Vulnerability analysis and the practical implications of a server-challenge-based one-time password system

Full description

Bibliographic details
Published in: Information management & computer security 2010-01, Vol.18 (2), p.86-100
Main authors: Yang, Seung S, Choi, Hongsik
Format: Article
Language: English
Online access: Full text

Description
Summary:

Purpose - One-time password systems offer clear advantages over conventional password systems: protection against over-the-shoulder observation, eavesdropping, replay, etc. The Grid Data Security authentication system is a server-challenge-based system. It has advantages over other one-time password systems since it requires neither pre-installed software nor special devices to carry. However, it has some weaknesses. The purpose of this paper is to analyze the weaknesses of the one-time password system and provide practical guidelines for using it.

Design/methodology/approach - This paper statistically analyzes the weakness of the Grid Data Security authentication system and simulates attacks on the system to confirm the discovered weakness. The paper also suggests ways to reduce the discovered vulnerability using a mathematical formula and offers practical guidelines for using the system. It also identifies the system's strength in access authentication on mobile communication.

Findings - The Grid Data Security authentication system, which is a server-challenge-based one-time password system, has a serious weakness when an attacker obtains its user-interface screen and its GridCode. The discovered vulnerability can be mitigated by changing the cardinality of the GridCode. This paper derives a formula that helps a system manager decide the security level and the corresponding required cardinality of the GridCode and length of the password. It also identifies the system's strengths in mobile communication.

Originality/value - The paper provides a practical tool for security managers to identify the required cardinality of the GridCode and the password length for given levels of security.
ISSN: 0968-5227, 2056-4961, 1758-5805, 2056-497X
DOI:10.1108/09685221011048337