PROTECTING ONE-TIME-PASSWORDS AGAINST MAN-IN-THE-MIDDLE ATTACKS
Abstract
To authenticate, on the basis of a one-time-password, a user who holds an asymmetric crypto-key with a private/public key pair (D, E), the user partially signs a symmetric session key with the first portion D1 of the private key D. The authenticating entity receives the partially signed symmetric session key via the network and completes the signature with the second private key portion D2 to recover the symmetric session key. The user also encrypts a one-time-password with the symmetric session key. The authenticating entity also receives the encrypted one-time-password via the network, and decrypts the received encrypted one-time-password with the recovered symmetric session key to authenticate the user.
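As an added illustration, not the patent's own code, the following textbook-RSA walk-through runs both sides of the exchange described above. It assumes a multiplicative split D1*D2 = D (mod phi(N)), that the authenticating entity recovers the session key by applying the public exponent E to the completed signature, and that a hash-derived XOR keystream stands in for the unspecified symmetric cipher; the primes, function names and the sample one-time-password are all constructed.

```python
import secrets
from hashlib import sha256
from math import gcd

# Constructed key: two well-known Mersenne primes keep the demo small but exact.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)  # full private exponent; after the split no single party holds it


def split_private_key(d: int) -> tuple[int, int]:
    """Split D into D1 (held by the user) and D2 (held by the authenticating entity)
    such that D1 * D2 == D (mod PHI). This split is an assumption; the abstract
    does not state how D1 and D2 relate to D."""
    while True:
        d1 = secrets.randbelow(PHI - 2) + 2
        if gcd(d1, PHI) == 1:  # D1 must be invertible mod PHI for D2 to exist
            return d1, d * pow(d1, -1, PHI) % PHI


def keystream(session_key: int, length: int) -> bytes:
    # Stand-in for the symmetric cipher the abstract leaves unspecified.
    return sha256(session_key.to_bytes(16, "big")).digest()[:length]


def user_side(d1: int, otp: bytes) -> tuple[int, bytes]:
    """User: choose a session key K < N, partially sign it with D1, encrypt the OTP under K."""
    k = secrets.randbelow(N - 2) + 2
    partial_sig = pow(k, d1, N)  # K^D1 mod N: useless to anyone without D2
    enc_otp = bytes(a ^ b for a, b in zip(otp, keystream(k, len(otp))))
    return partial_sig, enc_otp  # both values travel over the network


def authenticator_side(d2: int, partial_sig: int, enc_otp: bytes) -> bytes:
    """Authenticating entity: complete the signature with D2, recover K, decrypt the OTP."""
    full_sig = pow(partial_sig, d2, N)  # (K^D1)^D2 = K^D mod N
    k = pow(full_sig, E, N)             # message recovery: (K^D)^E = K mod N
    return bytes(a ^ b for a, b in zip(enc_otp, keystream(k, len(enc_otp))))


def authenticate(d2: int, partial_sig: int, enc_otp: bytes, expected_otp: bytes) -> bool:
    """True only when the decrypted OTP matches; a wrong D2 yields a wrong K and fails."""
    return secrets.compare_digest(authenticator_side(d2, partial_sig, enc_otp), expected_otp)


if __name__ == "__main__":
    d1, d2 = split_private_key(D)
    sig, enc = user_side(d1, b"483921")  # constructed sample OTP
    print("authenticated:", authenticate(d2, sig, enc, b"483921"))
```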