
The principle of RSA token dynamic password Generation

2025-02-24 Update. From: SLTechnology News&Howtos (shulou), Network Security section.

Shulou(Shulou.com)06/01 Report--

RSA is best known for the RSA public-key algorithm, but the product discussed here is the RSA SecurID token, which provides two-factor authentication. The passcode is made of two parts: a fixed PIN chosen by the user, and a dynamic code shown on a small hardware device issued to each user. The device computes the dynamic code from the current time, its device serial number, and a secret seed programmed into it. The complete authentication passcode is the fixed PIN combined with the dynamic code, so a stolen PIN alone or a stolen token alone is not enough to log in.

A brief description of the way OTP is generated

Dynamic password (one-time password, OTP) technology appeared in the 1990s to address the weaknesses of static passwords. Its applications and general state so far are as follows.

There are two main kinds of dynamic password technology:

- synchronous password technology, which is further divided into time-based synchronous passwords and event-based synchronous passwords;
- asynchronous password technology, also called challenge-response.

The main technical comparisons are as follows:

Time synchronization: the token and the server keep synchronized clocks and each derives the same dynamic password from the current time. Time-synchronized tokens generally have an update rate of 60 s, producing a new password every minute. Because the synchronization is anchored to standard time (UTC), the server must keep an accurate clock, and the token's crystal oscillator must meet strict frequency tolerances.

On each successful authentication the server measures the token's clock offset and fine-tunes the offset it has recorded for that token, which keeps the two in step during everyday use. The token's operating environment, however, varies: magnetic fields, high temperature, high pressure, shock, or water ingress can cause unpredictable clock drift or damage, so time-synchronized devices need good physical protection. A token that has lost synchronization can be resynchronized remotely by widening the accepted offset (plus or minus 10 minutes), which keeps it usable and limits the impact on the application. A token whose drift exceeds the default limit (20 minutes in total) can no longer be used or resynchronized remotely and must be returned to the factory or handled separately on the server. For the same reason the server's own system clock must be protected and never changed casually: a clock change on the server causes synchronization problems for every token authenticated against it.

Event synchronization: an event-synchronized token computes each password by running the DES algorithm over a specific event sequence (a counter) and the same seed value held by the server. This mechanism is clock-independent, so the token contains no timing crystal and is not affected by clock drift. The drawback is that, because the algorithm is deterministic, future passwords can be read off the token in advance. If the token is lost and no PIN protects it, an attacker can log in illegitimately, so protecting event-synchronized tokens with a PIN is essential.

Event-synchronized tokens can also fall out of step, for example when the user generates passwords repeatedly without using them. The server resynchronizes such a token by widening its counter window: it computes a certain number of passwords ahead and accepts the first one that matches, bringing the two counters back together. When the gap is so large that it exceeds the normal window, the user enters two consecutive passwords from the token and the server searches a much wider range; in general no more than three attempts are needed. In extreme cases, such as a drained battery or a mistake during battery replacement, the token may still lose synchronization entirely. Even then it can be resynchronized remotely by manually entering a sequence of values generated by the administrator, without sending it back to the server.
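The two synchronous schemes above, as an added example that is not part of the original article and is not RSA's proprietary SecurID algorithm: it uses the open HMAC-based OTP construction of RFC 4226/6238 as a stand-in for the token's DES computation. It shows the server side of both schemes, including a clock-drift window whose learned offset is refined on each login, a counter look-ahead window, and the wide resynchronization that requires two consecutive codes. The seed, window sizes and timestamps are constructed for the demo.

```python
"""Server-side validation for time- and event-synchronized OTP tokens.
Added example using RFC 4226 HOTP as a stand-in for the token algorithm;
SEED, window sizes and timestamps are constructed demo values."""
import hashlib
import hmac
import struct

SEED = bytes.fromhex("3132333435363738393031323334353637383930")  # demo seed
STEP = 60       # time-synchronized tokens roll over every 60 s
DIGITS = 6


def otp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP dynamic truncation (RFC 4226 section 5.3) over a 64-bit counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TimeSyncServer:
    """Accepts codes within +/-MAX_DRIFT_STEPS of the token's last known
    offset and refines that offset on every successful login."""
    MAX_DRIFT_STEPS = 10  # 10 steps * 60 s = 10 minutes each way

    def __init__(self, seed: bytes):
        self.seed = seed
        self.drift = 0          # token clock offset in steps, learned over time
        self.last_counter = -1  # highest slot already used; blocks replay

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP + self.drift
        for delta in range(-self.MAX_DRIFT_STEPS, self.MAX_DRIFT_STEPS + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # each 60 s slot may be used once
            if hmac.compare_digest(otp(self.seed, counter), code):
                self.drift += delta  # fine-tune the stored clock offset
                self.last_counter = counter
                return True
        return False


class EventSyncServer:
    """Counter-based validation with a normal look-ahead window and a much
    wider window that is only searched when two consecutive codes are given."""
    LOOK_AHEAD = 10        # user pressed the button a few times unused
    RESYNC_WINDOW = 1000   # only with two consecutive codes

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0   # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.LOOK_AHEAD):
            if hmac.compare_digest(otp(self.seed, c), code):
                self.counter = c + 1  # skip the codes the user burned
                return True
        return False

    def resync(self, code1: str, code2: str) -> bool:
        """A single 6-digit code matches a random counter with probability
        1e-6; requiring two in sequence makes a wide search safe (~1e-12)."""
        for c in range(self.counter, self.counter + self.RESYNC_WINDOW):
            if (hmac.compare_digest(otp(self.seed, c), code1)
                    and hmac.compare_digest(otp(self.seed, c + 1), code2)):
                self.counter = c + 2
                return True
        return False


def demo():
    # Time-synchronized: the token's clock runs 3 minutes (3 steps) fast.
    t = TimeSyncServer(SEED)
    now = 1_700_000_000
    token_clock = now + 3 * STEP
    ok_fast = t.verify(otp(SEED, token_clock // STEP), now)   # accepted, drift learned
    replay = t.verify(otp(SEED, token_clock // STEP), now)    # same slot again: rejected
    # Event-synchronized: user burned 4 codes, later pressed ~300 more times.
    e = EventSyncServer(SEED)
    ok_small_gap = e.verify(otp(SEED, 4))                     # inside LOOK_AHEAD
    lost = e.verify(otp(SEED, 305))                           # outside LOOK_AHEAD
    resynced = e.resync(otp(SEED, 305), otp(SEED, 306))       # wide search succeeds
    return ok_fast, replay, t.drift, ok_small_gap, lost, resynced, e.counter


if __name__ == "__main__":
    print(demo())
```

The replay check in `TimeSyncServer` is what the article's 60 s window implies but does not spell out: without remembering the last accepted slot, a captured code could be reused until the slot expires. Production deployments also rate-limit attempts, since each widening of the window adds guesses an attacker may try.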

Asynchronous password technology:

For asynchronous tokens, nothing needs to stay synchronized between token and server apart from the shared algorithm and seed, so the out-of-step problem disappears and the impact on the application is reduced. A further advantage is that the secret itself never crosses the network: only the server's challenge and the single-use response do, which considerably raises the security of the system. The disadvantage is one extra step for the user, who must key the challenge value into the token, and added complexity for the operator. In practice the password generation method is therefore chosen according to the sensitivity and security requirements of the user's application.
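The challenge-response exchange just described, as an added example that is not the article's or RSA's code: the server issues a random challenge, the token answers with a truncated HMAC over it, and the server accepts each challenge at most once, so a captured response cannot be replayed. The seed, the challenge format (8 decimal digits, short enough to type) and the response derivation are assumptions for the demo.

```python
"""Challenge-response OTP between a server and an asynchronous token.
Added example; SEED, challenge format and response derivation are
assumptions, not the SecurID algorithm."""
import hashlib
import hmac
import secrets

SEED = bytes.fromhex("3132333435363738393031323334353637383930")  # demo seed


def respond(seed: bytes, challenge: str, digits: int = 8) -> str:
    """Token side: the user keys the challenge into the token, which returns
    a decimal response derived from HMAC-SHA256(seed, challenge)."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class ChallengeServer:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.pending = {}  # challenges issued but not yet answered

    def new_challenge(self) -> str:
        """8 random decimal digits; unpredictable, so an attacker cannot
        precompute the response the user will be asked for."""
        ch = str(secrets.randbelow(10 ** 8)).zfill(8)
        self.pending[ch] = True
        return ch

    def verify(self, challenge: str, response: str) -> bool:
        # Accept only challenges this server issued, and each one only once.
        if not self.pending.pop(challenge, False):
            return False
        return hmac.compare_digest(respond(self.seed, challenge), response)


def demo():
    srv = ChallengeServer(SEED)
    ch = srv.new_challenge()
    resp = respond(SEED, ch)                  # user types ch into the token
    first = srv.verify(ch, resp)              # accepted
    replay = srv.verify(ch, resp)             # same pair again: rejected
    forged = srv.verify("00000000", respond(SEED, "00000000"))  # never issued
    return first, replay, forged


if __name__ == "__main__":
    print(demo())
```

Because the server never has to track a counter or a clock offset for the token, there is no resynchronization logic at all; the price is that the challenge must reach the user and be typed back, which is the extra step the article mentions. Pending challenges should also expire after a short time so the table cannot grow without bound.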
