In order to gain access to applications or other resources via a computer or another user device, users are often required to authenticate themselves by entering authentication information. Such authentication information may include, for example, passwords that are generated by a security token carried by a user. These passwords may be, for example, one-time passwords that are generated using a time-synchronous or event-based algorithm.
In most existing token-based user authentication systems, a token belonging to a user U generates a one-time passcode for consumption by a single server S. In a symmetric-key-based scheme, secret cryptographic keys from the token are shared with an authentication server. In symmetric-key-based schemes, however, an adversary that compromises server S can impersonate user U by stealing the user's credentials from server S. Such an attack requires only transient server compromise; that is, the adversary need only learn the state of server S, and need not alter the operation of server S. In other attacks, the adversary can control the operation of server S over an extended period of time. Such an adversary can subvert the authentication process, impersonating user U even if the user's credentials are periodically refreshed, and even if authentication relies on public-key operations.
Some user authentication systems include the use of challenge-response tokens, which can store, for example, a secret key κ. In such a system, in response to a challenge c, the token outputs a response r=ƒ(κ; c), for some cryptographic function ƒ (for example, a hash function).
Additionally, other user authentication systems can include the use of stored-passcode (SP) tokens. In contrast to challenge-response tokens noted above, an SP token is pre-loaded with a collection of passcodes P1, . . . , Pn. In such a system, in response to an input t, the token outputs Pt. By way of example, the value t can represent the current time (as determined by an internal or external clock) or a counter value maintained by the token.
An SP token can offer advantages over a token that computes passcodes on-the-fly. For example, SP tokens require little computation, and thus require minimal computational circuitry and draw small amounts of power. This can render SP tokens an attractive design option for stand-alone authentication devices. Also, SP tokens can avoid vulnerabilities to side-channel attacks associated with online cryptographic computation, an attractive feature for many tokens, including tokens that are to be implemented in a general-purpose computational device (such as a mobile phone, for example).
SP tokens, on the other hand, do not perform online computation and therefore cannot operate in a conventional challenge-response mode. This matters because challenge-response authentication schemes can carry security advantages over counter-based schemes that are vulnerable to passcode harvesting and re-use by attackers. Challenge-response authentication schemes, moreover, can be preferable to time-based schemes in that they avoid the need for the authentication token to maintain the current time and provide reliable synchronization with authentication servers.
Consequently, a need exists for enabling SP tokens capable of operating in a challenge-response mode.
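The contrast drawn above between counter-based stored-passcode verification and challenge-response verification can be shown in a short added example, which is not part of the original text. The choice of HMAC-SHA256 for ƒ, the look-ahead window, and all class and function names are assumptions made for illustration; the passcodes and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

def f(kappa: bytes, c: bytes) -> str:
    # r = f(kappa; c); HMAC-SHA256 is an assumed choice of f
    return hmac.new(kappa, c, hashlib.sha256).hexdigest()

class SPToken:
    """Stored-passcode token: holds P_1..P_n, outputs P_t, computes nothing."""
    def __init__(self, passcodes):
        self.passcodes, self.t = list(passcodes), 0
    def next_passcode(self) -> str:
        self.t += 1                      # t is a counter kept by the token
        return self.passcodes[self.t - 1]

class CounterServer:
    """Accepts any unused passcode within a look-ahead window of its counter."""
    def __init__(self, passcodes, window=3):
        self.passcodes, self.t, self.window = list(passcodes), 0, window
    def verify(self, p: str) -> bool:
        for i in range(self.t, min(self.t + self.window, len(self.passcodes))):
            if hmac.compare_digest(p, self.passcodes[i]):
                self.t = i + 1           # this passcode and earlier ones are spent
                return True
        return False

class ChallengeServer:
    """Issues a fresh random challenge c per attempt and checks r = f(kappa; c)."""
    def __init__(self, kappa: bytes):
        self.kappa, self.pending = kappa, None
    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending
    def verify(self, r: str) -> bool:
        c, self.pending = self.pending, None   # a challenge is single-use
        return c is not None and hmac.compare_digest(r, f(self.kappa, c))

def compare_schemes():
    codes = [secrets.token_hex(4) for _ in range(10)]  # constructed P_1..P_10
    token, counter_srv = SPToken(codes), CounterServer(codes)
    harvested = token.next_passcode()   # displayed by the token, never submitted
    counter_accepts = counter_srv.verify(harvested)    # still valid later

    kappa = secrets.token_bytes(32)                    # constructed key
    cr_srv = ChallengeServer(kappa)
    captured = f(kappa, cr_srv.challenge())            # response to challenge c
    first_use = cr_srv.verify(captured)
    cr_srv.challenge()                                 # next attempt, new c
    replay_accepts = cr_srv.verify(captured)           # bound to the old c
    return counter_accepts, first_use, replay_accepts
```

The counter-based verifier accepts a passcode that was read off the token and presented later, while a response captured under one challenge is rejected under the next. Computing ƒ requires the key κ and online computation, which is what an SP token lacks.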