
Design and Implementation of Secure OTP Generation for IoT Devices

Young-Sae Kim1 and Jeong-Nyeo Kim1

1 Electronics and Telecommunications Research Institute (ETRI), 34129 Daejeon, Rep. of Korea
{vincent, jnkim}@etri.re.kr

Abstract. This paper presents a secure design and implementation of a One Time Password (OTP) generation scheme with an OTP generation engine based on a Mobile Trusted Module (MTM). In order to enhance the security of IoT services as well as that of IoT devices, we integrate a hardware-based OTP generation engine into the MTM and design a new OTP generation procedure that interacts with this engine. The new design is implemented and verified on our prototype IoT device equipped with the MTM. The results show that the proposed architecture provides an efficient security solution suitable for IoT devices and services.

Keywords: OTP, IoT, MTM, security

1 Introduction

Security in the IoT environment can be approached in various ways from a technical point of view [1]. However, considering the basic configuration of IoT, in which a person, a device, and a service are connected, the security of the device and that of the service are the key technologies for IoT security. Therefore, it is indispensable to protect IoT devices from security threats, to keep the devices safe, and to guarantee the security of the device. In addition, security-enhanced user authentication should be applied to make IoT services more secure.

In the field of device security, various technologies have been studied, such as the secure element (SE) [2] and the MTM [3]. In the field of service security, OTP authentication is used as a strong authentication method for secure user authentication [4, 5]. However, it is difficult to apply current security technologies directly to the IoT environment. Therefore, it is necessary to study security technology that can provide protection suitable for the IoT environment.

In this paper, we have developed and verified an OTP generation scheme based on the MTM, which is a kind of security technology suitable for the IoT environment. This paper is organized as follows. Section 2 describes related works and security issues related to IoT, and Section 3 shows the proposed design of the OTP generation engine and application. In Section 4, the implementation and verification results are reported. Finally, conclusions are presented in Section 5.

Advanced Science and Technology Letters Vol.146 (FGCN 2017), pp.75-80

http://dx.doi.org/10.14257/astl.2017.146.15

ISSN: 2287-1233 ASTL Copyright © 2017 SERSC

2 Related Works

2.1 IoT Security

With the growth of IoT, security threats such as security vulnerabilities, privacy violations, forgery, hacking, and malfunction are growing in parallel. In general, IoT technology includes various element technologies such as sensing, data processing, networking, and low-power consumption. However, considering that security threats can cause economic losses, paralysis of social infrastructure, and even threats to persons, security technology should also be developed as a component technology for IoT, and various research efforts related to IoT security are being carried out [6-8]. Therefore, for IoT devices, especially client devices for IoT services such as smart phones, it is essential to develop security technologies dedicated to IoT services such as data protection, user authentication for service use, access control, and so on.

2.2 MTM

The MTM is a kind of chip which is installed in mobile devices such as smart phones to provide a Root of Trust and to guarantee the device integrity based on hardware-based security functions such as secure storage and cryptographic primitives [3]. TCG standardizes this mobile-specific, hardware-based security module, which can solve security problems such as user authentication, platform authentication, device authentication and data protection for mobile devices or embedded systems.

2.3 OTP Authentication

With the increase of user authentication services and of attacks on traditional authentication methods, the need for improved security of user authentication grows. Traditional static password authentication methods are widely used due to their convenience. However, they often suffer from attacks such as eavesdropping, replay, and guessing. To avoid these attacks, OTP authentication is usually adopted to support 2-factor authentication in various fields such as finance, web portals, and games [4, 5].

One-time password authentication, by default, requires a user-side OTP generator, called a token, for the generation of dynamic passwords. Recently, OTP generation in mobile devices is being increasingly used as a way to facilitate OTP authentication without a dedicated OTP hardware token. This is referred to as a mobile OTP token. However, the mobile OTP is usually an application implemented purely in software on a mobile terminal. As a consequence, the important information used to generate the mobile OTP, or the OTP value itself, can be compromised by an external attack.

In this paper, we propose an MTM-based OTP generator, a new OTP generation technology that solves the problems of existing mobile OTP technology and provides security for IoT devices.


3 Design

This section describes the design of the MTM-based OTP engine, which is the core module of the proposed OTP generator. In order to provide a secure service, the proposed OTP generator constructs a secure device environment through the MTM, which provides integrity functions and various security functions for IoT client devices, and adds an OTP generation engine to the MTM for secure user authentication. Because this is a hardware-based security technology that does not depend on the software platform of the device, it is easy to apply to various kinds of client devices in numerous IoT services.

3.1 OTP Generation Engine

As described in Section 2, the MTM provides integrity assurance, secure storage, and various encryption functions based on hardware security. In general, the MTM is implemented as a chip and mounted on a mobile device. The proposed architecture of the MTM is shown in Fig. 1. The MTM shown in Fig. 1 is an expanded MTM with a security service engine in addition to the basic function engines of the MTM. The security service engine includes an OTP generation engine.

Although the OTP generation engine is separate from the MTM functions, the hash function required for OTP generation uses the MTM's cryptographic processor, and the seed that must be safely stored for OTP generation is designed to use the secure storage function in Flash memory. This has the advantage that the OTP generation engine can be implemented by reusing the resources of the MTM chip without adding any resources.

Fig. 1. Proposed architecture for the MTM


3.2 OTP Generation Application

To generate an OTP value based on the expanded MTM with the OTP generation engine, the OTP generation application on the device is designed as shown in Fig. 2. There are four main functional blocks: the MTM-based OTP generation engine, the OTP generation API (Application Programming Interface), the OTP management API, and the user interface.

In the OTP generation process, the application on the device only plays the role of forwarding the OTP generation request and showing the generated OTP value to the user. In practice, the creation of the OTP value and the storage of the important data are performed on the independent hardware MTM. As a result, the OTP can be generated securely.

Fig. 2. Procedure design of the OTP Application

4 Implementation and Verification

The MTM-based OTP generation engine is implemented in the proposed MTM chip. Then, the OTP generation application is implemented on an IoT client device with the MTM chip. This section describes the implementation and test results of the OTP generation.

4.1 Implementation

First, the implementation of the MTM chip uses a smart card IC which has been verified and used in various security products. Second, a mobile device based on Android OS was made as a prototype IoT client device embedded with the MTM chip. Finally, the OTP generation function is performed at application level in conjunction with the MTM chip.

Table 1 summarizes the features of the implemented MTM chip and Fig. 3 shows the prototype IoT device with the MTM chip.


Table 1. MTM chip features

    Parameter        Value
    Size             3.2 mm x 2.9 mm
    Chip Core        Smart Card IC
    I/O Interface    UART

Fig. 3. Prototype of the implemented IoT device

4.2 Verification

To verify the MTM-based OTP generation function, a reference OTP application and the OTP authentication server provided for OTP verification are utilized [9]. Since the reference application is implemented in software only, it is modified according to the design of the hardware-based OTP generation so that the OTP generation function and the storage of the important data are performed in conjunction with the OTP generation engine of the MTM.

Fig. 4. Verification procedure of OTP generation


Fig. 4 shows the verification procedure in which the OTP value generated by the modified OTP generation app on the prototype device with the MTM is verified at the authentication server.
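The trust boundary described in Sections 3.1, 3.2 and 4.2 (seed kept inside the engine, app only relaying the request and the value, server verifying against its enrolled copy) can be modelled in software. The following is an added example and not the paper's code; the hash construction (HMAC-SHA-256 over a time counter with RFC 4226-style truncation) and the server's skew window are assumptions, since the paper only states that a hash function and a securely stored seed are used and that the reference server of [9] performed verification.

```python
import hashlib
import hmac
import struct


class OtpEngine:
    """Stand-in for the OTP generation engine inside the MTM (assumed interface).
    The seed is held only here, modelling the chip's secure Flash storage; no
    method ever returns it, only the derived OTP value leaves the engine."""

    def __init__(self, seed: bytes, step_seconds: int = 30, digits: int = 6):
        self._seed = seed            # never exported
        self.step = step_seconds
        self.digits = digits

    def generate(self, unix_time: int) -> str:
        # Assumed construction: HMAC over the time-step counter (the paper only
        # says "hash function" computed by the cryptographic processor).
        counter = unix_time // self.step
        mac = hmac.new(self._seed, struct.pack(">Q", counter), hashlib.sha256).digest()
        offset = mac[-1] & 0x0F                      # dynamic truncation
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % (10 ** self.digits)).zfill(self.digits)


def app_request_otp(engine: OtpEngine, unix_time: int) -> str:
    """The device-side application (Section 3.2): forwards the generation
    request and displays the result. It never sees or stores the seed."""
    return engine.generate(unix_time)


class OtpServer:
    """Authentication server holding the enrolled seed copy. It accepts the
    current step plus `window` steps on either side to tolerate clock skew."""

    def __init__(self, seed: bytes, window: int = 1):
        self._engine = OtpEngine(seed)
        self.window = window

    def verify(self, otp: str, unix_time: int) -> bool:
        for k in range(-self.window, self.window + 1):
            candidate = self._engine.generate(unix_time + k * self._engine.step)
            if hmac.compare_digest(candidate, otp):   # constant-time compare
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-example-seed-not-a-real-secret"   # constructed value
    t0 = 1_700_000_010                                      # constructed time
    otp = app_request_otp(OtpEngine(seed), t0)
    print("OTP:", otp, "accepted:", OtpServer(seed).verify(otp, t0))
```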

5 Conclusion

This paper presents the design and implementation of an efficient OTP generation engine for IoT client devices that require both device security and service security. For this purpose, both the MTM and the OTP generation app are modified: a novel hardware-based OTP engine is added to the MTM, and the OTP generation app is designed to interwork with the expanded MTM. We also present a new procedure to implement the hardware/software co-design of OTP generation in IoT devices. The results of implementation and verification show that the proposed architecture is a good solution for the practical implementation of OTP authentication for IoT security.

Acknowledgments. This work was supported by the Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2015-0-00508, Development of Operating System Security Core Technology for the Smart Lightweight IoT Devices).

References

1. ITU, "The Internet of Things", ITU Internet Reports, (2005).
2. J. Guaus, L. Kanniainen, P. Koistinen, P. Laaksonen, K. Murphy, J. Remes, N. Taylor and O. Welin, "Best Practice for Mobile Financial Services: Enrolment Business Model Analysis", Mobey Forum Mobile Financial Services Ltd., Helsinki, (2008).
3. M. Kim, H. Ju, Y. Kim, J. Park and Y. Park, "Design and implementation of mobile trusted module for trusted mobile computing", IEEE Transactions on Consumer Electronics, vol. 56, no. 8, (2010), pp. 134-140.
4. N. Haller, C. Metz, P. Nesser and M. Straw, "A One-Time Password System", IETF RFC 2289, (1998).
5. ITU-T, "Management framework of a one time password-based authentication service", Recommendation X.1153, (2011).
6. R. H. Weber, "Internet of things - new security and privacy challenges", Computer Law & Security Review, vol. 26, (2010), pp. 23-30.
7. D. Gessner, A. Olivereau, A. S. Segura and A. Serbanati, "Trustworthy Infrastructure Services for a Secure and Privacy-respecting Internet of Things", Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, (2012), pp. 998-1003.
8. S. Keoh, S. Kumar and H. Tschofenig, "Securing the internet of things: A standardization perspective", IEEE Internet of Things Journal, vol. 1, no. 3, (2014), pp. 265-275.
9. Mobile OTP project, http://motp.sourceforge.net/
