One-time passwords (OTPs) has become a mainstay in our procedures for secure user verification in sensitive applications, such as government and financial services.

Typically found in multi-factor authentication schemes, a standard OTP resists hacking attempts by imposing a time limit for users to input the given password. That is when you read or hear the phrase: “Please enter the code within the next two minutes.”

However, in the face of increasing cyberthreats, current OTP protocols will slowly become obsolete. Designing a better protocol to enforce the security and privacy of user information is no mean task. Professor Zhou Jianying from the Singapore University of Technology and Design (SUTD) and his collaborators recently proposed a new scheme that addresses some of the shortcomings of existing OTP methods.

There are several standard approaches to implementing OTP schemes. One approach, called RFC 6238, stores symmetric keys to generate these transient passcodes which should end up shared with the institution’s server. Another, the Lamport’81 scheme, requires the user device and server to have separate password verification keys. However, each approach comes with its own vulnerabilities – RFC 6238 is vulnerable to breaches to the server, while the Lamport’81 scheme cannot prevent the malicious tracking of each user’s identity. This presents an alluring treasure trove for threat actors: If they can pry a crack open into the server, security information for all users are theirs for the taking.

Random Tree Shuffling
Developments in the cryptographic scene have proposed various means to close the lid on this vulnerability. Zhou highlighted one particular group time-based OTP (GTOTP) scheme proposed earlier with his collaborators. This scheme involves a random shuffling tree-like structure, with users tagged to each leaf on the tree for verification. “Its ability to provide user identity privacy while ensuring security and scalability is desirable in many real-world applications,” Zhou said.

Schneider Bold

The arboreal algorithm structure, however, cannot change after planting it. All users that participate in the identity verification must be present from the start – they cannot leave nor can new users join.

“The static nature of group structures assumed by previous schemes didn’t reflect the fluidity often seen in memberships, whether in business contexts, collaborative projects, or community settings,” Zhou said.

In the latest work, Zhou and his collaborators studied a new scheme called dynamic GTOTP (DGTOTP) that can end up implemented in practical situations. The researchers focused on two hurdles to overcome the difficulty of dynamic user environments: (1) fast and efficient algorithms for small devices, and (2) group management of the malleable pool of users.

High-level Merkle Tree Structure which is a random shuffling tree-like structure, with users tagged to each leaf on the tree for verification.
Source: SUTD

Modern handheld devices are typically small and do not have large computational prowess. Any algorithm running on the device should be kept compact and efficient. The researchers suggest a three-fold approach to reduce computational overhead.

Reducing Computational Burden
“The DGTOTP scheme employs outsourcing solutions for tasks like password generation and management to reduce the computational burden on group members. Furthermore, it addresses secure integration challenges by enhancing message authentication features,” said Zhou, highlighting the lightweight anonymous client authentication approach.

Additionally, the scheme uses an issue-first-and-join-later (IFJL) strategy which allows for the seamless handling of joining operations without disrupting other group members’ local states.

This dynamic scheme can end up applied to real-world scenarios where secure and efficient authentication within dynamic group settings is crucial. For instance, collaborative work environments where teams often change members or work with external partners would benefit from having a secure access to shared resources while facilitating secure onboarding and offloading. In online communities and forums, moderators may choose to restrict access to certain sections or features.

Zhou’s proposal is just the first step to enhancing privacy and security, with many paths to explore. There are still some ways to go before witnessing widespread adoption.

“For practical applications, an extension of our concept to securely integrate transport layer security (TLS) and DGTOTP could lead to the development of a protocol for mutual anonymous authenticated credential channel establishment,” he said.


Pin It on Pinterest

Share This