OTP algorithms are based on the use of a secret key shared between a client, generally implemented in a user device to generate OTP, and a server, that will validate OTP. Each OTP generator has a different secret OTP key.
OTP algorithm must also be sequence or counter based and thus use an incremental parameter synchronized between the OTP generator, generally a client inside a user device, and the OTP validator, generally a server.
The OTP is thus generally produced using a synchronized incremental parameter, generally of the counter type. It has to be noted here that the incremental parameter can be incremented or decremented depending on the implementation without departing from the scope of the invention, the essential feature being the synchronization of the counter on both sides using the OTP.
Advantageously, a throttling parameter TH is also used for the server to refuse connections from a user after TH unsuccessful authentication attempts.
Generally, to protect a key used in OTP algorithms such as CAP and OATH in unsafe environments, such as encountered in mobile device, a common protection mechanism is to derive a symmetric key, KEK, from the user PIN.
In this case KEK=KDF(PIN), where KDF is a Key Derivation Function.
The OTP key, TOK, is then encrypted with the KEK and stored in a potentially unsafe storage:
(TOK)KEK=CIPHER(KEK, TOK), where CIPHER is a symmetric cipher such as 3DES or AES.
Then the use of the PIN is distinct from the one used in smart cards or other secure tokens. The security model for software-based OTP on mobile devices, like mobile phones or tablets with or without secure element, is based on the use of the PIN to derive a key used to encrypt the OTP key.
Indeed the PIN is not used to grant access to OTP services but the OTP key is instead encrypted with a key derived from user's PIN. If a wrong PIN is used the decryption process is performed, generating a bad OTP key.
As normal used PIN lengths are typically 4 decimal digits, an attacker can brute-force decrypt the TOK using all the possible 10 000 PIN combinations (0000-9999). As the TOK is carefully created to ensure it is completely random and has no stop conditions like parity bits or others, the attacker will have 10 000 possible valid TOK values but with no stop condition, i.e. no way to distinguish the valid TOK from the invalid ones.
If someone gets access to the encrypted OTP key it is easy to list all the possible plaintext keys as the number of different PIN is very limited, typically PIN are 4-digits long.
Therefore the security of the solution relies on one single principle: it should be not possible for an attacker to distinguish between the good plaintext key and the others generated by wrong PINs. Only the server can distinguish it and implements a try counter to mitigate brute force.
However, this principle is valid until an attacker can find a “stop condition” allowing the distinction between the good key and the others. Ilf the attacker at this point gains access to a valid OTP and also can guess a small range of either the event counter C or the number of time steps T, an attack can be made using the calculation of possible OTP_P:OTP_P=OTP_algo(TOK, C|T), where OTP_algo is the used OTP algorithm.
The calculation is done over all possible TOK values, ranges of C or T and stopped when OTP_P is equal to the known valid OTP. If the possible range of C|T is small, the attack will quickly yield exactly one possible TOK.
Knowing a genuine OTP value, i.e. generated with the correct PIN, is a “stop condition”. To forge a brute force, the attacker needs to have the encrypted OTP key, the genuine OTP and try to guess the couple (PIN, counter). Counter is an input to compute the OTP. Any old genuine OTP can be used.
Thus, if an OTP key encrypted with the PIN-derived key is available, a valid OTP is available and a counter or current time range is known, a brute-force attacker will be able to access the OTP key.
Further alternative and advantageous solutions would, accordingly, be desirable in the art in order to protect PIN encrypted key.