short, a TAN is a piece of authentication information that can be used for one
single authentication process or transaction. It is randomly chosen by the verifier
and provided to the claimant using some secure channel (e.g., a trusted courier). The
use of TANs is simple and straightforward, and as such there are many applications
for them. For example, banks have been using TANs (together with passwords)
to authenticate users and account owners for years. Similarly, many e-government
applications can provide client authentication using TANs (e.g., code voting for
remote Internet voting [7]). If the number of authentication processes or transactions
increases beyond a certain threshold, the generation, distribution, and management
of TANs becomes difficult (i.e., the use of TANs does not scale well). In this
case, it is generally a good idea to use cryptographic techniques to come up with
authentication schemes that make use of secure channels or dynamically changing
information [8]. For example, on the Internet it is common practice today to use
the SSL/TLS protocol [9, 10] to securely transmit a password from a claimant
(typically a browser) to a verifier (typically a Web server). There are some theoretical
attacks against passwords transmitted over SSL/TLS channels if specific symmetric
encryption systems are used in specific modes of operation (e.g., [11, 12]), but for
all practical purposes passwords transmitted over SSL/TLS channels can be made
sufficiently secure.
One-Time Password Schemes
As its name suggests, a one-time password is a password that can be used only
once, meaning that it can be used for only one single authentication process. As
such, a one-time password is conceptually similar to a TAN. The major difference is
that TANs are generated randomly by the verifier and distributed to the claimant
using some secure channel, whereas one-time passwords are typically generated
dynamically and deterministically on either side (i.e., by the claimant and verifier).
As such, a one-time password scheme is an authentication scheme that uses one-time
passwords. There are many one-time password schemes and corresponding systems
available today.
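As an added illustration (not from the book and not the algorithm of any particular product), the following Python sketches a time-synchronized one-time password scheme in which claimant and verifier derive the same code deterministically from a shared secret key and the current time slot. HMAC-SHA256 is assumed as the keyed transform, the verifier tolerates one slot of clock drift, and it remembers the last accepted slot so that a code cannot be used a second time.

```python
import hmac
import hashlib
import struct

# Constructed demo parameters: a per-token shared secret and a 30-second time step.
SECRET = b"constructed-demo-shared-secret"
TIME_STEP = 30
DIGITS = 6


def time_counter(unix_time: int, step: int = TIME_STEP) -> int:
    """Map a clock reading to the coarse time slot shared by claimant and verifier."""
    return unix_time // step


def generate_otp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Claimant side: derive a short decimal code from the time slot and the secret key.

    HMAC-SHA256 stands in for the keyed transform; the slot is fed in as a
    big-endian 64-bit integer and the leading four MAC bytes are reduced to
    a fixed number of digits for display.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return str(code).zfill(digits)


class OtpVerifier:
    """Verifier side: holds the shared secret and the last accepted slot.

    Accepting a slot at most once is what makes the password one-time; the
    drift window lets a slightly skewed token clock still authenticate.
    """

    def __init__(self, secret: bytes, drift_slots: int = 1) -> None:
        self.secret = secret
        self.drift_slots = drift_slots
        self.last_accepted = -1

    def verify(self, candidate: str, verifier_time: int) -> bool:
        base = time_counter(verifier_time)
        for offset in range(-self.drift_slots, self.drift_slots + 1):
            slot = base + offset
            if slot <= self.last_accepted:
                continue  # a code for this slot was already consumed
            expected = generate_otp(self.secret, slot)
            if hmac.compare_digest(expected, candidate):
                self.last_accepted = slot
                return True
        return False
```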
SecurID tokens marketed by RSA Security, Inc., are the most important and
most widely deployed one-time password systems in use today. The design
and algorithms of the SecurID tokens are not published. It is known, however,
that every SecurID token contains a cryptographic processor that implements
a symmetric encryption system, a secret key, a local clock that is synchronized
with the verifier (i.e., an ACE/server), and a small display. The one-time
passwords are generated by the token reading out the time from the local
clock and encrypting the corresponding value with the secret key. At each