You are evaluating the one-time password (OTP) solutions and a vendor proposed two models of OTP tokens. One solution is synchronous; the other is asynchronous. Which of the following is the primary cryptographic algorithm used in the synchronous solution to generate passwords? (Source: Wentz QOTD)
D. Clock timer
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. HMAC.
HMAC is the primary “cryptographic algorithm” used in OTP to generate passwords. Clock timer is one of the input parameters to HMAC for synchronous OTP to generate passwords. However, the clock timer is a parameter, not a “cryptographic algorithm.”
An OTP token generates a password dynamically for one-time use based on either time (synchronous) or sequence/counter (asynchronous). A clock reports the time to the OTP generator while the counter is stored in non-volatile memory (e.g., ) for the generation of the next password. Both the time-based OTP (TOTP) and counter-based OTP (HOTP) generators use the HMAC-SHA1 algorithm.
- HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)), K for Key and C for Counter
- TOTP(K,T) = Truncate(HMAC-SHA-1(K,T)), K for Key and T for Time
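To make the two formulas concrete, the following is an added Python example (not code from the original post) that implements HOTP and TOTP with the RFC 4226 dynamic truncation step and adds the server-side checks each token type needs; the key is the RFC 4226 test-vector secret, and the look-ahead and clock-skew windows are assumed parameters.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 test vectors (ASCII "12345678901234567890");
# a real token's seed is a random value provisioned into the device and the server.
RFC4226_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) per RFC 4226."""
    msg = struct.pack(">Q", counter)                   # C as an 8-byte big-endian integer
    digest = hmac.new(key, msg, algorithm).digest()    # the cryptographic step: HMAC
    offset = digest[-1] & 0x0F                         # dynamic truncation: low nibble picks offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)      # keep leading zeros


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """TOTP(K, T) per RFC 6238: the clock is only an input, T = floor(now / step)."""
    return hotp(key, unix_time // step, digits, algorithm)


def verify_hotp(key: bytes, candidate: str, last_counter: int, look_ahead: int = 10, digits: int = 6):
    """Server check for the counter-based token: search a small look-ahead window past the
    last accepted counter (token presses that never reached the server would otherwise
    leave the two sides out of sync). Returns the counter to persist, or None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(key, c, digits), candidate):  # constant-time compare
            return c
    return None


def verify_totp(key: bytes, candidate: str, unix_time: int, last_step: int,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Server check for the clock-based token: tolerate +/- `skew` steps of clock drift, but
    never accept a step at or below the last one used, so a code that was already consumed
    is not accepted again within its validity window. Returns the step to persist, or None."""
    current = unix_time // step
    for t in range(current - skew, current + skew + 1):
        if t > last_step and hmac.compare_digest(hotp(key, t, digits), candidate):
            return t
    return None
```

The values asserted below are the published RFC 4226 and RFC 6238 (SHA-1) test vectors, which is the quickest way to confirm an implementation's truncation and counter encoding are right.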
In cryptography, Lucifer was a direct precursor to the Data Encryption Standard (DES).
Rijndael is a block cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen. It won the AES (Advanced Encryption Standard) selection process and became the US cryptographic standard.
- HMAC-based One-time Password algorithm
- Time-based One-time Password algorithm