INFORMATION SECURITY

A Comparative Analysis of HOTP and TOTP Authentication Algorithms. Which one to choose?

1 Faculty of Computer Science & Eng., Ss. Cyril and Methodius University, Skopje, R. N. Macedonia

Abstract

Granting the right access, limiting resources, and recognizing a user's identity are important steps that must be taken before a user is admitted to a network. These steps are carried out by authentication and authorization. In this paper, we focus on HOTP and TOTP, two authentication algorithms for generating one-time passwords. A one-time password is an automatically generated string of characters, a password that is meant to be used only once; it is valid for a single login session or transaction. Because it is unpredictable and used only once, it yields stronger security, which is why this type of password is used in authentication algorithms. We analyse both algorithms and the way they work, and present the obtained results and their use in practice. The main difference is that the HOTP algorithm relies only on a keyed hash function, while the TOTP algorithm adds a time component on top of the hash. To decide when each algorithm is the better choice, the environment and circumstances in which it is deployed must be known. In this paper, we try to answer the question "Which one is better at a particular time?". Depending on the many factors analysed in the sections that follow, we draw conclusions that will be useful for future planning of secure passwords.
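The abstract's central point, that HOTP is an HMAC over a counter while TOTP is the same construction with the counter derived from time, is easiest to see in code. The following is an added example written for this page (it is not code from the paper or its authors): it implements both generators as specified in RFC 4226 and RFC 6238 using only the Python standard library, plus the two server-side checks a practitioner needs alongside them, a look-ahead window for HOTP counter resynchronisation and a clock-skew window for TOTP. The secret `RFC_SECRET_SHA1` is the public test-vector key from those RFCs, so the codes it produces can be compared against the published tables; the function names and window sizes are this example's own choices, not the paper's.

```python
import hashlib
import hmac
import struct

# Public 20-byte test-vector secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Real deployments use a per-user random secret shared out-of-band; this one is for checking only.
RFC_SECRET_SHA1 = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)                       # counter as 8-byte big-endian
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                                # low nibble of last byte selects the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF  # drop sign bit
    return str(code % (10 ** digits)).zfill(digits)        # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of time steps elapsed since T0."""
    counter = (unix_time - t0) // step
    return hotp(secret, counter, digits, algorithm)


def verify_hotp(secret: bytes, candidate: str, last_counter: int, look_ahead: int = 10,
                digits: int = 6, algorithm=hashlib.sha1):
    """Server-side HOTP check. The token may have been pressed without a login, so the server
    accepts any of the next `look_ahead` counters. Returns the counter that matched (the server
    must store it as the new `last_counter`) or None. Counters <= last_counter are never
    accepted, which is what makes a replayed code fail."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate):
            return c
    return None


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30, t0: int = 0,
                window: int = 1, digits: int = 6, algorithm=hashlib.sha1) -> bool:
    """Server-side TOTP check tolerating `window` steps of clock drift either side of now.
    A deployment should additionally remember the last accepted time step per user so the
    same code cannot be accepted twice inside the window."""
    now_counter = (unix_time - t0) // step
    for c in range(max(0, now_counter - window), now_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate):
            return True
    return False


if __name__ == "__main__":
    # HOTP: same secret, successive counters -> successive codes (RFC 4226 Appendix D values).
    for counter in range(3):
        print(f"HOTP counter={counter}: {hotp(RFC_SECRET_SHA1, counter)}")
    # TOTP: same secret, time 59 s falls in step 1, so it equals HOTP(counter=1) with 8 digits.
    print("TOTP t=59, 8 digits:", totp(RFC_SECRET_SHA1, 59, digits=8))
    # Resync: client pressed the button three times without logging in.
    print("HOTP resync matched counter:", verify_hotp(RFC_SECRET_SHA1, hotp(RFC_SECRET_SHA1, 3), 0))
    # Replay of an already-used counter is refused.
    print("Replay accepted?", verify_hotp(RFC_SECRET_SHA1, hotp(RFC_SECRET_SHA1, 0), 0) is not None)
```

The two verifiers show where the algorithms differ operationally: HOTP needs per-user counter state and a resynchronisation window, and TOTP needs reasonably synchronised clocks and a drift window. Both windows widen the set of codes that will be accepted at a given moment, so they should be kept small.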

