1. Field
Disclosed embodiments relate to a technology for security and authentication of a system over a network.
2. Discussion of Related Art
A one-time password (OTP) is a network security technology in which a new password must be used each time a user seeks authentication. Such a method avoids the critical security weakness of the general ID/password based security system, in which leakage of a single fixed password compromises the account. In recent years, OTPs have been adopted by more and more businesses and financial institutions that require a high level of security.
The types of OTP include S/Key OTPs, challenge-response OTPs, and time-synchronized passwords. A time-synchronized password, as its name indicates, uses the current time as an input when generating the OTP. The user generates a client-side OTP from a Personal Identification Number (PIN), the user's password and a secret key, and transmits the generated client-side OTP to an authentication server. The authentication server then generates a server-side OTP from the user authentication information (init_secret and PIN) registered for the client ID and checks whether the generated server-side OTP coincides with the received client-side OTP.
A time-synchronized password requires the authentication server and the user token to use the identical time as the input value of the OTP. Accordingly, if the time of the authentication server token and the time of the user token differ, user authentication fails. However, it is not easy in practice to keep the clock of every user terminal synchronized with the server at all times. Since an actual operating environment involves delay in issuing an OTP authentication request and delay in transmission between the client and the authentication server, an effective range of time is set to absorb this delay error, so that authentication is allowed to succeed within the effective range. For example, the authentication server sets an effective range of time from a predetermined interval before the time at which the authentication request is received to a predetermined interval after that time (for example, −90 seconds to +90 seconds), and if any one of the server-side OTPs generated from time values within the effective range coincides with the user OTP, the authentication is determined to succeed.
However, in this case, depending on the effective range of time, the authentication server may need to generate and compare a plurality of OTP candidates, which increases the burden on the server in the authentication process. That is, in the conventional technology, the authentication server sequentially generates an OTP for every 10-second interval from 90 seconds before the point of time at which the authentication request is received to 90 seconds after it, and compares each generated OTP with the client OTP. For example, when the authentication request is received by the authentication server at ten minutes past ten o'clock (10:10:00), the authentication server first generates the OTP for the interval from 10:08:30 to 10:08:39 and compares it with the client OTP. If it does not coincide with the client OTP, the authentication server generates the OTP for the interval from 10:08:40 to 10:08:49 and compares it, and this process is repeated interval by interval until the authentication succeeds or the effective range is exhausted.
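The windowed verification described in the two preceding paragraphs, written out as an added example (this is not code from the disclosed embodiments or from any product the page describes). The 10-second interval and the ±90-second range are the page's own figures; the concrete OTP derivation (HMAC-SHA1 over the interval counter with HOTP-style truncation), the 6-digit code length, the secret, the PIN and the clock values are assumptions made for illustration, since the page does not specify them. The example also counts how many server-side OTPs the conventional sequential search generates, which is the burden the page is concerned with.

```python
import hashlib
import hmac
import struct

# Parameters taken from the page: 10-second OTP intervals, +/-90 s effective range.
STEP_SECONDS = 10
WINDOW_SECONDS = 90
# Assumption: 6-digit OTPs; the page does not state the code length.
DIGITS = 6


def generate_otp(init_secret: bytes, pin: str, t: int) -> str:
    """Server- or client-side OTP for the 10-second interval containing time t.

    Assumption: the page only says the OTP is derived from init_secret, the PIN
    and the time; the derivation used here (HMAC-SHA1 over the interval
    counter, dynamically truncated as in HOTP/TOTP) is an illustrative choice.
    """
    interval = t // STEP_SECONDS
    key = init_secret + pin.encode("utf-8")
    mac = hmac.new(key, struct.pack(">Q", interval), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def candidates_in_window(window: int = WINDOW_SECONDS, step: int = STEP_SECONDS) -> int:
    """Number of server-side OTPs generated when the whole window is walked."""
    return 2 * (window // step) + 1


def verify_windowed(init_secret: bytes, pin: str, client_otp: str, receive_time: int):
    """Conventional windowed verification as described on the page.

    Walks the effective range from receive_time - WINDOW_SECONDS to
    receive_time + WINDOW_SECONDS one interval at a time, generating a
    server-side OTP per interval and stopping at the first match.
    Returns (accepted, candidates_generated, matched_interval_start).
    """
    candidates = 0
    t = receive_time - WINDOW_SECONDS
    while t <= receive_time + WINDOW_SECONDS:
        candidates += 1
        if hmac.compare_digest(generate_otp(init_secret, pin, t), client_otp):
            return True, candidates, t
        t += STEP_SECONDS
    return False, candidates, None


# Constructed sample data (not from the page): a registered secret and PIN.
SAMPLE_SECRET = b"example-init-secret-0123456789"
SAMPLE_PIN = "4321"
# 10:10:00 expressed as seconds since midnight, matching the page's example.
RECEIVE_TIME = 10 * 3600 + 10 * 60


def simulate(client_clock_offset: int):
    """A client whose clock is off by client_clock_offset seconds sends an OTP;
    the server verifies it against its own receive time."""
    client_otp = generate_otp(SAMPLE_SECRET, SAMPLE_PIN, RECEIVE_TIME + client_clock_offset)
    return verify_windowed(SAMPLE_SECRET, SAMPLE_PIN, client_otp, RECEIVE_TIME)


if __name__ == "__main__":
    for offset in (-35, 0, 80, 100):
        ok, n, t = simulate(offset)
        print(f"client drift {offset:+4d}s -> accepted={ok}, server OTPs generated={n}, interval start={t}")
    print("worst case per request:", candidates_in_window(), "OTP generations")
```

With these parameters the server generates up to 19 OTPs for one request, and even a client with a perfectly synchronized clock costs 10 generations because the search starts at the earliest interval. A second consequence worth keeping in mind: every interval accepted inside the window is also a code an attacker can guess, so widening the window raises both the server load and the per-attempt false-accept probability.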
In this case, resources of the authentication server are consumed unnecessarily, and this unnecessary use of resources causes overhead that degrades the performance of the authentication server. Accordingly, there is a need for a technology capable of minimizing OTP generation in the authentication server, thereby effectively utilizing the resources of the authentication server and preventing its performance degradation.