One-time passwords. Where? What for? How?
When I first heard the phrase “one-time password,” I was at a loss. How is this disposable? Who will use passwords that are valid only once? how many passwords do you need to remember to throw it away after the first use? And in general, who needs it, because there are also normal long-lived passwords.
If you as well as I fall into some confusion at the phrase “one-time password”, then I will try to tell what it is, what they can be used for and how they work.
Imagine that you were on a business trip in a foreign city, and you had a broken laptop, or you didn’t have one at all, and you urgently needed to go to corporate email or get access to the corporate portal. What are you going to do? That's right, most of us will go to the public internet site: an internet cafe / gaming club / post office. You came, sat down at a computer, opened a browser, entered an address, an authentication page appeared and ... STOP! This is a public computer, and if you now enter your username and password, then where is the guarantee that they will not immediately fall into the hands of third parties? What to do? This is the task that one-time passwords will help solve. You enter a login, enter a one-time password, and get access to the resource you need. Why is it more secure than regular password? Yes, because next time, to access corporate resources, you will have to enter a completely different password.
All of the above sounds nice, but the question remains: from where do you get the next password? Maybe you will need to change it before leaving the system? Can the administrator track that you have already used the password once, will change it and send you an SMS? Or maybe you have a list of these one-time passwords? No, everything is much simpler - there is a one-time password generator, which may look like a key ring, a USB flash drive, a credit card, or a small calculator. In order to generate a one-time password, just press one (or several, in the case of the “calculator”) buttons and a new password will be displayed on the screen. We enter this password and get access to the necessary information, and we are not afraid that the password was stolen or viewed, because next time a completely different password will be generated.
')
Well, the most interesting, but how does it all work? Everything is very simple. There are two components of this solution, the client (this is the one-time password generator, in the form of a keychain / flash drive / calculator that is given to the user) and a server (a software part that checks if the user has entered the correct password). At the time of initialization of the one-time password generator, two values are written into it: a random number (it is clear that the larger this number is, the better), which is called the initialization vector, and a counter. The same data is stored on the server. When a button is pressed on the generator of one-time passwords, the initialization vector and the counter are converted using a hash function to a certain value, which will be a one-time password (in fact, it is somewhat more complicated, but it is enough to understand the principle of operation). Since the hash function is irreversible, it is practically impossible to recover the initial values from the obtained value. Since each generation counter increases, each time the value of a one-time password will be different. The same situation occurs on the server, having received the user login, the server determines which initialization vector and which counter value should be used for calculations, using the same hash function, the server receives a one-time password. If the passwords match, the user is authenticated and can access the resources.
In case you accidentally clicked on a button several times and there was an out of sync, then there are methods for synchronizing the generator and the server.
The described scheme of work is greatly simplified, there are more complex schemes, for example, when the server sends us a value, we enter it into the crypto calculator, get another “response value” and enter it into the authentication form as a password.
The described schemes of work are tied to events, that is, at the touch of a button, there are also schemes of work tied to time.
The above scheme of one-time passwords is somewhat simplified, but in my opinion reveals the basic principles of work. More details about the implementation of one-time passwords can be found in RFC 4226.
PS This is my first article on Habré, but I hope not the last ...
When the generator of one-time passwords is issued to the user, his serial number is tied to the user's login, thus, having received the user's login, the server knows for sure what values of the initialization vector and the counter should be used. What happens to these
If you as well as I fall into some confusion at the phrase “one-time password”, then I will try to tell what it is, what they can be used for and how they work.
Imagine that you were on a business trip in a foreign city, and you had a broken laptop, or you didn’t have one at all, and you urgently needed to go to corporate email or get access to the corporate portal. What are you going to do? That's right, most of us will go to the public internet site: an internet cafe / gaming club / post office. You came, sat down at a computer, opened a browser, entered an address, an authentication page appeared and ... STOP! This is a public computer, and if you now enter your username and password, then where is the guarantee that they will not immediately fall into the hands of third parties? What to do? This is the task that one-time passwords will help solve. You enter a login, enter a one-time password, and get access to the resource you need. Why is it more secure than regular password? Yes, because next time, to access corporate resources, you will have to enter a completely different password.
All of the above sounds nice, but the question remains: from where do you get the next password? Maybe you will need to change it before leaving the system? Can the administrator track that you have already used the password once, will change it and send you an SMS? Or maybe you have a list of these one-time passwords? No, everything is much simpler - there is a one-time password generator, which may look like a key ring, a USB flash drive, a credit card, or a small calculator. In order to generate a one-time password, just press one (or several, in the case of the “calculator”) buttons and a new password will be displayed on the screen. We enter this password and get access to the necessary information, and we are not afraid that the password was stolen or viewed, because next time a completely different password will be generated.
')
Well, the most interesting, but how does it all work? Everything is very simple. There are two components of this solution, the client (this is the one-time password generator, in the form of a keychain / flash drive / calculator that is given to the user) and a server (a software part that checks if the user has entered the correct password). At the time of initialization of the one-time password generator, two values are written into it: a random number (it is clear that the larger this number is, the better), which is called the initialization vector, and a counter. The same data is stored on the server. When a button is pressed on the generator of one-time passwords, the initialization vector and the counter are converted using a hash function to a certain value, which will be a one-time password (in fact, it is somewhat more complicated, but it is enough to understand the principle of operation). Since the hash function is irreversible, it is practically impossible to recover the initial values from the obtained value. Since each generation counter increases, each time the value of a one-time password will be different. The same situation occurs on the server, having received the user login, the server determines which initialization vector and which counter value should be used for calculations, using the same hash function, the server receives a one-time password. If the passwords match, the user is authenticated and can access the resources.
In case you accidentally clicked on a button several times and there was an out of sync, then there are methods for synchronizing the generator and the server.
The described scheme of work is greatly simplified, there are more complex schemes, for example, when the server sends us a value, we enter it into the crypto calculator, get another “response value” and enter it into the authentication form as a password.
The described schemes of work are tied to events, that is, at the touch of a button, there are also schemes of work tied to time.
The above scheme of one-time passwords is somewhat simplified, but in my opinion reveals the basic principles of work. More details about the implementation of one-time passwords can be found in RFC 4226.
PS This is my first article on Habré, but I hope not the last ...
When the generator of one-time passwords is issued to the user, his serial number is tied to the user's login, thus, having received the user's login, the server knows for sure what values of the initialization vector and the counter should be used. What happens to these
Source: https://habr.com/ru/post/67218/
All Articles