Abstract
The Generic Authentication Architecture (GAA) is a standardised extension to the mobile authentication infrastructure that enables the provision of security services, such as key establishment, to network applications. In this paper we first show how Trusted Computing can be extended in a GAA-like framework to offer new security services. We then propose a general scheme that converts a simple static password authentication mechanism into a one-time password (OTP) system using the GAA key establishment service. The scheme employs a GAA-enabled user device and a GAA-aware server. Most importantly, unlike most OTP systems using a dedicated key-bearing token, the user device does not need to be user or server specific, and can be used in the protocol with no registration or configuration (except for the installation of the necessary application software). We also give two practical instantiations of the general scheme, building firstly on the mobile authentication infrastructure and secondly on Trusted Computing. The practical systems are secure, scalable, fit well to the multi-institution scenario, and enable the provision of ubiquitous and on-demand OTP services.
Similar content being viewed by others
Notes
The 3rd Generation Partnership Project (3GPP).
The 3rd Generation Partnership Project 2 (3GPP2).
In the GAA specifications [5], the functionality of a GAA-aware application server is referred to as the Network Application Function (NAF).
References
3rd Generation Partnership Project (3GPP) (2009) 3G security: access secure for IP-based services. Technical Specification TS 33.203, version 9.3.0
3rd Generation Partnership Project (3GPP) (2009) Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details. Technical Specification TS 24.109, version 9.1.0
3rd Generation Partnership Project (3GPP) (2009) Generic authentication architecture (GAA); access to network application functions using hypertext transfer protocol over transport layer security (HTTPS). Technical Specification TS 33.222, version 9.1.0
3rd Generation Partnership Project (3GPP) (2009) Numbering, addressing and identification. Technical Specification TS 23.003, version 9.2.0
3rd Generation Partnership Project (3GPP) (2009) Technical specification group services and systems aspects, generic authentication architecture (GAA), generic bootstrapping architecture. Technical Specification TS 33.220, version 9.2.0
Alzomai M, Josang A (2010) The mobile phone as a multi OTP device using trusted computing. In: Proceedings of the 4th international conference on network and system security. IEEE Computer Society, Melbourne, Australia, pp 75–82
Boyd C, Mathuria A (2003) Protocols for authentication and key establishment. Springer
Chen C, Mitchell CJ, Tang S (2010) Extending Trusted Computing as a security service. In preparation. A poster of this paper is presented at the 21st Hewlett-Packard Colloquium on Information Security, Royal Holloway, University of London. Available at http://www.isg.rhul.ac.uk/cjm/Papers/etcaas.pdf. Accessed 20 Dec 2010
Franks J, Hallam-Baker PM, Hostetler JL, Lawrence SD, Leach PJ, Luotonen A, Stewart LC (1999) HTTP authentication: basic and digest access authentication. Internet Engineering Task Force, RFC 2617
Hardjono T, Kazmierczak G (2008) Overview of the TPM key management standard. TCG Presentations at the 1st IEEE Key Management Summit, Baltimore MD. Available at http://www.trustedcomputinggroup.org/resources/. 23–24 Sep 2008
Holtmanns S, Niemi V, Ginzboorg P, Laitinen P, Asokan N (2008) Cellular authentication for mobile and internet services. John Wiley and Sons
International Organization for Standardization (1998) ISO/IEC 9798-3:1998/Amd 1:2010, information technology—security techniques—entity authentication—part 3: mechanisms using digital signature techniques. Genève, Switzerland
James L (2006) Phishing exposed. Syngress
Krawczyk H, Bellare M, Canetti R (1997) HMAC: Keyed-hashing for message authentication. Internet Engineering Task Force, RFC 2104 (Informational)
Molva R, Tsudik G (1993) Authentication method with impersonal token cards. In: Proceedings of the 1993 IEEE symposium on security and privacy. IEEE Computer Society, Oakland, California, USA, pp 56–65
M’Raihi D, Bellare M, Hoornaert F, Naccache D, Ranen O (2005) HOTP: an HMAC-based one-time password algorithm. Internet Engineering Task Force, RFC 4226 (Informational)
Pearson S (2002) Trusted Computing Platforms, the next security solution. Technical Report HPL-2002-221, Hewlett-Packard Laboratories. Available at http://www.hpl.hp.com/techreports/2002/HPL-2002-221.pdf. Accessed Nov 2002
Trusted Computing Group (2007) TCG mobile reference architecture, TCG Specification, Version 1.0, Revision 1
Trusted Computing Group (2007) TPM main, part 1 design principles. TCG Specification, Version 1.2, Revision 103
Trusted Computing Group (2007) TPM main, part 2 TPM data structures. TCG Specification, Version 1.2, Revision 103
Trusted Computing Group (2007) TPM main, part 3 commands. TCG Specification, Version 1.2, Revision 103
Trusted Computing Group (2010) TCG mobile trusted module specification. TCG Specification, Version 1.0, Revision 7.02
Acknowledgements
The authors would like to thank Liqun Chen, Zheng Gong and Qiang Tang for their invaluable encouragement and advice.
Author information
Authors and Affiliations
Corresponding author
Additional information
C. Chen is a PhD student at the South China University of Technology. This work was performed during a visit to the Information Security Group at Royal Holloway, University of London, sponsored by the Chinese Scholarship Council and the Natural Science Foundation of Guangdong Province, China (No. 9351064101000003).
Rights and permissions
About this article
Cite this article
Chen, C., Mitchell, C.J. & Tang, S. Ubiquitous One-Time Password Service Using the Generic Authentication Architecture. Mobile Netw Appl 18, 738–747 (2013). https://doi.org/10.1007/s11036-011-0329-z
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11036-011-0329-z