NO SECURITY BY OBSCURITY – WHY TWO FACTOR AUTHENTICATION SHOULD BE BASED ON AN OPEN DESIGN

Jinying Yu, Philipp Brune

Abstract

The recently reported security issue possibly compromising the security tokens sold by a major vendor of two factor authentication (2FA) solutions (Schneier, 2011) demonstrates the importance of the basic principle of using an open design for security solutions (Saltzer and Schroeder, 1974). In particular, the safety of such devices should not be based on the use of a secret algorithm or seed value to generate a sequence of one-time passwords (OTP) inside the security token. Instead, we argue in favour of using an open design using pre-generated sequences of OTP that are stored encrypted on the security token. Here, the safety of the solution only relies on the confidentiality of the decryption key and not the design of the solution itself. We illustrate our argumentation by describing a respective authentication scheme and a prototype based on an open design, the latter being used as the basis for the security analysis.

References

  1. Geambasu, R., Kohno, T., Levy, A., Levy, H. M. (2009). Vanish: Increasing Data Privacy with Self-Destructing Data. In Proceedings of the USENIX Security Symposium. Montreal, Canada.
  2. Ku, W. C. (2004). A Hash-Based Strong-Password Authentication Scheme without Using Smart Cards. SIGOPS Operating Systems Review, 38(1), 29-34.
  3. Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770-772.
  4. Lin, C. L., Sun, H. M., Hwang, T. (2001). Attacks and Solutions on Strong-Password Authentication. IEICE Transactions on Communications, E84-B(9), 2622- 2627.
  5. M'Raihi, D. Bellare, M., Hoornaert, F., Naccache, D., Ranen, O. (2005). HOTP: An HMAC-Based OneTime Password Algorithm. In Request for Comments, 4226. Internet Engineering Task Force. Retrieved May 15, 2011, from http://www.ietf.org/rfc/rfc4226.txt
  6. Saltzer, J. H., Schroeder, M. D. (1974). The Protection of Information in Computer Systems. Communications of the ACM, 17(7).
  7. Schneier, B., Kelsey, J., Whiting, D., Wagner, D., Hall, C. (1998). Twofish: A 128-Bit Block Cipher. AES-Submission.
  8. Schneier, B. (2011). Schneier on Security (Blog). Retrieved April 8, 2011, from http://www.schneier.com/blog/archives/2011/03/rsa_s ecurity_in.html
  9. Sood, S. K., Sarje, A. K., Singh, K. (2010). An Improvement of Xu et al.'s Authentication Scheme using Smart Cards. In COMPUTE 7810, Proceedings of the Third Annual ACM Bangalore Conference. ACM.
  10. Yang, G., Wong, D., Wang, H., Deng, X. (2006). Formal Analysis and Systematic Construction of Two-Factor Authentication Scheme. In Information and Communications Security (Lecture Notes in Computer Science) (pp. 82-91). Berlin / Heidelberg: Springer.
  11. Yang, W. H., Shieh, S. P. (1999). Password Authentication with Smart Cards. Computers & Security, 18(8), 727-733.
Download


Paper Citation


in Harvard Style

Yu J. and Brune P. (2011). NO SECURITY BY OBSCURITY – WHY TWO FACTOR AUTHENTICATION SHOULD BE BASED ON AN OPEN DESIGN . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011) ISBN 978-989-8425-71-3, pages 418-421. DOI: 10.5220/0003610004180421


in Bibtex Style

@conference{secrypt11,
author={Jinying Yu and Philipp Brune},
title={NO SECURITY BY OBSCURITY – WHY TWO FACTOR AUTHENTICATION SHOULD BE BASED ON AN OPEN DESIGN},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)},
year={2011},
pages={418-421},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003610004180421},
isbn={978-989-8425-71-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)
TI - NO SECURITY BY OBSCURITY – WHY TWO FACTOR AUTHENTICATION SHOULD BE BASED ON AN OPEN DESIGN
SN - 978-989-8425-71-3
AU - Yu J.
AU - Brune P.
PY - 2011
SP - 418
EP - 421
DO - 10.5220/0003610004180421