Time-based One-Time Password for Wi-Fi Authentication and Security

Conference Paper · September 2017 · DOI: 10.1109/ICACCI.2017.8126007
978-1-5090-6367-3/17/$31.00 ©2017 IEEE

Chandramohan Sudar¹, Arjun SK², Deepthi L R³
Department of Computer Science and Engineering, Amrita School of Engineering, Amritapuri, Amrita Vishwa Vidyapeetham, Amrita University, Kerala, India
¹ chandramohansudar@gmail.com, ² arjunsk15@gmail.com, ³ lrdeepthi2002@gmail.com

Abstract—In the age of IOT, as more and more devices are getting connected to the internet through wireless networks, a better security infrastructure is required to protect these devices from massive attacks. For a long time, SSIDs and passwords have been used to authenticate and secure Wi-Fi networks. But the SSID and password combination is vulnerable to security exploits like phishing and brute-forcing. In this paper, a completely automated Wi-Fi authentication system is proposed that generates Time-based One-Time Passwords (TOTP) to secure Wi-Fi networks. This approach aims to black box the process of connecting to a Wi-Fi network for the user and the process of generating periodic secure passwords for the network without human intervention.

Keywords—Time-based One-Time Password (TOTP), Internet of Things (IOT), Service Set Identifier (SSID), Wi-Fi Security.

I. INTRODUCTION

Today Wi-Fi networks can be found everywhere, from restaurants and coffee shops to educational and business institutions. It has become the most convenient and affordable way to provide access to the internet and corporate networks. Wi-Fi stands for Wireless Fidelity. It is primarily a Local Area Network designed to provide broadband coverage wirelessly, based on the IEEE 802.11 specifications (WLAN). It works similarly to other wireless devices, by using radio frequencies to send signals between devices. These signals are transmitted through access points which consist of radio transceivers and antennas. Since these signals are transmitted by air, they can be intercepted by any device within the range of the access point. If these signals are unencrypted, the transmission can be read by anyone. About 25% of all Wi-Fi networks in the world use no form of encryption, which has led to a number of high-profile attacks. Non-secure Wi-Fi networks, whether due to user error or obsolete standards, can pose a serious threat to personal and business security.

II. WI-FI SECURITY PROTOCOLS

Wi-Fi security protocols[3] have undergone multiple upgrades in terms of their encryption algorithm as well as in their key management. The available wireless security protocols are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2).

A. Wired Equivalent Privacy (WEP)

WEP is an encryption algorithm intended to provide a secure communication channel between two end users of a Wireless Local Area Network (WLAN). It uses the RC4 algorithm for encryption and uses key sizes ranging from 40 bits to 104 bits. This key is called the Pre-Shared Key (PSK), which is manually set by the user. A 24-bit Initialization Vector (IV) is also added and directly transmitted. Data is XORed with the key and transmitted as plain text. This authentication is weak as these packets can be intercepted and deciphered easily.

B. Wi-Fi Protected Access (WPA)

WPA was created to overcome the limitations with WEP.
It was based on WEP but used a stronger encryption known as the Temporal Key Integrity Protocol (TKIP), which offers a per-packet key and message integrity check to overcome the issues with WEP. TKIP takes the original master key and derives its encryption keys mathematically from the master key. Encryption keys are then rotated so that the same encryption key is never used twice. It was used as an intermediate standard until the more secure protocol WPA2 was created by the IEEE 802.11 group.

C. Wi-Fi Protected Access 2 (WPA2)

WPA2 is the certified name for IEEE 802.11i. The core difference between WPA and WPA2 lies in the requirement of the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption with WPA2. It doesn't simply use the RC4 algorithm like WEP or WPA. Rather, it uses Counter mode with CBC-MAC Protocol (CCMP) to encrypt the network traffic. For encryption, CCMP relies on the Advanced Encryption Standard (AES) algorithm. WPA2 is also backward compatible with WPA and is often offered using WPA/WPA2 mixed mode to allow easy transition from WPA. WPA2 is considered to be the most secure protocol available.

III. WI-FI NETWORK SECURITY ISSUES

Even though the WPA2 protocol is considered to be the most secure protocol available, it still uses a password as the key to authenticate the user. So it is prone to all password based attacks like brute forcing, dictionary attack, rainbow attack and, most importantly in the case of Wi-Fi attacks, phishing.

A. Brute Forcing

A brute force attack is when the attacker tries all possible passwords in an attempt to eventually crack the correct password. This is done by trying out all possible combinations of characters in sequence. In theory, this can be used to break into any password based authentication and is mostly used only when no other form of weakness can be used to break into the system.
Although this is a time-consuming approach, the speed at which brute-force can be completed depends on the computer hardware used. The faster the hardware, the more calculations per second it can perform. However, WPA2 is mostly resilient to brute forcing while WEP is highly vulnerable to this attack.

B. Dictionary Attack

Brute force password cracking is not efficient for sufficiently long passwords. User generated passwords are rarely actually random. Most passwords will be ordinary, human memorable words. This weakness is exploited in this attack. Instead of trying out all possible combinations of characters, a dictionary consisting of all probable words is used. This dictionary is generated based on knowledge about natural language, mathematical symbols, logical language and users' habits. As more and more password databases are broken into, these dictionaries get better over time. Often several dictionaries are used in combination to achieve better success rates. Dictionary attacks are often used to decrypt the WPA2-PSK key.

C. Rainbow Attack

Passwords are never stored as plaintext. Instead, they are passed through one-way hash functions and their outputs are saved. Even if the attacker were to gain access to this hashed output, it's not possible to reconstruct the password from the hash alone. But they can be reconstructed using rainbow tables. Rainbow tables consist of a large pre-generated data set of hashes from nearly every possible combination of characters. An attacker can calculate all these hashes on the fly, but having a local table of pre-generated hash values enables the attacker to proceed significantly faster. A rainbow attack is faster than a dictionary attack owing to the time-memory trade-off.

D. Phishing

Phishing[4] is an attempt to obtain sensitive information by disguising as a trustworthy entity in any form of electronic communication.
In the case of Wi-Fi networks, phishing is usually carried out by setting up a wireless access point using a legitimate SSID that the user often connects to. After a victim has connected to the disguised access point, the attacker can then use a variety of techniques, such as a man-in-the-middle attack, to access the private information of the user. The user would be completely unaware of such an attack being carried out. Phishing is the most popular attack carried out on Wi-Fi networks. It is estimated that phishing accounts for a loss of approximately $3.2 billion a year.

IV. WI-FI SECURITY MEASURES

A. MAC Address Filtering

Every device is associated with a unique Media Access Control (MAC) address which is used to identify the device in a network. MAC address filtering is a measure that allows a network administrator to selectively choose the devices that can access the network using their MAC addresses. MAC addresses of devices that are authorized to access the network are added to a whitelist, and those which are restricted are added to a blacklist, which effectively blocks them from accessing the network. However, this method is futile when the attacker spoofs his MAC address with that of a whitelisted MAC address to disguise his identity.

B. Captive Portal

A captive portal is a landing page that is shown to the user when connecting to public Wi-Fi networks. This system uses an open Wi-Fi network: the users are first allowed to connect to the network without entering the Wi-Fi password and are then redirected to a landing page where the authentication is carried out. This essentially blocks the user from gaining broader access to the network until the user verification has been established. User verification is usually carried out through simple login services. Captive portals are typically used in airports, restaurants, coffee shops, and other places that offer free Wi-Fi.
Captive portals are also used as a means to assure the users that they are connecting to their legitimate network. However, this method requires a web browser to display the landing page and authenticate the user. Hence this measure is not applicable to IOT devices[7]. Furthermore, this system is also prone to packet sniffing and other attacks, as the attacker can directly connect to the open Wi-Fi network without the password.

V. PASSWORD BASED AUTHENTICATION

The password is by far the weakest link in cyber security today. It is a persistent problem that we can't seem to solve. However, there are a number of ways to strengthen passwords through further authentication. A well-accepted framework relies on coupling something that you know with something that you have. The password is something that you know, meaning that it is vulnerable to all kinds of the aforementioned threats. However, using something that you have for further authentication eliminates these threats.

Google introduced the first large-scale two-step verification system[2] through its login services wherein, if a user were to log in from a new computer, the user would need to first sign in and then enter a 6-digit code that is sent to the user's registered phone number, which can be received as a text or through a voice call. This 6-digit code acts as a one-time password because it can only be used to log in once and is valid only for a short period of time, usually under 30 seconds. This two-step verification using one-time passwords has been widely adopted today, ranging from use-cases like user verification in apps and websites to authorizing payments in banking services.

Using the phone as something that we have, something that can be trusted to authorize a secure handshake, is a step towards better security. But we still need to ensure that what we have cannot be tapped into by someone else.
Sending a text or a voice call to a phone requires a mobile network, meaning it relies on the security infrastructure of a 3rd party service provider to maintain the integrity of the one-time password. Thus there is a need to generate one-time passwords directly on the client's device without 3rd party intervention. But the server also needs to generate the same one-time password alongside to verify. This gave rise to Time-based One-Time Passwords.

VI. TIME-BASED ONE-TIME PASSWORD

Time-based One-Time Password (TOTP) is an algorithm that generates a one-time password[5] using a shared key and the current time. TOTP is now widely used for a two-factor authentication process to log in to websites or other services. The authentication proceeds as follows: the user enters the username and password to log in. Upon successful submission, the TOTP is requested by the server to complete the login. This TOTP is generated locally on the user's smartphone or any other trusted device. The server will also run TOTP to verify that the entered one-time password matches the one generated by the server. The session between the server and the user is then opened and the user can securely access the system.

According to RFC 6238[1], TOTP is a variant of the HMAC-based One-Time Password (HOTP) algorithm that calculates the one-time password by replacing the incrementing counter with the current time stamp. The reference implementation of the HOTP algorithm is as follows:

1) $\mathrm{HMAC}(K, C) = \mathrm{SHA1}(K \oplus \mathtt{0x5c5c\ldots} \parallel \mathrm{SHA1}(K \oplus \mathtt{0x3636\ldots} \parallel C))$
2) $\mathrm{HOTP}(K, C) = \mathrm{Truncate}(\mathrm{HMAC}(K, C)) \mathbin{\&} \mathtt{0x7FFFFFFF}$

where K is a secret key and C is a counter. The HOTP algorithm is based on an increasing counter value and a static symmetric key known only to the token and the validation service. In order to create the HOTP value, the HMAC-SHA-1 algorithm is used.

As the output of the HMAC-SHA-1 calculation is 160 bits, it must be truncated to something that can be easily entered by the user. The Truncate method is used to extract a 4-byte dynamic binary code from a 160-bit HMAC-SHA-1 result.

The current time stamp is turned into an integer Time Counter (TC) that depends on two parameters: the start of an epoch (T0) and the Time Step (TS). The TOTP values are computed as follows:

1) $TC = (\text{time now} - \text{time}(T_0)) / TS$
2) $TOTP = \mathrm{HOTP}(\text{secretkey}(K), TC)$
3) $\text{TOTP value} = TOTP \bmod 10^{d}$

where d is the desired number of digits for the one-time password.

Ideally the time steps are kept under a minute to allow the users to quickly access the generated TOTP from a trusted device and enter the password to authenticate the login service. After the time step has expired, the password is no longer valid and a new password is generated.

VII. THE PROPOSED SYSTEM

The proposed system adds an extra layer of security to the existing WPA2 protocol by generating the WPA2 passwords using the TOTP algorithm. The Wi-Fi network password is periodically changed by the access point while the same passwords are generated simultaneously by the clients in their usage devices using the TOTP algorithm.

A. Working

The implementation is currently carried out at the application level. Two applications are used to govern the whole process: a client application and an access point application. The client application is responsible for identifying and connecting the device to the legitimate Wi-Fi network, while the access point application creates the access point in the Wi-Fi network and periodically changes the Wi-Fi password.

To obtain access to the Wi-Fi network, the client application has to first register the device with the access point application through a one-time registration process. During this process, the secret key required to generate the TOTP is shared with the client application. Once the registration is complete, the client application generates the current TOTP to establish the Wi-Fi connection and periodically generates the TOTPs to maintain the connection.

B. Android Implementation

As proof of concept, the proposed system is implemented using the Android platform with two Android devices. The access point is created by starting a Wi-Fi hotspot in one device while the other device connects to this Wi-Fi hotspot to mimic the client. Two native Android applications have been built to implement the proposed system:

1. Access Point application
2. Client application

[Fig. 1: Access Point Application]

The access point application registers a new device by generating a QR code[6] which is encoded with the SSID of the access point and the secret key required to generate the TOTP. The client then scans the QR code using the client application. Using the SSID and the secret key, the client application then connects the device to the access point by generating the current TOTP set as the Wi-Fi password. Fig. 1 shows the QR code generation and the basic GUI of the access point application. Once the access point is active, it lists all the registered devices, their MAC addresses, and their active state.

The client application scans the QR code and decodes the SSID of the access point with the secret key. It starts generating the TOTP codes in synchronization with the access point. Fig. 2 shows the TOTP codes generated by the access point application and the client application.

[Fig. 2: TOTP generation in the Access Point and Client]

The status tab on the access point and the client application displays the current TOTP code generated. The circular arc represents the time step of the TOTP. Once the TOTP expires, a new TOTP is generated simultaneously on both the access point and client.

VIII. CONCLUSION

The proposed system can be deployed in all conventional Wi-Fi networks on the application level. Password based attacks are ineffective against this system as the password keeps changing over time. Even if an attacker is successful, by the time the attacker cracks the password, the current password would have expired and a new password would be in use. The narrower the time frame, the more secure the network. Phishing attacks are also ineffective as the user does not manually connect to any disguised access point. The client application handles the job of connecting to the access point, and can distinguish between the legitimate and disguised access point. This makes Wi-Fi networks secure and convenient for both the clients and the network administrators.

REFERENCES

[1] D. M'Raihi, S. Machani, M. Pei & J. Rydell, TOTP: Time-Based One-Time Password Algorithm, Internet Engineering Task Force, May 2011.
[2] Eric Grosse & Mayank Upadhyay, Authentication at Scale, IEEE Security & Privacy, Volume 11, Issue 1, pages 15-22, Jan.-Feb. 2013.
[3] Changhua He, Analysis of Security Protocols for Wireless Networks, Department of Electrical Engineering, Stanford University, December 2005.
[4] Gowtham R. & Krishnamurthi I., A comprehensive and efficacious architecture for detecting phishing webpages, Computers and Security, Volume 40, pages 23-37, February 2014.
[5] Srivastava S. & Amit Agrawal, On the generation of alphanumeric one time passwords, Proceedings of the International Conference on Inventive Computation Technologies, ICICT 2016, Volume 1, January 2017.
[6] Devashish Kumar, Sivasankar M. & Puneet Goyal, Efficiently Improving the Security of OTP, 2015 International Conference on Advances in Computer Engineering and Applications (ICACEA).
[7] Shivraj V L, Rajan M A, Meena Singh & Balamuralidhar P, One Time Password Authentication Scheme based on Elliptic Curves for Internet of Things (IoT), The 5th IEEE National Symposium on Information Technology: Towards Smart World.
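
The TOTP computation of Section VI applied to the password rotation of Section VII, as an added example that is not the authors' Android code. It assumes a 30-second time step, T0 = 0 and 8 digits (a WPA2-PSK passphrase needs at least 8 characters, so 6-digit codes cannot be used); the key is the RFC 6238 SHA-1 test secret, and `wifi_passphrase` and `candidate_passphrases` are hypothetical helper names.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B SHA-1 test secret, standing in for the key shared at registration.
DEMO_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) & 0x7FFFFFFF, reduced mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_counter(now: float, t0: int = 0, step: int = 30) -> int:
    """TC = (time now - T0) / TS, with floor division."""
    return (int(now) - t0) // step


def wifi_passphrase(key: bytes, now: float, step: int = 30, digits: int = 8) -> str:
    """Passphrase that the access point and a registered client both derive at `now`."""
    # WPA2-PSK passphrases need at least 8 characters, so 6-digit codes are rejected;
    # the 31-bit truncated value has at most 10 decimal digits.
    if not 8 <= digits <= 10:
        raise ValueError("digits must be between 8 and 10 for a WPA2 passphrase")
    return hotp(key, time_counter(now, step=step), digits)


def candidate_passphrases(key: bytes, now: float, step: int = 30, window: int = 1) -> list:
    """Hypothetical client-side helper: passphrases of adjacent steps, to absorb clock drift."""
    tc = time_counter(now, step=step)
    return [hotp(key, tc + i) for i in range(-window, window + 1)]


if __name__ == "__main__":
    ap_clock, client_clock = 1111111109, 1111111111  # constructed: clocks 2 s apart
    print("AP    :", wifi_passphrase(DEMO_KEY, ap_clock))
    print("client:", wifi_passphrase(DEMO_KEY, client_clock))
    print("client candidates:", candidate_passphrases(DEMO_KEY, client_clock))
```

The two constructed clock readings straddle a step boundary, so the access point and client derive different passphrases even though they are only two seconds apart; the neighbouring-step candidates show how a client can still find the passphrase currently in force.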