Chapter 4 - 02 - Discuss Identity and Access Management (IAM) - 04_ocred.pdf

Full Transcript

Certified Cybersecurity Technician, Exam 212-82: Identification, Authentication, and Authorization

Two-factor Authentication Techniques: OATH

Slide summary:
- Open Authentication (OATH) is a reference architecture designed by a group of companies with the aim of developing an open strong authentication technology that supports a wide variety of networks.
- Its main goal is to provide safe and secure online transactions for users based on two-factor authentication.
- It has introduced three algorithms, namely HOTP, OCRA, and TOTP, for implementing OTP authentication.
- HMAC-based One-time Password (HOTP): an HOTP is an event-based OTP, where the input seed is static and the moving factor is based on a counter. When an HOTP is requested, the moving factor is incremented based on a counter.
- OATH Challenge-Response Algorithm (OCRA): OCRA is a challenge-response mode of authentication based on HOTP. It is an extension to HOTP with a challenge mode for verifying HOTP tokens based on random questions.
- Time-based One-time Password (TOTP): a TOTP is a time-based OTP, where the input seed is static and the moving factor is time. In TOTP, the time is incremented, and the increment is called the timestep.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Open Authentication (OATH)

The Open Authentication (OATH) is a reference architecture designed by a group of companies with the aim of developing an open strong authentication technology that supports a wide variety of networks. Its main goal is to provide safe and secure online transactions for users based on two-factor authentication. For implementing one-time password (OTP) authentication, OATH has introduced three algorithms, namely, hash-based message authentication code (HMAC)-based OTP (HOTP), OATH challenge-response algorithm (OCRA), and time-based OTP (TOTP).

Module 04 Page 479

HMAC-based one-time password (HOTP)

An HOTP is an event-based OTP that depends on two inputs: a secret key called the seed, and the moving factor. In HOTP, the seed is static, and the moving factor in the OTP code is based on a counter that is stored both in the token and on the server. When the HOTP receives a user request, after validation, the moving factor is incremented based on a counter. The authentication server validates the generated OTP, which remains valid until the user requests a new OTP. When the code validation process is performed, the OTP generator and the server are synchronized, thereby providing access to the user. HOTP uses the SHA-1 hash function in the HMAC; the token takes the generated 160-bit value and reduces it to 6 or 8 decimal digits. One example of an OTP generator that follows the HOTP technique is Yubico's YubiKey.

Figure 4.12: HMAC-based one-time password (HOTP). Inputs: Secret Key and Moving Factor (Counter); output: OTP.

OATH challenge-response algorithm (OCRA)

The OCRA is a challenge-response mode of authentication based on HOTP. OATH introduced OCRA as an extension to HOTP with a challenge mode for verifying HOTP tokens based on random questions. The main intention in introducing OCRA is to enhance the security of e-commerce applications.

Figure 4.13: OATH challenge-response algorithm (OCRA). Inputs: Challenge and Moving Factor (Counter); output: OTP.

Time-based one-time password (TOTP)

In a TOTP, the input seed is static, as in HOTP, but the moving factor is time instead of a counter. In TOTP, the time is incremented by a value called the timestep. The timestep is the amount of time the password is valid for and is typically 30 or 60 s. Once the timestep is exhausted, the password is no longer valid, and the user must request a new one to obtain access.

Figure 4.14: Time-based one-time password (TOTP). Inputs: Secret Key and Moving Factor (Time); output: OTP.
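The HOTP and TOTP sections above describe the computation in words; the following is an added example (not EC-Council's code) that implements both as published in the standards OATH contributed (HOTP in RFC 4226, TOTP in RFC 6238), using HMAC-SHA-1 and dynamic truncation of the 160-bit MAC to 6 or 8 digits, plus a server-side verifier that resynchronises its counter the way the text describes. The function and class names (hotp, totp, HotpVerifier) are my own, and the seed is the RFC's published test value, not a real key.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample: the 20-byte ASCII seed used by the RFC 4226/6238 test vectors.
TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA-1 over the 8-byte big-endian counter, then
    dynamic truncation of the 160-bit MAC down to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear sign bit
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(seed: bytes, unix_time=None, timestep: int = 30, digits: int = 6) -> str:
    """Time-based OTP: identical to HOTP, but the moving factor is the number
    of whole timesteps elapsed since the Unix epoch, so the code is valid for
    one timestep (30 s by default)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(seed, unix_time // timestep, digits)


class HotpVerifier:
    """Server side of HOTP: keeps the last accepted counter and accepts a code
    only if it matches one of the next `window` counters (the token may have
    generated codes the server never saw), then resynchronises to it."""

    def __init__(self, seed: bytes, window: int = 5, digits: int = 6) -> None:
        self.seed, self.window, self.digits = seed, window, digits
        self.counter = 0  # next counter value expected from the token

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # compare_digest keeps the comparison constant-time
            if hmac.compare_digest(hotp(self.seed, c, self.digits), code):
                self.counter = c + 1  # advance past the used counter: no replay
                return True
        return False
```

A code outside the look-ahead window (or one already consumed) is rejected, which is why server and token must stay synchronised.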
