One-Time Passwords from Your Watch

Passwords establish the identity of a user, and they are an essential component of modern information technology. In this article, I describe one-time passwords: passwords that you use once and then never again. Because they’re used only once, you don’t have to remember them. I describe how to implement one-time passwords with a Texas Instruments (TI) eZ430-Chronos wireless development tool in a watch and how to use them to log in to existing web services such as Google Gmail (see Photo 1).

Photo 1—The Texas Instruments eZ430 Chronos watch displays a unique code that enables logging into Google Gmail. The code is derived from the current time and a secret value embedded in the watch.

To help me get around on the Internet, I use a list of about 80 passwords (at the latest count). Almost any online service I use requires a password: reading e-mail, banking, shopping, checking reservations, and so on. Many of these Internet-based services have Draconian password rules. For example, some sites require a password of at least eight characters with at least two capitals or numbers and two punctuation characters. The sheer number of passwords, and their complexity, makes it impossible to remember all of them.

What are the alternatives? There are three different ways of verifying the identity of a remote user. The most prevailing one, the password, tests something that a user knows. A second method tests something that the user has, such as a secure token. Finally, we can make use of biometrics, testing a unique user property, such as a fingerprint or an eye iris pattern.

Each of these three methods comes with advantages and disadvantages. The first method (passwords) is inexpensive, but it relies on the user’s memory. The second method (secure token) replaces the password with a small amount of embedded hardware. To help the user to log on, the token provides a unique code. Since it’s possible for a secure token to get lost, it must be possible to revoke the token. The third method (biometrics) requires the user to enroll a biometric, such as a fingerprint. Upon login, the user’s fingerprint is measured again and tested against the enrolled fingerprint. The enrollment has potential privacy issues. And, unlike a secure token, it’s not possible to revoke something that is biometric.

The one-time password design in this article belongs to the second category. A compelling motivation for this choice is that a standard, open proposal for one-time passwords is available. The Initiative for Open Authentication (OATH) is an industry consortium that works on a universal authentication mechanism for Internet users. They have developed several proposals for user authentication methods, and they have submitted these to the Internet Engineering Task Force (IETF). I’ll be relying on these proposals to demonstrate one-time passwords using a eZ430-Chronos watch. The eZ430-Chronos watch, which I’ll be using as a secure token, is a wearable embedded development platform with a 16-bit Texas Instruments MSP430 microcontroller.

ONE-TIME PASSWORD LOGON

Figure 1 demonstrates how one-time passwords work. Let’s assume a user—let’s call him Frank—is about to log on to a server. Frank will generate a one-time password using two pieces of information: a secret value unique to Frank and a counter value that increments after each authentication. The secret, as well as the counter, is stored in a secure token. To transform the counter and the secret into a one-time password, a cryptographic hash algorithm is used. Meanwhile, the server will generate the one-time password it is expecting to see from Frank. The server has a user table that keeps track of Frank’s secret and his counter value. When both the server and Frank obtain the same output, the server will authenticate Frank. Because Frank will use each password only once, it’s not a problem if an attacker intercepts the communication between Frank and the server.

Figure 1—A one-time password is formed by passing the value of a personal secret and a counter through a cryptographic hash (1). The server obtains Frank’s secret and counter value from a user table and generates the same one-time password (2). The two passwords must match to authenticate Frank (3). After each authentication, Frank’s counter is incremented, ensuring a different password the next time (4).

After each logon attempt, Frank will update his copy of the counter in the secure token. The server, however, will only update Frank’s counter in the user table when the logon was successful. This will intercept false logon attempts. Of course, it is possible that Frank’s counter value in the secure token gets out of sync with Frank’s counter value in the server. To adjust for that possibility, the server will use a synchronization algorithm. The server will attempt a window of counter values before rejecting Frank’s logon. The window chosen should be small (i.e., five). It should only cover for the occasional failed logon performed by Frank. As an alternate mechanism to counter synchronization, Frank could also send the value of his counter directly to the server. This is safe because of the properties of a cryptographic hash: the secret value cannot be computed from the one-time password, even if one knows the counter value.

You see that, similar to the classic password, the one-time password scheme still relies on a shared secret between Frank and the server. However, the shared secret is not communicated directly from the user to the server, it is only tested indirectly through the use of a cryptographic hash. The security of a one-time password therefore stands or falls with the security of the cryptographic hash, so it’s worthwhile to look further into this operation.

CRYPTOGRAPHIC HASH

A cryptographic hash is a one-way function that calculates a fixed-length output, called the digest, from an arbitrary-length input, called the message. The one-way property means that, given the message, it’s easy to calculate the digest. But, given the digest, one cannot find back the message.

The one-way property of a good cryptographic hash implies that no information is leaked from the message into the digest. For example, a small change in the input message may cause a large and seemingly random change in the digest. For the one-time password system, this property is important. It ensures that each one-time password will look very different from one authentication to the next.

The one-time password algorithm makes use of the SHA-1 cryptographic hash algorithm. This algorithm produces a digest of 160 bits. By today’s Internet standards, SHA-1 is considered old. It was developed by Ronald L. Rivest and published as a standard in 1995.

Is SHA-1 still adequate to create one-time passwords? Let’s consider the problem that an attacker must solve to break the one-time password system. Assume an attacker knows the SHA-1 digest of Frank’s last logon attempt. The attacker could now try to find a message that matches the observed digest. Indeed, knowing the message implies knowing a value of Frank’s secret and the counter. Such an attack is called a pre-image attack.

Fortunately, for SHA-1, there are no known (published) pre-image attacks that are more efficient than brute force trying all possible messages. It’s easy to see that this requires an astronomical number of messages values. For a 160-bit digest, the attacker can expect to test on the order of 2160 messages. Therefore it’s reasonable to conclude that SHA-1 is adequate for the one-time password algorithm. Note, however, that this does not imply that SHA-1 is adequate for any application. In another attack model, cryptographers worry about collisions, the possibility of an attacker finding a pair of messages that generate the same digest. For such attacks on SHA-1, significant progress has been made in recent years.

The one-time password scheme in Figure 1 combines two inputs into a single digest: a secret key and a counter value. To combine a static, secret key with a variable message, cryptographers use a keyed hash. The digest of a keyed hash is called a message authentication code (MAC). It can be used to verify the identity of the message sender.

Figure 2 shows how SHA-1 is used in a hash-based message authentication code (HMAC) construction. SHA-1 is applied twice. The first SHA-1 input is a combination of the secret key and the input message. The resulting digest is combined again with the secret key, and SHA-1 is then used to compute the final MAC. Each time, the secret key is mapped into a block of 512 bits. The first time, it is XORed with a constant array of 64 copies of the value 0×36. The second time, it is XORed with a constant array of 64 copies of the value 0x5C.

Figure 2—The SHA-1 algorithm on the left is a one-way function that transforms an arbitrary-length message into a 160-bit fixed digest. The Hash-based message authentication code (HMAC) on the right uses SHA-1 to combine a secret value with an arbitrary-length message to produce a 160-bit message authentication code (MAC).

THE HOTP ALGORITHM

With the HMAC construction, the one-time password algorithm can now be implemented. In fact, the HMAC can almost be used as is. The problem with using the MAC itself as the one-time password is that it contains too many bits. The secure token used by Frank does not directly communicate with the server. Rather, it shows a one-time password Frank needs to type in. A 160-bit number requires 48 decimal digits, which is far too long for a human.

OATH has proposed the Hash-based one-time password (HOTP) algorithm. HOTP uses a key (K) and a counter (C). The output of HOTP is a six-digit, one-time password called the HOTP value. It is obtained as follows. First, compute a 160-bit HMAC value using K and C. Store this result in an array of 20 bytes, hmac, such that hmac[0] contains the 8 leftmost bits of the 160-bit HMAC string and hmac[19] contains the 8 rightmost bits. The HOTP value is then computed with a snippet of C code (see Listing 1).

Listing 1—C code used to compute the HTOP value

There is now an algorithm that will compute a six-digit code starting from a K value and a C value. HOTP is described in IETF RFC 4226. A typical HOTP implementation would use a 32-bit C and an 80-bit K.

An interesting variant of HOTP, which I will be using in my implementation, is the time-based one-time password (TOTP) algorithm. The TOTP value is computed in the same way as the HOTP value. However, the C is replaced with a timestamp value. Rather than synchronizing a C between the secure token and the server, TOTP simply relies on the time, which is the same for the server and the token. Of course, this requires the secure token to have access to a stable and synchronized time source, but for a watch, this is a requirement that is easily met.

The timestamp value chosen for TOTP is the current Unix time, divided by a factor d. The current Unix time is the number of seconds that have elapsed since midnight January 1, 1970, Coordinated Universal Time. The factor d compensates for small synchronization differences between the server and the token. For example, a value of 30 will enable a 30-s window for each one-time password. The 30-s window also gives a user sufficient time to type in the one-time password before it expires.

IMPLEMENTATION IN THE eZ430-CHRONOS WATCH

I implemented the TOTP algorithm on the eZ430-Chronos watch. This watch contains a CC430F6137 microcontroller, which has 32 KB of flash memory for programs and 4,096 bytes of RAM for data. The watch comes with a set of software applications to demonstrate its capabilities. Software for the watch can be written in C using TI’s Code Composer Studio (CCStudio) or in IAR Systems’s IAR Embedded Workbench.

The software for the eZ430-Chronos watch is structured as an event-driven system that ties activities performed by software to events such as alarms and button presses. In addition, the overall operation of the watch is driven through several modes, corresponding to a particular function executed on the watch. These modes are driven through a menu system.

Photo 2 shows the watch with its 96-segment liquid crystal display (LCD) and four buttons to control its operation. The left buttons select the mode. The watch has two independent menu systems, one to control the top line of the display and one to control the bottom line. Hence, the overall mode of the watch is determined by a combination of a menu-1 entry and a menu-2 entry.

Photo 2—With the watch in TOTP mode, one-time passwords are shown on the second line of the display. In this photo, I am using the one-time password 854410. The watch display cycles through the strings “totP,” “854,” and “410.”

Listing 2 illustrates the code relevant to the TOTP implementation. When the watch is in TOTP mode, the sx button is tied to the function set_totp(). This function initializes the TOTP timestamp value.

Listing 2—Code relevant to the TOTP implementation

The function retrieves the current time from the watch and converts it into elapsed seconds using the standard library function mktime. Two adjustments are made to the output of mktime, on line 11 and line 12. The first factor, 2208988800, takes into account that the mktime in the TI library returns the number of seconds since January 1, 1900, while the TOTP standard sets zero time at January 1, 1970. The second factor, 18000, takes into account that my watch is set to Eastern Standard Time (EST), while the TOTP standard assumes the UTC time zone—five hours ahead of EST. Finally, on line 14, the number of seconds is divided by 30 to obtain the standard TOTP timestamp. The TOTP timestamp is further updated every 30 s, through the function tick_totp().

The one-time password is calculated by compute_totp on line 33. Rather than writing a SHA1-HMAC from scratch, I ported the open-source implementation from Google Authenticator to the TI MSP 430. Lines 39 through 50 show how a six-digit TOTP code is calculated from the 160-bit digest output of the SHA1-HMAC.

The display menu function is display_totp on line 52. The function is called when the watch first enters TOTP mode and every second after that. First, the watch will recompute the one-time password code at the start of each 30-s interval. Next, the TOTP code is displayed. The six digits of the TOTP code are more than can be shown on the bottom line of the watch. Therefore, the watch will cycle between showing “totP,” the first three digits of the one-time password, and the next three digits of the one-time password. The transitions each take 1 s, which is sufficient for a user to read all digits.

There is one element missing to display TOTP codes: I did not explain how the unique secret value is loaded into the watch. I use Google Authenticator to generate this secret value and to maintain a copy of it on Google’s servers so that I can use it to log on with TOTP.

LOGGING ONTO GMAIL

Google Authenticator is an implementation of TOTP developed by Google. It provides an implementation for Android, Blackberry, and IOS so you can use a smartphone as a secure token. In addition, it also enables you to extend your login procedure with a one-time password. You cannot replace your standard password with a one-time password, but you can enable both at the same time. Such a solution is called a two-factor authentication procedure. You need to provide a password and a one-time password to complete the login.

As part of setting up the two-factor authentication with Google (through Account Settings – Using Two-Step Verification), you will receive a secret key. The secret key is presented as a 16-character string made up of a 32-character alphabet. The alphabet consists of the letters A through Z and the digits 2, 3, 4, 5, 6, and 7. This clever choice avoids numbers that can confused with letters (8 and B, for example). The 16-character string thus represents an 80-bit key.

I program this string in the TOTP design for the eZ430-Chronos watch to initialize the secret. In the current implementation, the key is loaded in the function reset_totp().

base32_decode((const u8 *)
      ”4RGXVQI7YVY4LBPC”, stotp.key, 16);

Of course, entering the key as a constant string in the firmware is an obvious vulnerability. An attacker who has access to a copy of the firmware also has the secret key used by the TOTP implementation! It’s possible to protect or obfuscate the key from the watch firmware, but these techniques are beyond the scope of this article. Once the key is programmed into the watch and the time is correctly set, you can display TOTP codes that help you complete the logon process of Google. Photo 1 shows a demonstration of logging onto Google’s two-step verification with a one-time password.

OTHER USES OF TOTP

There are other possibilities for one-time passwords. If you are using Linux as your host PC, you can install the OATH Toolkit, which implements the HOTP and TOTP mechanisms for logon. This toolkit enables you to install authentication modules on your PC that can replace the normal login passwords. This enables you to effectively replace the password you need to remember with a password generated from your watch.

Incidentally, several recent articles—which I have included in the resources section of this article—point to the limits of conventional passwords. New technologies, including one-time passwords and biometrics, provide an interesting alternative. With standards such as those from OATH around the corner, the future may become more secure and user-friendly at the same time.

[Editor's note: This article originally appeared in Circuit Cellar 262, May 2012.]

Patrick Schaumont writes the Embedded Security column for Circuit Cellar magazine. He is an Associate Professor in the Bradley Department of Electrical and Computer Engineering at Virginia Tech. Patrick works with his students on research projects in embedded security, covering hardware, firmware, and software.

PROJECT FILES

To download the code, go to ftp://ftp.circuitcellar.com/pub/Circuit_Cellar/2012/262.

RESOURCES

Google Authenticator, http://code.google.com/p/google-authenticator.

Initiative for Open Authentication (OATH), www.openauthentication.org.

Internet Engineering Task Force (IETF), www.ietf.org.

D. M’Raihi, et al, “TOTP: Time-Based One-Time Password Algorithm,” IETF RFC 6238, 2011.

—, “HOTP: An HMAC-Based One-Time Password Algorithm,” IETF RFC 4226, 2005.

OATH Toolkit, www.nongnu.org/oath-toolkit.

K. Schaffer, “Are Password Requirements Too Difficult?,” IEEE Computer Magazine, 2011.

S. Sengupta, “Logging in With a Touch or a Phrase (Anything but a Password),” New York Times, 2011.

SOURCES

IAR Embedded Workbench – IAR Systems

eZ430-Chronos Wireless development system and Code Composer Studio (CCStudio) IDE – Texas Instruments, Inc.

 

Q&A: Miguel Sanchez (Professor, Designer)

Miguel Sánchez (PhD, Computer Science) is Valencia, Spain-based computer scientist, embedded tech enthusiast, and professor who regularly challenges himself to design innovative microcontroller-based systems. Since 2005, Circuit Cellar has published six of his articles about projects such as a digital video recorder (Circuit Cellar 174) and a creative DIY image-processing system (Circuit Cellar 263).

This is a sample depth image projected in a 3-D space. It appeared in Sanchez’s article, “Image Processing System Development.” (Source: M. Sanchez, Circuit Cellar 263)

In the September issue of Circuit Cellar, Sánchez tells us about his background, his work at the Universitat Politècnica de València, his current interests, and his innovative designs. An abridged version of the interview follows.

NAN PRICE: How long have you been designing microcontroller-based systems?

MIGUEL SANCHEZ: I started using computers in 1978. I built my first microcontroller project in 1984 during my first year at Universitat Politècnica de València. I haven’t stopped designing embedded systems since then.

NAN: Tell us about the first microcontroller you worked with. Where were you at the time?

MIGUEL: Our university’s lab had Intel SDK-85 boards you could program in Hex using the built-in keyboard. I guess it wasn’t built well. You sometimes lost all your work while typing your code. I learned that schematics were available and a terminal monitor was built in too. So, I built my first microcontroller-based board around an Intel 8085 using the same software that was on the original ROM. But, I changed the serial port delay value so I could use 9,600 bps instead of the original 110 bps on the terminal port. This way, I could do the same labs as my mates, but I could do my work in 8080 Assembler, which was available in Control Program/Monitor (CP/M) computers. At the time, I had an Atari 1040 ST that could run CP/M on top of a Z-80 emulator. Assembly code could be uploaded to my board’s RAM memory and later executed using SDK-85 serial monitor code.

I used the 8085’s Wait signal to build an additional EEPROM socket in this same board that, with the aid of a 555 timer, was my first EEPROM programmer. I used the Wait signal to delay write operations. In fact, I used this programmer to change the original baud rate to the new one, as I originally did not know that was something I’d want to change later.

My teacher, who is now one of my colleagues, was quite amused with my development and he gave me an A+. I learned a lot about microcontrollers, serial communications, Assembly language, monitor programs, and EEPROM programming algorithms. And, I learned it was not fun to design PCBs with system buses on only one copper layer. …

NAN: You designed a system to simulate strokes on a keypad to trigger modes on an alarm system (“Reverse-Engineered ECP Bus,” Circuit Cellar 201, 2007). Why did you design it and how have you used it?

MIGUEL: A local company wanted to give new life to old Ademco alarm units. These boards could only be programmed by a serial port socket once a certain service code was typed at the keyboard. I was asked whether an add-on board could be created to make these old boards Internet-enabled so they could be remotely managed and reconfigured over the ’Net.

The first thing I needed to do was to figure out how to simulate the required keystrokes. But I couldn’t find any information about the way that bus worked, so I figured that out myself. Later, I thought both the information itself and the way I figured it out might be useful to others, so I approached Circuit Cellar editors with a proposal to write an article.

That project ended up as a Rabbit-core powered board that connected the alarm board and the remote access to its serial port. Combined with a virtual serial port on the PC, it fooled the original management software into thinking the PC was directly connected to the alarm board, although it was all happening over the Internet. But the project never made it to the market for reasons unknown.

NAN: In “Three-Axis Stepper Controller” (Circuit Cellar 234, 2010), you describe how you built an Arduino-based, platform-independent driver board. Tell us about the design.

MIGUEL: When I discovered the Arduino platform, I was surprised by a few things. First, this development system was not designed by a chip vendor. Second, it was not intended for engineers but for artists! Third, I was shocked because it was multiplatform (which was possible because it was based on Java and GCC) and because none of the other development systems I was aware of were so easy to use. The price was low too, which was a plus for hobbyists and students.

The aim of that project was to show all that to the readers. The idea was also not only to show how to build a stepper controller and to explain the difference between the drive modes and the bipolar and unipolar designs, but to demonstrate how easy it was to work with Arduino.

In his 2010 article, “Three-Axis Stepper Controller,” Sanchez provided this controller circuit schematic to interface Arduino I/O headers with stepper motors. (Source: M. Sanchez, Circuit Cellar 234)

NAN: Your most recent Circuit Cellar article, “Image Processing System Development: Use an MCU to Unleash the Power of Depth Cameras” (263, 2012), describes how you used Microsoft’s Kinect motion-sensing device for an interactive art project. Tell us about the project and how you came to be involved.

MIGUEL: My university offers a master’s degree in fine arts. I met a professor from the drawing department who had seen a video of my vertical plotter on YouTube and was interested in contacting me, as we worked on the same campus. We became friends and he asked me to help him out with an idea for an installation.

The first approach used an RGB camera, but then Kinect was launched. From what I read on the ’Net, I was convinced it would be a better mousetrap. So, I bought one unit and started learning how to use it, thanks to the hack that had been made available.

The project required gathering visitors’ silhouettes and later drawing them on a big wall. The drawing was performed with a properly scaled-up version of my vertical plotter, which, by the way, was controlled by an Arduino board.

I have found working with artists is a lot of fun too, as they usually have a totally different vision than engineers.

The full article appears in the September issue.

Issue 266: EQ Answers

The answers to the Circuit Cellar 266 (July 2012) Engineering Quotient are now available. The problems and answers are listed below.

Problem 1—What’s the key difference between infinite impulse response (IIR) and finite impulse response (FIR) digital filters?

Answer 1—An infinite impulse response (IIR) filter incorporates feedback in its datapath, which means that any particular input sample can affect the output for an indefinite (infinite) time into the future. In contrast, a finite impulse response (FIR) filter uses only feedforward in its datapath, which means that any given input sample can only affect the output for a time corresponding to the number of storage (delay) stages in the filter.

Problem 2—Does the fact that the finite resolution of digital arithmetic effectively truncates the impulse response of an IIR filter turn it into an FIR filter?

Answer 2—While it’s technically true that the impulse response of an IIR filter implemented, say, with fixed-point arithmetic is effectively finite, this has no real bearing on its classification in terms of either its design or application. It’s still an IIR filter for all practical purposes.

Problem 3—The following pseudocode represents an implementation of a single-pole low-pass IIR filter, using 16-bit input and output values and a 24-bit internal accumulator and a filter coefficient of 1/256:


  # The 32-bit accumulator holds 16 integer
  # and 16 fractional bits
  $acc = 0x00000000;

  # The input value is a 16-bit integer.
  $input = 0xFFFF;

  # Offset used for rounding the accumulator
  # to 24 bits.
  $offset = 0x80;

  while (1) {
    # acc = (255*acc + input)/256
    $acc -= ($acc >> 8);
    $acc += ($input << 8) + $offset;
    # limit acc to 24 bits
    $acc &= 0xFFFFFF00;
    # output is integer part of acc
    $output = $acc >> 16;
  }

An implementor of this filter complained that “the output never reaches 0xFFFF.” What was the flaw in his reasoning?

Answer 3—The accumulator in this filter eventually settles at the value 0xFFFE8100. If you simply take the upper 16 bits of this, then the output value appears to be 0xFFFE. But if you properly round the accumulator by adding 0×00008000 before dropping the LSBs, then the output value is the correct value of 0xFFFF.

Problem 4—The original implementor’s solution was to change the $offset value to 0xFF. Why did this work?

Answer 4—Changing the $offset value to 0xFF effectively adds a bias to each input sample, which averages out to 0x00007F00 in the accumulator. The effect of this is to add the required rounding offset to the accumulator so that truncating the LSBs to create the 16-bit output value comes up with the correct answer.

.

Renesas RL78-Based Design Project Opportunities

Did you miss the 1:00 PM EST deadline for the Renesas RL78 Green Energy Challenge? Do you have an unfinished project? No worries! You can still make something of your RL78-related project and the work you’ve put into it! Circuit Cellar and Elektor have several exciting non-contest-related opportunities you’ll find interesting and advantageous!

The Circuit Cellar/Elektor staff wants to know about your work. Even if your project is unfinished, let the staff know what you’re working on and the project’s status. Upload your project or email us your information.

If the staff is interested in your work, an editor will consider approaching you about one or all of the following non-contest-related opportunities:

  • Distinctive Excellence: If the editorial team thinks your project has merit, you might be eligible for “Distinctive Excellence” designation. After past design challenges, Distinctive Excellence recipients added the honor to their resumes, wrote articles about their projects, and gained notoriety in the design community.
  • Print Magazine Opportunities: The editorial team might think your project is worthy of being published in Circuit Cellar or Elektor magazine. Design Challenges and the print magazine are completely separate. If you are offered an opportunity to write an article and it is published, you will paid a standard author honorarium.
  • CircuitCellar.com Opportunities: The Circuit Cellar editorial team will review your submission and consider posting it on CircuitCellar.com to show the world the effort and progress you’ve made. You can post your project info on the site in the spirit of sharing and the furtherance of engineering innovation! Who knows? Readers might provide you with valuable feedback about your unfinished project. Or perhaps you’ll inspire another person to build something of their own! Perhaps your project will catch the eye company looking to learn more about you work!
  • Interview Possibilities: The editorial team might find your approach to design interesting and consider interviewing you for an upcoming issue.
  • Future Design Collaboration: The Elektor Lab builds and tests innovative electronics projects. If your project—whether finished or in progress—interests an Elektor Lab engineer or editor, someone might contact you to discuss development, testing, or even production opportunities.

As you can see, you have some excellent reasons to contact the Circuit Cellar/Elektor staff.

To submit a finished project, an abstract, or simply info about our work, you can still use the Challenge Entry Form. Or, you can simply ZIP your files and email them to the Circuit Cellar Editorial Department. (Write “RL78 Project” and your project’s name or registration number in the email’s subject line.)