OTP System Based on ECC Key Exchange

Abstract

The user id and corresponding passwords are generally used for identifying a user in cyberspace. However, this information is not enough to prove that the right person has provided these details. This is where authentication has a role to play. Authentication is the process of proving the identity of a user on a computer system. Identification is used to recognize a person or thing's identity, while authentication is the procedure for verifying that identity. The system can ensure that the right person accesses its resources through authentication. The user has to give some credentials that no one else possesses. It is sometimes called multifactor authentication. One form of multifactor authentication is the one time password (OTP). While using critical services like e-commerce, the user is authenticated using OTP before making the actual payment. Upon receiving the OTP, the user enters it on the client site, which is sent to the server for validation. Submitting OTP to the server through the open network makes it prone to all sorts of attacks that can happen on the open network. An OTP system based on Elliptic Curve Cryptography (ECC) is proposed to avoid sending OTP through an open network. Through the ECC key exchange mechanism, OTP can be generated simultaneously at the server-side and client-side. Hence it is not required to send OTP back to the server for verification. The client itself can verify the OTP without sending it to the server. Not only that, OTP can be used as a session key for all the transactions in the session.