Beruflich Dokumente
Kultur Dokumente
IEEEAnnual
34th Annual
IEEE Computer Software and Applications Conference
Fred Cheng
International Technological University and FPC Consultancy
Los Altos Hills, CA USA
fredtcheng@yahoo.com
not a true web-based OTP token, poor interoperability and
weak or no compliance with existing authentication
infrastructures plus poor usability for general public.
In this paper, we propose a novel Rubbing Encryption
Algorithm (REAL) as the baseline technology for a new
secured Web-based OTP Token. REAL can securely encrypt
a short word length data such as an OTP code. REAL can
decrypt the ciphertext without entering encryption key to a
PC or device. Such special feature prevents the revealing of
an encryption key. It also allows REAL to use a highly
complex and dynamic key to achieve a much higher strength
of encryption level. A key bearing hardware token, without
having any electronic component, is used to electronically
rub out (decrypt) plaintext from the ciphertext displayed
on a PC screen. This is why the algorithm gets its name
Rubbing Encryption Algorithm (REAL). But the most
important feature of REAL is its capability to securely
protect the plaintext even when the ciphertext is transmitted
and shown on an insecure public PC or Internet Kiosk.
An OATH (Initiative for Open AuTHentication) [7]
compliant REAL Web-based OTP Token is presented as an
implementation example. We first lay out the screen image
for the ciphertext based on the web page window size and
readability of the text. The designed image of this
ciphertext is called REAL Image as the ciphertext symbol is
of graphic form instead of a simple text. It deters the easy
detection of the ciphertext by a malicious program. REAL
encryption key is embedded on an inexpensive and nonelectronic plastic card. This card is the REAL hardware
token. REAL Web-based OTP Token software consists of
two major components Program File and Data File. Both
files are stored at server. Data File contains database of
each users credential and OTP generation key (K).
Operating a REAL Web-based OTP Token is as follows.
The user initiates an authentication process through a
remote PC. When the server receives a request, the OTP
Generation Program (OGP) retrieves the users key to
generate an OTP code. OGP then encrypts the OTP code
into a REAL Image (ciphertext). This REAL Image is sent
to the remote PC. The user then uses her hardware token to
rub out (decrypt) the OTP code from the REAL Image.
Such OTP code is then entered into the login window to
complete the 2FA process.
We use OATH Time-based OTP algorithm (TOTP) [8]
to generate the OTP code. As the code is generates by
server, it eliminates the counter de-synchronization problem
I.
INTRODUCTION
147
III.
A. Principle
Given an M x N matrix X made up from Y different
symbols, we can use Shannon entropy H(X) to describe
matrix Xs uncertainty [12].
MN
(1)
(2)
(3)
148
a. Front View
b. Rear View
Figure 2. REAL Image
B. Encryption Procedures
REAL allows the encrypted data (REAL Image) to be
displayed in many different spatial form factors. It can be in
the form of a data stream (one dimension) or a two
dimensional matrix or can be of other spatial form with
multiple dimensions. The corresponding encryption key
will be of the same multiple dimensions as well. For ease
of discussion, an M x N matrix X (REAL Image) and
numerals of 0 to 9 plus a tag (denoted as character G) as the
set of symbol are chosen to illustrate the proposed algorithm.
The tag is a colored background bar placed over a symbol.
Fig. 4 shows the pink color tag as an example.
1) Key Generation: With the display window and
symbol font sizes chosen, a REAL Image is designed and
layout first. REAL encryption key is the specific spatial
locations (Wi) where the plaintexts symbols are placed.
Given a REAL Image with size of M x N, we can use a
credit card size plastic card as REAL hardware token. Fig.
1 shows one such example. Transparent windows are
randomly placed on the card surface. For D symbols of
plaintext, we use D+E number of windows as key.
The total number of key (TNC) that can be embedded on
such hardware token with D+E random windows can be
found from the following equation.
I
II
III
W9
D5
3
3
W8
W7
D4
8
8
W6
D3
1
1
W5
W4
D2
2
2
W3
D1
6
6
W2
W1
(4)
W0
D0
9
9
149
CIPHERTEXT_IMAGE_GEN (K, i, R, N)
1 UC = User Credential //input by a user when activates
OTP generating process.
2 Using UC, server retrieves the users OTP secret key
(K) and Wi location data on the REAL Image.
3 OTP = OTP_Generation_Algorithm (K, i).
4 OTP = Concatenate(D_5|D_4| D_3|D_2| D_1|D_0).
5 Sequentially placing D_5 through D_0 into the Wi
locations inside the M x N matrix. Fill other Wi with
tags.
6 Fill the rest of matrix elements with randomly chosen
symbols and tags. So that the symbols used by OTP
code have higher complexity than others. This is
REAL Image.
7 Place REAL Image inside the R x N Ciphertext
Matrix. Fill the rest of matrix elements with randomly
chosen symbols and tags. So that each symbol has the
same occurring frequency and only REAL Image will
display the OTP code. This is Ciphertext matrix.
8 Ciphertext_Image = Ciphertext matrix.
9 End of program.
C. Decrypt Procedure
To decrypt and recover the plaintext, we overlay the
REAL hardware token on the REAL Image. After properly
align the token on the screen, the plaintext (OTP code)
clearly appears through the transparent windows on the card.
Fig. 6 shows such an example. The original OTP code is
recovered and ready for 2FA application. Notice that the
user does not need to enter the REAL decryption key to
decrypt the REAL Image.
IV.
150
(5)
1. Request
OTP
3. Enter
OTP
Send OTP
Server
1. Verify username
and password
2. Fetch Key, Wi &
Markers
3. Generate OTP,
REAL Image
and Ciphertext
Image
4. Complete 2FA
authentication
151
D. User Experience:
Using REAL Web-based OTP Token is very similar to
the operation of a regular software token. It ensures quick
adoption by a new user.
VI.
SECURITY ANALYSIS
152
E. Limitations
Recent MITM attack has gained new technique. It can
work with some Trojan that resides in a PC and has the
capability to perform certain actions transparently without
any users knowledge. In some case, it may redirect the user
to a fraudulent web site to collect a users data, and then
redirects back to the genuine web site after the data
collection. It may imitate a user from users own PC to
interact with genuine web site. Such MITM and Trojan
attacks present new challenges to entire network and data
security industry. 2FA system alone can not solve this issue
[17]. It will require layered security schemes, tools and
disciplines to make up a better protection system. REAL
Web-based OTP Token can then become one of the key
components to make up such a better secured system
solution.
VII.
CONCLUSION
153
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
ACKNOWLEDGMENT
[15]
[16]
REFERENCES
[18]
[1]
[2]
[3]
[4]
[17]
[19]
[20]
[21]
154