See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/321505506
Time-based one-time password for Wi-Fi authentication and security
Conference Paper · September 2017
DOI: 10.1109/ICACCI.2017.8126007
CITATIONS
READS
16
1,070
3 authors, including:
Deepthi L R
Amrita Vishwa Vidyapeetham
20 PUBLICATIONS 66 CITATIONS
SEE PROFILE
All content following this page was uploaded by Deepthi L R on 17 January 2022.
The user has requested enhancement of the downloaded file.
Time-based One-Time Password for Wi-Fi
Authentication and Security
Chandramohan Sudar1 , Arjun SK2 , Deepthi L R3
Department of Computer Science and Engineering
Amrita School of Engineering, Amritapuri
Amrita Vishwa Vidyapeetham
Amrita University
Kerala, India
1
chandramohansudar@gmail.com 2 arjunsk15@gmail.com 3 lrdeepthi2002@gmail.com
Abstract—In the age of IOT, as more and more devices are
getting connected to the internet through wireless networks, a
better security infrastructure is required to protect these devices
from massive attacks. For long SSIDs and passwords have been
used to authenticate and secure Wi-Fi networks. But the SSID
and password combination is vulnerable to security exploits like
phishing and brute-forcing. In this paper, a completely automated
Wi-Fi authentication system is proposed, that generates Timebased One-Time Passwords (TOTP) to secure Wi-Fi networks.
This approach aims to black box the process of connecting to a
Wi-Fi network for the user and the process of generating periodic
secure passwords for the network without human intervention.
A. Wired Equivalent Privacy (WEP)
Keywords—Time-based One-Time Password (TOTP), Internet of
Things (IOT), Service Set Identifier (SSID), WiFi Security.
B. Wi-Fi Protected Access (WPA)
I.
I NTRODUCTION
Today Wi-Fi networks can be found everywhere, anywhere
from restaurants, coffee shops to educational and business
institutions. It has become the most convenient and affordable
way to provide access to the internet and corporate networks.
Wi-Fi stands for Wireless Fidelity. It is primarily a Local Area
Network designed to provide broadband coverage wirelessly,
based on the IEEE 802.11 specifications (WLAN). It works
similar to other wireless devices, by using radio frequencies
to send signals between devices. These signals are transmitted
through access points which consist of radio transceivers and
antennas. Since these signals are transmitted by air, they can
be intercepted by any device within the range of the access
point. If these signals are unencrypted, the transmission can
be read by anyone. About 25% of all Wi-Fi networks in the
world use no form of encryption which has led to a number of
high-profile attacks. Non-secure Wi-Fi networks, whether due
to user error or obsolete standards, can pose a serious threat
to personal and business security.
II.
W I -F I S ECURITY P ROTOCOLS
Wi-Fi security protocols[3] have undergone multiple upgrades in terms of their encryption algorithm as well as in their
Key management. The available wireless security protocols
are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access
(WPA) and Wi-Fi Protected Access2 (WPA2).
978-1-5090-6367-3/17/$31.00 ©2017 IEEE
1212
WEP is an encryption algorithm, intended to provide a
secure communication channel between two end users of a
Wireless Local Area Network (WLAN). It uses RC4 algorithm
for encryption and uses key sizes ranging from 40-bits to 104bits. This key is called the Pre-Shared Key (PSK) which is
manually set by the user. A 24-bit Initialization Vector (IV) is
also added and directly transmitted. Data is XORed with the
key and transmitted as plain text. This authentication is weak
as these packets can be intercepted and deciphered easily.
WPA was created to overcome the limitations with WEP.
It was based on WEP but used a stronger encryption known
as the Temporal Key Integrity Protocol (TKIP) that offers prepacket key and message integrity check to overcome the issues
with WEP. TKIP takes the original master key and derives its
encryption keys mathematically from the master key. Encryption keys are then rotated so that the same encryption key
is never used twice. It was used as an intermediate standard
until the more secure protocol WPA2 was created by the IEEE
802.11 group.
C. Wi-Fi Protected Access 2 (WPA2)
WPA2 is the certified name for IEEE 802.11i. The core difference between WPA and WAP2 lies in the requirement of the
Counter Mode Cipher Block Chaining Message Authentication
Code Protocol (CCMP) encryption with WPA2. It doesn’t
simply use the RC4 algorithm like WEP or WPA. Rather
it uses Counter mode with CBC-MAC Protocol (CCMP) to
encrypt the network traffic. For encryption, CCMP relies on
the Advanced Encryption Standard (AES) algorithm. WPA2 is
also backward compatible with WPA and is often offered using
WPA/WPA2 mixed mode to allow easy transition from WPA.
WPA2 is considered to be the most secure protocol available.
III.
W I -F I N ETWORK S ECURITY I SSUES
Even though WPA2 protocol is considered to be the most
secure protocol available, it still uses a password as the key
to authenticate the user. So it is prone to all password based
attacks like brute forcing, dictionary attack, rainbow attack and
most importantly phishing in the case of Wi-Fi attacks.
A. Brute Forcing
Brute force attack is when the attacker tries all possible
passwords in an attempt to eventually crack the correct password. This is done by trying out all possible combinations of
characters in sequence. In theory, this can be used to break
into any password based authentication and is mostly used
only when no other form of weakness can be used to break
into the system. Although this is a time-consuming approach,
the speed at which brute-force can be completed depends on
the computer hardware used. The faster the hardware, the more
capable it is for doing more calculations per second. However,
WPA2 is mostly resilient to brute forcing while WEP is highly
vulnerable to this attack.
B. Dictionary Attack
Brute force password cracking is not efficient for sufficiently long passwords. User generated passwords are rarely
actually random. Most passwords will be ordinary, human
memorable words. This weakness is exploited in this attack.
Instead of trying out all possible combination of characters,
a dictionary consisting of all probable words are used. This
dictionary is generated based on the knowledge about natural
language, mathematical symbols, logical language and users
habits. As more and more password databases are broken
into, these dictionaries get better over time. Often several
dictionaries are used in combination to achieve better success
rates. Dictionary attacks are often used to decrypt the WPA2PSK key.
C. Rainbow Attack
Passwords are never stored as plaintext. Instead, they are
passed through one-way hash functions and their outputs are
saved. Even if the attacker were to gain access to this hashed
output, it’s not possible to reconstruct the password from
the hash alone. But they can be reconstructed using rainbow
tables. Rainbow tables consist of large pre-generated data set of
hashes from nearly every possible combination of characters.
An attacker can calculate all these hashes on the fly, but having
a local table of pre-generated hash values enables the attacker
to proceed significantly faster. Rainbow attack is faster than
dictionary attack owing to the time-memory trade-off.
D. Phishing
Phishing[4] is an attempt to obtain sensitive information
by disguising as a trustworthy entity in any form of electronic
communication. In the case of Wi-Fi networks, phishing is
usually carried out by setting up a wireless access point using
a legitimate SSID that the user often connects to. After a victim
has connected to the disguised access point, the attacker can
then use a variety of techniques like Man-in-the-middle attack
to access the private information of the user. The user would be
perfectly unaware of such an attack being carried out. Phishing
is the most popular attack carried out on Wi-Fi networks. It is
estimated that phishing owes to a loss of approximately $3.2
billion dollars a year.
1213
IV.
W I -F I S ECURITY M EASURES
A. MAC Address Filtering
Every device is associated with a unique Media Access
Control (MAC) address which is used to identify the device in
a network. MAC address filtering is a measure that allows a
network administrator to selectively choose the devices that
can access the network using their MAC addresses. MAC
addresses of devices that are authorized to access the network
are added to a Whitelist and those which are restricted are
added to a Blacklist which effectively blocks them from
accessing the network. However this method is futile when
the attacker spoofs his MAC address with that of a Whitelisted
MAC address to disguise his identity.
B. Captive Portal
Captive portal is a landing page that is shown to the user
when connecting to public Wi-Fi networks. This system uses
an open Wi-Fi network, the users are first allowed to connect to
the network without entering the Wi-Fi password and are then
redirected to a landing page where the authentication is carried
out. This essentially blocks the user from gaining broader
access to the network until the user verification has been
established. User verification is usually carried out through
simple login services. Captive portals are typically used in
airports, restaurants, coffee shops, and other places that offer
free WiFi. Captive portals are also used as a means to ensure
the users, that, they are connecting to their legitimate network.
However this method requires a web browser to display the
landing page and authenticate the user. Hence this measure is
not applicable to IOT devices[7]. Furthermore, this system is
also prone to packet sniffing and other attacks as the attacker
can directly connect to the open Wi-Fi network without the
password.
V.
PASSWORD BASED AUTHENTICATION
The password is by far the weakest link in cyber security
today. It is a persistent problem that we cant seem to solve.
However, there are a number of ways to strengthen passwords
through further authentication. A well-accepted framework
relies on coupling something that you know, with something
that you have. The password is something that you know,
meaning that it is vulnerable to all kinds of the aforementioned
threats. However, by using something that you have for further
authentication eliminates these threats. Google introduced the
first large-scale two-step verification system[2] through its
login services wherein, if a user were to login from a new
computer, the user would need to first sign-in and then enter a
6-digit code that is sent to the users registered phone number
which can be received as a text or through a voice call. This
6-digit code acts as a one-time password because it can only
be used to log in once and is valid only for a short period of
time usually under 30 seconds.
This two-step verification using one-time passwords has
been widely adopted today ranging from use-cases like user
verification in apps and websites to authorizing payments in
banking services. Using the phone as something that we have,
something that can be trusted to authorize a secure handshake
is a step towards better security. But we still need to ensure
that, what we have cannot be tapped into by someone else.
Sending a text or a voice call to a phone requires a mobile
network, meaning it relies on the security infrastructure of
a 3rd party service provider to maintain the integrity of the
one-time password. Thus there is the need to generate onetime passwords directly on the clients device without 3rd party
intervention. But the server also needs to generate the same
one-time password alongside to verify. This gave rise to Timebased One Time passwords.
VI.
According to RFC 6238[1], TOTP is a variant of the
HMAC-based One-Time Password (HOTP) algorithm that calculates the one-time password by replacing the incrementing
counter with the current time stamp. The reference implementation of the HOTP algorithm is as follows:
2)
T HE P ROPOSED S YSTEM
The proposed system adds an extra layer of security to the
existing WPA2 protocol by generating the WPA2 passwords
using the TOTP algorithm. The Wi-Fi network password is
periodically changed by the access point while the same
passwords are generated simultaneously by the clients in their
usage devices using the TOTP algorithm.
A. Working
T IME - BASED O NE -T IME PASSWORD
Time-based One Time password (TOTP) is an algorithm
that generates a One-Time password[5] using a shared key and
the current time. TOTP is now widely used for a two-factor
authentication process to login to websites or other services.
The authentication proceeeds as follows, the user will enter the
username and password to login. Upon successful submission,
the TOTP is requested by the server to complete the login.
This TOTP is generated locally on the user’s smartphone or
any other trusted device. The server will also run TOTP to
verify if the entered one-time password matches with the one
generated by the server. The session between the server and
the user is then opened and the user can securely access the
system.
1)
VII.
HMAC (K, C) = SHA1 (K ⊕ Ox5c5c... II SHAI (K
⊕ Ox3636... II C))
HOTP (K, C) = Truncate (HMAC (K, C)) &
Ox7FFFFFFF
The implementation is currently carried out in the Application level. Two applications are used to used to govern
the whole process, a client application and an access point
application. The client application is responsible for identifying
and connecting the device to the legitimate Wi-Fi network
while the access point application creates the access point
in the Wi-Fi network and periodically changes the Wi-Fi
password. To obtain access to the Wi-Fi network, the client
application has to first register the device with the access point
application through a one-time registration process. During this
process, the secret key required to generate the TOTP is shared
with the client application. Once the registration is complete,
the client application generates the current TOTP to establish
the Wi-Fi connection and periodically generates the TOTPs to
maintain the connection.
B. Android Implementation
As proof of concept, the proposed system is implemented
using the Android platform with two Android devices. The
access point is created by starting a Wi-Fi hotspot in one device
while the other device connects to this Wi-Fi hotspot to mimic
the client. Two native Android applications have been built to
implement the proposed system.
1. Access Point application
where K is a secret key and C is a counter.
HOTP algorithm is based on an increasing counter value
and a static symmetric key known only to the token and the
validation service. In order to create the HOTP value, the
HMAC-SHA-1 algorithm is used.
2. Client application
As the output of HMAC-SHA-1 calculation is 160 bits,
it must be truncated to something that can be easily entered
by the user. The Truncate method is used to extract a 4-byte
dynamic binary code from a 160-bit HMAC-SHA-1 result.
The current time stamp is turned into an integer Time
Counter (TC) that depends on two parameters; the start of
an epoch (TO) and the Time Step (TS). The TOTP values are
computed as follows:
1)
2)
3)
TC = (time now - time (TO)) / TS.
TOTP = HOTP(secretkey(K), TC)
TOTP value = TOTP mod 10d
where d is the desired number of digits for the one-time
password.
Ideally the time steps are kept under a minute to allow
the users to quickly access the generated TOTP from a trusted
device and enter the password to authenticate the login service.
After the time step has expired, the password is no longer valid
and a new password is generated.
1214
Fig. 1: Access Point Application
The access point application registers a new device by
generating a QR code[6] which is encoded with the SSID of
the access point and the secret key required to generate the
TOTP. The client then scans the QR code using the client
application. Using the SSID and the secret key the client
application then connects the device to the access point by
generating the current TOTP set as the Wi-Fi password. Fig. 1
shows the QR code generation and the basic GUI of the access
point application. Once the access point is active, it lists all
the registered devices, their MAC addresses, and their active
state.
The client application scans the QR code and decodes
the SSID of the access point with the secret key. It starts
generating the TOTP codes in synchronization with access
point. Fig. 2 shows the TOTP codes generated by the access
point application and the client application.
R EFERENCES
[1]
[2]
[3]
[4]
[5]
[6]
[7]
Fig. 2: TOTP generation in the Access Point and Client
The status tab on the access point and the client application
displays the current TOTP code generated. The circular arc
represents the time step of the TOTP. Once the TOTP expires
a new TOTP is generated simultaneously on both the access
point and client.
VIII.
C ONCLUSION
The proposed system can be deployed in all conventional
Wi-Fi networks on the application level. Password based
attacks are ineffective to this system as the password keeps
changing over time. Even if an attacker is successful, by the
time the attacker cracks the password, the current password
would have expired and a new password would be in use. The
narrower the time frame, the more secure the network. Phishing attacks are also ineffective as the user does not manually
connect to any disguised access point. The client application
handles the job of connecting to the access point, which can
distinguish between the legitimate and disguised access point.
Thus making Wi-Fi networks secure and convenient for both
the clients and the network administrators.
View publication stats
1215
D. MRaihi, S. Machani, M. Pei & J. Rydell, TOTP: Time-Based OneTime Password Algorithm, Internet Engineering Task Force, May 2011.
Eric Grosse & Mayank Upadhyay, Authentication at Scale,
IEEE
Security & Privacy, Volume 11, issue 1, pages 15-22, Jan.-Feb. 2013
Changhua He, Analysis of Security Protocols for Wireless Networks,
Department of Electrical Engineering, Stanford University, December
2005.
Gowtham, R. & Krishnamurthi I. A comprehensive and efficacious
architecture for detecting phishing webpages, Computers and Security,
Volume 40, Pages 23-37, February 2014
Srivastava S. & Amit Agrawal On the generation of alphanumeric one
time passwords,
Proceedings of the International Conference on
Inventive Computation Technologies, ICICT 2016, Volume 1, January
2017
Devashish Kumar, Sivasankar M. & Puneet Goyal Efficiently Improving
the Security of OTP,
2015 International Conference on Advances in
Computer Engineering and Applications (ICACEA)
Shivraj V L, Rajan M A, Meena Singh & Balamuralidhar P One Time
Password Authentication Scheme based on Elliptic Curves for Internet
of Things (IoT),
The 5th IEEE National Symposium on Information
Technology: Towards Smart World