Security and Performance Considerations of Improved Password Authentication Algorithm, Based on OTP and Hash-Chains

Abstract

The paper presents an approach for password authentication based on one-time password and hash function that improves the security of the P2P authentication because no passwords are stored. Back in the years, Leslie Lamport, in his paper from 1981, proposes a method for password authentication, based on sequential hash calculations starting from a given initial value. Calculate and store the hashes locally in a file. We use this idea to measure the authentication time, and we go further with improving the security and the speed of authentication. The primary purpose of this research is to enhance the security around passwords authentication. We base this authentication on the improvement of the process of password authentication with two-factor authentication - one-time password (OTP) and hash chains. Preparation of the initial value uses the OTP password (also for the first hash calculation in the hash-chain), and it indicates/indexes exact hash from the hash-chain. Every time a client initiates an authentication process, the password will be different. The second purpose of the paper is to compare two different scenarios – with local files, used to store the passwords (Lamport’s idea), and the proposed approach – without storing the passwords. The time duration of the authentication between two nodes gives the comparison between both methods. The suggested approach can be applied in various immutable and distributed applications based on docker containers and microservices.