
Design of A One-time Password Generator on A Mobile Phone Providing An Additional Authentication for A Particular Transaction  

Park, Jun-Cheol (Department of Computer Engineering, Hongik University)
Abstract
One-time passwords are used just once and then discarded, which makes them more secure than conventional passwords that are reused repeatedly. This paper proposes a challenge-response based one-time password generator that runs on the user's mobile phone, a device the user always carries. The generator provides an additional authentication step when a user issues a money transfer request within an Internet banking session on a PC. A device currently used for Internet banking generates a password that changes every 30 seconds or so, which allows a man-in-the-middle to use that password to steal money within those 30 seconds. Unlike such a device, the proposed generator resists the man-in-the-middle attack by means of a novel challenge-response scheme, and offers better accessibility and better protection against stolen devices. As the currently used devices do, it prevents any unauthorized transfer even if all of the victim's other credentials are revealed through a PC infected with spyware such as a keyboard logger.
Keywords
OTP; Mobile Phone; Man-In-The-Middle Attack; Internet Banking
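The abstract contrasts a time-based password, valid for any transfer submitted within its 30-second window, with a challenge-response password tied to one particular transaction. The following Python example, added here and not taken from the paper or from any banking product, illustrates that difference: a HOTP/TOTP-style code that the bank checks without reference to the transaction, beside a generic response computed over the transaction details and a server nonce. The key, account identifiers, nonce and timestamp are constructed sample values, and the transaction-binding construction is a textbook assumption used for illustration, not the paper's own scheme.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample key shared between the phone and the bank (illustration only).
SECRET = b"constructed-demo-secret-do-not-use"


def time_based_otp(secret, t, step=30, digits=6):
    """TOTP-style code: HMAC over the current 30-second counter, dynamically truncated."""
    counter = int(t // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def bank_accepts_time_otp(secret, submitted, t, step=30):
    """The bank only checks the code against the clock; it never sees which transfer it authorises."""
    return hmac.compare_digest(submitted, time_based_otp(secret, t, step))


def transaction_challenge(tx, nonce):
    """Canonical encoding of the transfer the phone displays to the user plus a server nonce."""
    return json.dumps({"tx": tx, "nonce": nonce}, sort_keys=True,
                      separators=(",", ":")).encode()


def transaction_bound_otp(secret, challenge, digits=6):
    """Response bound to one transaction: HMAC over the challenge, truncated to digits."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % (10 ** digits):0{digits}d}"


def bank_accepts_tx_otp(secret, submitted, tx, nonce):
    """The bank recomputes the response over the transfer it is actually asked to execute."""
    expected = transaction_bound_otp(secret, transaction_challenge(tx, nonce))
    return hmac.compare_digest(submitted, expected)


def demo_mitm():
    """Compare both schemes when a man-in-the-middle swaps the destination and amount."""
    t = 56_666_667 * 30.0                      # constructed timestamp at the start of a window
    user_tx = {"to": "ACCT-USER-FRIEND", "amount": 100}        # what the user intended
    attacker_tx = {"to": "ACCT-ATTACKER", "amount": 5000}      # what the MITM submits

    # Time-based: the intercepted code is still valid 10 s later for a different transfer.
    code = time_based_otp(SECRET, t)
    replay_accepted = bank_accepts_time_otp(SECRET, code, t + 10)

    # Transaction-bound: the response covers the user's transfer, so the altered one fails.
    nonce = "constructed-server-nonce-0001"
    response = transaction_bound_otp(SECRET, transaction_challenge(user_tx, nonce))
    user_accepted = bank_accepts_tx_otp(SECRET, response, user_tx, nonce)
    attacker_accepted = bank_accepts_tx_otp(SECRET, response, attacker_tx, nonce)

    return {
        "time_otp_replay_accepted": replay_accepted,
        "bound_user_accepted": user_accepted,
        "bound_attacker_accepted": attacker_accepted,
    }


if __name__ == "__main__":
    print(demo_mitm())
```

The point the example makes is the one the abstract makes: a code whose validity depends only on time authorises whatever transfer arrives while it is valid, whereas a response computed over the displayed transaction and a fresh server challenge is useless for any other transfer, even inside the same window. In a real deployment the phone must show the user the exact details it is signing, otherwise the binding protects nothing.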