithm to its own copy of the key and counter value. One of the key advantages of this approach is that HOTP is not a proprietary model but an attempt to establish an industry standard for authentication. It also potentially avoids the expense of rollouts associated with hardware-based technology, although several vendors still employ OATH’s HOTP algorithm in hardware tokens.

The Mutual OATH: HOTP Extensions for mutual authentication[49] discusses possible ways in which the HOTP algorithm can be adapted for mutual-authentication (see in particular section 4.3). One way the document suggests this could be achieved is by replacing the incrementing counter value with a challenge / response mechanism. For example, a financial institution’s server could issue a challenge to the client. The client uses the challenge, in combination with the shared secret key, to generate a response via the HOTP algorithm. If the server is satisfied with the response, the client can then issue its own challenge to the server.

Another method which could be used to achieve mutual authentication would involve the creation of two keys, K1 and K2. K1 is used by Party A to check responses and K2 is used to produce responses to a challenge. Party B uses the keys for the reciprocal purpose. Party A can then issue a challenge to Party B, and B computes the response using K1 and the HOTP algorithm. Party A checks the validity of the response using K1 and then is issued its own challenge by Party B using K2.

OATH has been subjected to claims that the security of its HOTP technology is questionable because the SHA-1 algorithm upon which it is based has been compromised.[50] These claims are however debatable primarily because the computing resources required to mount an attack on SHA-1 are exorbitant.[51] HOTP could also be modified to use more complex algorithms which would be even more difficult to crack.

[48] Open Authentication Initiative, OATH Reference Architecture Release 1.0, 2005, <http://openauthentication.org/OATHReferenceArchitecturev1.pdf>.

[49] Open Authentication Initiative, Mutual OATH: HOTP Extensions for mutual authentication, December 2005, <http://openauthentication.org/pdfs/draft-mraihi-mutual-oath-hotp-variants-00.pdf>.

[50] Merritt R, Crack in SHA-1 code 'stuns' security gurus, EETimes, February 2005, <http://eetimes.com/news/latest/showArticle.jhtml?articleID=60402150>.

[51] Bellare M, Attacks on SHA-1, OATH, March 2005, <http://www.openauthentication.org/pdfs/Attacks on SHA-1.pdf>.

[« previous] [next »] [up] [title page] [full contents]

[view all] [download PDF version]

[up to research]

 

Search for:

HERE

PrintVersionprint this page

Sitemapsitemap

Subcribe to RSS newsrss news feed

Manage email subscriptionsmanage email subscriptions

Latest News

September 2019
Register of Public Galexia PIAs. Read more »

September 2019
Updates to Galexia Website. Read more »

September 2019
PM&C / Office of the National Data Commissioner (ONDC) releases Discussion Paper and accepts recommendations from Galexia’s PIA on the proposed Data Sharing and Release legislative framework. Read more »

August 2019
Galexia providing privacy advice and an independent public Privacy Impact Assessment (PIA) on 2021 Census for ABS. Read more »

June 2019
Galexia completes privacy advice and an independent Privacy Impact Assessment (PIA) on the Naval Shipbuilding College Workforce Register. Read more »

view all news items »

[Home] [Sitemap] [Print this page] [Privacy statement]

© Galexia Pty Ltd
Telephone: +61 (02) 9660 1111
Email: [email protected]