Improving the security and flexibility of one-time passwords by signature chains

Bıçakçı, Kemal
Baykal, Nazife
While the classical attack of ``monitor the network and intercept the password'' can be avoided by advanced protocols like SSH, one-time passwords are still considered a viable alternative or a supplement for software authentica since they are the only ones that safeguard against attacks on insecure client machines. In this paper by using public-key techniques we present a method called signature chain alternative to Lamport's hash chain to improve security and flexibility of one-time passwords. Our proposition improves the security because first, like other public-key authentication protocols, the server and the user do not share a secret, thereby eliminating attacks on the server side. Second, from any incorrectly revealed one-time password, unspent passwords cannot be calculated if a signature chain is preferred. Having an infinite length, the chain in our proposition is more flexible and facilitates using the protocol without the complexity of restarting. On the other hand, the disadvantage of signature chain is the longer verification time with respect to hash chain based approaches.
Turkish Journal of Electrical Engineering and Computer SciencesTurkish Journal of Electrical Engineering and Computer Sciences


Using Assurance Cases to Develop Iteratively Security Features Using Scrum
BEN OTHMANE, Lotfi; Angın, Pelin; BHARGAVA, Bharat (2014-09-12)
A security feature is a customer-valued capability of software for mitigating a set of security threats. Incremental development of security features, using the Scrum method, often leads to developing ineffective features in addressing the threats they target due to factors such as incomplete security tests. This paper proposes the use of security assurance cases to maintain a global view of the security claims as the feature is being developed iteratively and a process that enables the incremental developm...
Truncated Impossible and Improbable Differential Analysis of ASCON
Tezcan, Cihangir (2016-02-01)
Ascon is an authenticated encryption algorithm which is recently qualified for the second-round of the Competition for Authenticated Encryption: Security, Applicability, and Robustness. So far, successful differential, differential-linear, and cube-like attacks on the reduced-round Ascon are provided. In this work, we provide the inverse of Ascon's linear layer in terms of rotations which can be used for constructing impossible differentials. We show that Ascon's S-box contains 35 undisturbed bits and we us...
A Decision Support System for Optimal Selection of Enterprise Information Security Preventative Actions
Sonmez, Ferda Ozdemir; Günel Kılıç, Banu (2021-09-01)
Types and complexity of information security related vulnerabilities are growing rapidly and present numerous challenges to the enterprises. One of the key challenges is to identify the optimal set of precautions with limited budget. Despite the fact that majority of enterprises have a budget constraint for installing and maintaining the protection systems, the majority of the previous work only focus on prioritization of security targets and do not consider the preventative actions and budget constraints. ...
Malicious user input detection on web-based attacks with the negative selection algorithm
Karataş, Mustafa Mer; Acar, Aybar Can; Department of Cyber Security (2019)
In the cyber security domain, detection and prevention of intrusions is a crucial task. Intrusion attempts exploiting vulnerabilities in an organization’s servers or applications may lead to devastating consequences. The malicious actor may obtain sensitive information from the application, seize database records or take over the servers completely. While protecting web applications/services, discrimination of legitimate user inputs from malicious payloads must be done. Taking inspiration from the Human Imm...
One-time passwords: Security analysis using BAN logic and integrating with smartcard authentication
Bicakci, K; Baykal, Nazife (2003-01-01)
In this paper we make a formal analysis of one-time password protocols using BAN logic and provide some guidelines to integrate securely one-time passwords with smartcard based authentication. We also propose some extensions to the BAN logic to facilitate analyzing hash chain based authentication protocols.
Citation Formats
K. Bıçakçı and N. Baykal, “Improving the security and flexibility of one-time passwords by signature chains,” Turkish Journal of Electrical Engineering and Computer SciencesTurkish Journal of Electrical Engineering and Computer Sciences, pp. 223–236, 2003, Accessed: 00, 2020. [Online]. Available: