
Ubiquitous One-Time Password Service Using the Generic Authentication Architecture

Mobile Networks and Applications

Abstract

The Generic Authentication Architecture (GAA) is a standardised extension to the mobile authentication infrastructure that enables the provision of security services, such as key establishment, to network applications. In this paper we first show how Trusted Computing can be extended in a GAA-like framework to offer new security services. We then propose a general scheme that converts a simple static password authentication mechanism into a one-time password (OTP) system using the GAA key establishment service. The scheme employs a GAA-enabled user device and a GAA-aware server. Most importantly, unlike most OTP systems, which rely on a dedicated key-bearing token, the user device need not be user- or server-specific, and can be used in the protocol with no registration or configuration (other than the installation of the necessary application software). We also give two practical instantiations of the general scheme, building firstly on the mobile authentication infrastructure and secondly on Trusted Computing. The practical systems are secure and scalable, fit the multi-institution scenario well, and enable the provision of ubiquitous and on-demand OTP services.


Notes

  1. The 3rd Generation Partnership Project (3GPP).

  2. The 3rd Generation Partnership Project 2 (3GPP2).

  3. In the GAA specifications [5], the functionality of a GAA-aware application server is referred to as the Network Application Function (NAF).

References

  1. 3rd Generation Partnership Project (3GPP) (2009) 3G security: access security for IP-based services. Technical Specification TS 33.203, version 9.3.0

  2. 3rd Generation Partnership Project (3GPP) (2009) Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details. Technical Specification TS 24.109, version 9.1.0

  3. 3rd Generation Partnership Project (3GPP) (2009) Generic authentication architecture (GAA); access to network application functions using hypertext transfer protocol over transport layer security (HTTPS). Technical Specification TS 33.222, version 9.1.0

  4. 3rd Generation Partnership Project (3GPP) (2009) Numbering, addressing and identification. Technical Specification TS 23.003, version 9.2.0

  5. 3rd Generation Partnership Project (3GPP) (2009) Technical specification group services and systems aspects, generic authentication architecture (GAA), generic bootstrapping architecture. Technical Specification TS 33.220, version 9.2.0

  6. Alzomai M, Josang A (2010) The mobile phone as a multi OTP device using trusted computing. In: Proceedings of the 4th international conference on network and system security. IEEE Computer Society, Melbourne, Australia, pp 75–82


  7. Boyd C, Mathuria A (2003) Protocols for authentication and key establishment. Springer

  8. Chen C, Mitchell CJ, Tang S (2010) Extending Trusted Computing as a security service. In preparation. A poster of this paper was presented at the 21st Hewlett-Packard Colloquium on Information Security, Royal Holloway, University of London. Available at http://www.isg.rhul.ac.uk/cjm/Papers/etcaas.pdf. Accessed 20 Dec 2010

  9. Franks J, Hallam-Baker PM, Hostetler JL, Lawrence SD, Leach PJ, Luotonen A, Stewart LC (1999) HTTP authentication: basic and digest access authentication. Internet Engineering Task Force, RFC 2617

  10. Hardjono T, Kazmierczak G (2008) Overview of the TPM key management standard. TCG Presentations at the 1st IEEE Key Management Summit, Baltimore MD. Available at http://www.trustedcomputinggroup.org/resources/. 23–24 Sep 2008

  11. Holtmanns S, Niemi V, Ginzboorg P, Laitinen P, Asokan N (2008) Cellular authentication for mobile and internet services. John Wiley and Sons

  12. International Organization for Standardization (1998) ISO/IEC 9798-3:1998/Amd 1:2010, information technology—security techniques—entity authentication—part 3: mechanisms using digital signature techniques. Genève, Switzerland

  13. James L (2006) Phishing exposed. Syngress

  14. Krawczyk H, Bellare M, Canetti R (1997) HMAC: Keyed-hashing for message authentication. Internet Engineering Task Force, RFC 2104 (Informational)

  15. Molva R, Tsudik G (1993) Authentication method with impersonal token cards. In: Proceedings of the 1993 IEEE symposium on security and privacy. IEEE Computer Society, Oakland, California, USA, pp 56–65


  16. M’Raihi D, Bellare M, Hoornaert F, Naccache D, Ranen O (2005) HOTP: an HMAC-based one-time password algorithm. Internet Engineering Task Force, RFC 4226 (Informational)

  17. Pearson S (2002) Trusted Computing Platforms, the next security solution. Technical Report HPL-2002-221, Hewlett-Packard Laboratories. Available at http://www.hpl.hp.com/techreports/2002/HPL-2002-221.pdf. Accessed Nov 2002

  18. Trusted Computing Group (2007) TCG mobile reference architecture, TCG Specification, Version 1.0, Revision 1

  19. Trusted Computing Group (2007) TPM main, part 1 design principles. TCG Specification, Version 1.2, Revision 103

  20. Trusted Computing Group (2007) TPM main, part 2 TPM data structures. TCG Specification, Version 1.2, Revision 103

  21. Trusted Computing Group (2007) TPM main, part 3 commands. TCG Specification, Version 1.2, Revision 103

  22. Trusted Computing Group (2010) TCG mobile trusted module specification. TCG Specification, Version 1.0, Revision 7.02


Acknowledgements

The authors would like to thank Liqun Chen, Zheng Gong and Qiang Tang for their invaluable encouragement and advice.

Corresponding author

Correspondence to Chris J. Mitchell.

Additional information

C. Chen is a PhD student at the South China University of Technology. This work was performed during a visit to the Information Security Group at Royal Holloway, University of London, sponsored by the Chinese Scholarship Council and the Natural Science Foundation of Guangdong Province, China (No. 9351064101000003).


Cite this article

Chen, C., Mitchell, C.J. & Tang, S. Ubiquitous One-Time Password Service Using the Generic Authentication Architecture. Mobile Netw Appl 18, 738–747 (2013). https://doi.org/10.1007/s11036-011-0329-z
