Freshness in accessing a web service is a challenge identified

by the security of the website itself. It usually including

advantages and disadvantages on architecture security

and the machine language used by the site. With the recent

technology available completed by sufficient information

about risks thread in web services, there are a lot of

things to be concerned. In this paper, we try to inform

what actually a web service is, what are the risks we will

face, and several techniques in handling web services security.

This paper also propose a new design of authentication

model added with one-time password (OTP) generatorsource

code written in Java, as a technique to enhance its

security

Junatas, Bismar

Suhendra, Adang

Valentine, Vega

Yulianti, Anne

Gunadarma University Repository

WOSOC 2008 - Workshop on Open Source and Open Content, 1-3 December 2008, Bali - Indonesia35Modified Authentication using One Time Password to Support Web ServicesSecurityAdang SuhendraGunadarma UniversityDepartment of Industrial Technology, Software EngineeringJalan Margonda Raya no. 100adang@staff.gunadarma.ac.idAnne Yulianti, Bismar Junatas, and Vega ValentineGunadarma UniversityDepartment of Industrial Technology, Software EngineeringJalan Margonda Raya no. 100anneyulianti, lepen 72, slaved jepun@student.gunadarma.ac.idAbstractFreshness in accessing a web service is a challenge iden-tified by the security of the website itself. It usually includ-ing advantages and disadvantages on architecture securityand the machine language used by the site. With the re-cent technology available completed by sufficient informa-tion about risks thread in web services, there are a lot ofthings to be concerned. In this paper, we try to informwhat actually a web service is, what are the risks we willface, and several techniques in handling web services se-curity. This paper also propose a new design of authentica-tion model added with one-time password (OTP) generator-source code written in Java, as a technique to enhance itssecurity.1. IntroductionThe term web service is used to describe the ability toeasily link programs and data from various sources in a waythat creates a new look at the data or even a new applica-tion [9].Because a Web service relies on some of the same un-derlying HTTP and web-based architecture as common webapplications, it is susceptible to similar threats and vulnera-bilities [2].Web services security is based on several important con-cepts [6], including:• Identification and Authentication. Verifying theidentity of a user, process, or device, often as a prereq-uisite to allowing access to resources in an informationsystem.• Authorization. The permission to use a computer re-source, granted, directly or indirectly, by an applica-tion or system owner.• Integrity. The property that data has not been alteredin an unauthorized manner while in storage, duringprocessing, or in transit.• Non-repudiation. Assurance that the sender of infor-mation is provided with proof of delivery and the re-cipient is provided with proof of the sender’s identity,so neither can later deny having processed the infor-mation.• Confidentiality. Preserving authorized restrictions oninformation access and disclosure, including means forprotecting personal privacy and proprietary informa-tion.• Privacy. Restricting access to subscriber or relyingparty information in accordance with Federal law andorganization policy.We only focus in point 1, which is the authenticationpart. Authentication is the process by which a system candetermine whether or not a given user is who he/she claimsto be. In the context of Java runtime environment, it is theprocess of identifying the user of an executing Java pro-gram [8]. Authentication is the key for information securityWOSOC 2008 - Workshop on Open Source and Open Content, 1-3 December 2008, Bali - Indonesia36since if the authentication mechanism is compromised, therest of the security measures are bypassed as well [4].One-time password (OTP) schemes, where each pass-word is used only once, offer a viable alternative or a sup-plement to traditional password schemes [4]. Variations ofOTP schemes include ”sequentially updated OTPs” wherethere is initially only a single secret password that is sharedand the user creates and transmits the new password whilehe is being authenticated with the previous one, and ”sharedlists of OTPs” where each user uses a set of passwords eachvalid for a single authentication and distributed as a pre-shared list [1].Modifying an authentication technique has already doneby Karl Ackerman, Piers Bowness, John Brainard, andBill Duane from RSA Security Bedford, USA. They wereproposed a technique called Disconnected Authentication(DAUTH) that allows OTPs to be verified without access toa server. The DAUTH scheme allows OTPs to be used forlocal authentication without exposing the long-term secretused to generate the OTP values [5].Kemal Bicakci and Nazife Baykal from Middle EastTechnical University also done some modifications in OTPmethod. They are improving the security and the flexibilityof OTP by using public key techniques. The method theyhave made is called Signature Chain Alternative to Lam-port’s Hash Chain [4].In this paper, we propose a method that combines au-thentication and one-time password which covers eachother disadvantages. We know that authentication is vul-nerable on sniffing or a middle man stealing user password,so that he can use user’s id to do some actions that usu-ally adverse others. By adding the procedure with a methodcalled ’key checking’ that generates one-time password forthe user, we hope that it would improve the security of thewhole authentication process.This design hopefully can be implemented in some orga-nization or institution (such as an office, for the employeesto access certain confidential data, or a university, for thestudent or lecturers to access their personal information inuniversity’s database through the web services) to give trustfor the user, so that they can access the web services freelywithout any anxiousness on sniffing or another irresponsiblethird party.2. Model Design, Analysis, and Implementa-tion2.1. Comparison of Original and OTP-Authentication PrinciplesAuthentication is the process by which a user provestheir identity to a system. This proof can take several forms:• A password known only to the user.• A digital certificate (a secret key contained in a normalfile).• A physical Smart-Card (similar to a Mondex card) in-serted into a special reader.• A biometric measurement such as a fingerprint.OTP schemes, where each password is used only once,offer a viable alternative or a supplement to traditional pass-word schemes. OTP schemes’ advantages depend on whichmode of operation is used. The modes of operation and cor-responding advantages are as follows [4]:1. In the first mode of operation, to facilitate user-friendliness, each user has only (and should memorize)one password just as in traditional passwords. Thispassword is used to authenticate the user to the clientmachine (workstation) and then this machine gener-ates the OTP to be sent to the server. On the network-connecting the client and the server machines, only theOTP is transmitted.2. For applications that require stronger security, it is pos-sible to have the user enter the OTPs without gettingany help from the system. Of course, we cannot expectsomeone to memorize all these OTPs. Now we are ina so-called human and paper environment where OTPsare listed on a piece of paper and carried in the pocket(alternatively, mobile devices such as PDAs and cellu-lar phones can be used for storing the OTP list). This isan inconvenience for the user, but in most applicationsdemanding a high level of security this inconvenienceis tolerable.2.2. Model Design: Original vs. OTP-AuthenticationIn this section, we will show the original authenti-cation model with the one we have made called ’OTP-Authentication’.2.2.1 Original Model: Plain Text PasswordsFigure 1 shows the simplest basic model of authentica-tion named ’Plain Text Password Technique’. This modelexplained by Paul Anderson in his paper ”AuthenticationModels Explained: A Background to Single-Sign-On Issuesfor the University of Edinburgh”.WOSOC 2008 - Workshop on Open Source and Open Content, 1-3 December 2008, Bali - Indonesia37Figure 1. Model design of original authentica-tion techniqueNote: the numbers on the diagram define the sequence ofoperations.Figure 2. Model Design of OTP-Authentication2.2.2 New Model: OTP-AuthenticationFigure 2 shows the modified model of the original authen-tication model. Modifications done by adding two proce-dures after the authentication process confirmed. Severaladdition techniques and mechanisms are:• Encrypted password and key.• Encrypted channel, between services to secure keypassing through the system.• Synchronized key techniques, to do key checking pro-cedure. The key entered by user and the one stored inthe database is synchronized, then database server passit to OTP generator as shown in figure 2 procedure.• OTP generator, generates OTP for users.• Delegation or multiple tiers. For example, the usermay connect to a web server, and the web server maythen connect to a separate database server. Somehow,the web server needs to pass the user’s authenticationon to the database server [9].Details on its mechanism explained in 2.3.2.2.3. Analysis: The Original Model vs.OTP-AuthenticationThe analysis stressed on the sequence of operations andboth advantages and disadvantages of each model to see thedifference, and then see whether the newmodel brings moreadvantages or effectiveness.2.3.1 Original Model: Plain Text Passwords• ProcedureIn this simple case, each remote service as its own au-thentication mechanism and the user types the corre-sponding password when required by the service.• AdvantagesProvided that the user has been sensible enough tochoose separate passwords for the different services,then if one of the passwords is compromised, there isless chance of other services being endangered.• Disadvantages– Remembering the various passwords, match-ing them with their corresponding services, andchanging them, are a problem for the user. Thisoften leads to a bad choice of passwords, or eventhe use of a single password for all services (seebelow).– The passwords can easily be sniffed by anyonewith the ability to connect to the network be-tween the client and server. This is becomingless likely inside the University itself (althoughit is still a problem), but more likely overall, dueto increasing use of remote access (for example,from Internet Cafes).– Account management is difficult since new usersmust be added to every service individually.WOSOC 2008 - Workshop on Open Source and Open Content, 1-3 December 2008, Bali - Indonesia382.3.2 New Model: OTP-Authentication• Procedure– User enters username and password he/she has,then having the confirmation whether the infor-mation sent is true.– If the information were true, then the user hasto enter supporting information called ’key’ cor-responding to the information recorded in thedatabase server. The database server then checkwhether the key entered by user and the one inthe database is equal. This procedure called ’keychecking’.– If both of the key is equal, next step is the serverrole to send this confirmation to the OTP genera-tor to generate OTP for the corresponding user.– User got the OTP, then finally could log on to thenetwork using this OTP and accessing the webservices available in the system.• Advantages– Prevents password sniffing that could be hap-pened in original model, by using encrypted textfor every passwords or keys passes the network,or encrypted channel between services.– It is true that a copy of the password passedthrough client and server machine. But remem-ber that user just uses it as a shield to get OTP, sowe still can say that it is relatively secure.– Each service requires different password or key.This means that if any of these services is com-promised, this system is not in serious danger.– Compromise of any single server will not fullyaffect all services, because not all services are re-lated directly to each other.– Authentication delegation is supported.• Disadvantages– For this to be effective, it is very important thatuser understands the correct procedures for man-agement of the encryption protocol.– It might be quite complicated for the user to dofirst log on procedure (undergo two procedures toget OTP).– User has to memorize the password-e.g. write iton a paper, so the difficulties are still faced.– Special software is required on the client todecrypt the OTP(some free software availableat: http://www.encryptionanddecryption.com/download.html#free).2.4 Implementation of OTP-AuthenticationThis method could be implemented by any organizationsor institutions need a secure data accessing through web ser-vice.For example, Gunadarma University has a lot of hotspotsspread over many locations in the campus. In order toenable only Gunadarma’s staffs and students to use thehotspot, such as to upload or download subject materialsor checking their personal information provided in staff orstudent mails, so the authentication method is needed. Inthis context, authentication is needed to ensure that the useris the real affiliate of Gunadarma.So, to avoid password sniffing by irresponsible thirdparty, we can use the proposed OTP-Authentication. Thismethod could keep the user id and password securely whilepassing over the network and also could generate a trustyOTP which can only be used once-also tells us that the OTPis exclusive and secure.3. ResultFrom the experiment and its analysis, we got the resultthat OTP-Authentication has more ways to protect the sys-tem from threads.In this method, OTP-Authentication encrypt and decryptpasswords, keys, and password’s confirmation from clientto server or server to user. By encrypting and decryptingthe passwords, it is quite secure to againts the thread.Comparing between original authentication and OTP-Authenthification, OTP-Authentication is more superiorthan the original. It is because there is a combination be-tween authentication and OTP. Then, having more ways toprotect the system from threads which using enrcypt anddecrypt each time it delivers the important message fromone sever to another server. Then, every server receive andsending different information of passwords, keys, and pass-word’s confirmation which could flam sniffers.Original authentication does not use OTP generator andin original authentication, the password is in plain text for-mat or have not been hidden by encryption. Besides, thepassword is passed through all server which is the mainweakness of original authentication. It means that if oneof services are hacked then it is easier to stole all client’sinformation.4. ConclusionA Web service security model should address securityissue involved in a request from an end client to a targetservice, including the intermediary services that route theservice requests.WOSOC 2008 - Workshop on Open Source and Open Content, 1-3 December 2008, Bali - Indonesia39In this paper, we have proposed a mechanism, which isa combination between original authentication and OTP ap-plication. This new model hopefully could help the client toprovide authentication data based on the service definitionand, at the same time, help the service provider to retrievethose data.For final completion of the model, we can added a VPN(Virtual Private Network) to ’virtualize’ the network whilethe server delivers a confirmation or keys, instead of en-crypting all data sent.This method can works optimally using several soft-ware support. For the OTP generator, we can use JOTPcalculator written in Java by Harry Mantakos. Wecan get the generator at: http://cs.umd.edu/h˜arry/jotp.And for a software needed to be built in the clientmachine, we can use Encryption and DecryptionPro software, which is a freeware that you can getfrom: http://www.encryptionanddecryption.com/ down-load.html#pro.This design hopefully can be implemented in some orga-nization or institution (such as an office, for the employeesto access certain confidential data, or a university, for thestudent or lecturers to access their personal information inuniversity’s database through the web services) to give trustfor the user, so that they can access the web services freelywithout any anxiousness on sniffing or another irresponsiblethird party.Unfortunately, every security have their weakness andsurplus and we got it back to our thought that every archi-tecture and every methode or way that we use have to de-veloped and upgrade. By developing and upgrading couldhelp us to less the threads.References[1] S. V. A. Menezes, P. Van Oorshot. ”Handbook of AppliedCryptography”. CRC Press, 1996.[2] T. W. A. Singhal and K. Scarfone. Guide to secure web ser-vices. Gaithesburg: NIST Special Publication 800-95, 2007.[3] P. Anderson. ”Authentication Models Explained: A back-ground to single-sign-on issues for the University of Edin-burgh”, volume 1-9. Revision 1.1 edition, 2003.[4] K. Bicakci and N. Baykal. Improving the security and flexi-bility of one-time password by signature chains. Turk J ElecEngin, (3):1–3, 2003.[5] J. B. B. D. K. Ackerman, P. Bowness. Dauth: Secureoffline verification of one-time passwords. RSA Security,MA01730:1–2.[6] R. Kissel. Glossary of key information security terms, infor-mation security handbook: A guide for managers. NationalInstitut of Standard and Technology, NIST IR 7298, NIST SP800-100, pages 1–87.[7] A. N. M. Hondo, N. Nagaratnam. Securing web services. IBMSystem Journal, 41(2):1–2, 2002.[8] Sun Mycrosystem Inc. ”Java Security Overview”, 2005. 10-11.[9] P. J. Windley. ”Enabling Web Services”.http://www.windley.com, 2003.

Modified Authentication using One Time Password to SupportWeb Services Security

Abstract

Similar works

Full text

Available Versions

Gunadarma University Repository