Scientific article on the topic 'Development of a multifactor authentication method based on hybrid crypto-code constructions on flawed codes'

Specialty: Computer and information sciences

CC BY
Keywords
CYBERSECURITY / INFORMATIZATION OBJECT / DECISION SUPPORT SYSTEM / EXPERT ASSESSMENT / DELPHI METHOD / MCELIECE AND NIEDERREITER HYBRID CRYPTO-CODE SYSTEMS ON FLAWED CODES / MULTIFACTOR AUTHENTICATION

Abstract of the scientific article in computer and information sciences; authors of the work: Yevseiev S., Kots H., Minukhin S., Korol O., Kholodkova A.

A method and a model for managing the cyber protection of an informatization object have been developed, based on the comprehensive implementation of a decision support system in information protection tasks. The system allows analysts to work on-line, which substantially reduces the time and expert resources needed when making management decisions on information security. Test results of the software package «Decision support system for enterprise cybersecurity management» are presented.


The development of the method of multifactor authentication based on hybrid cryptocode constructions on defective codes

The proposed security mechanisms in hybrid crypto-code systems, based on Niederreiter and McEliece modified asymmetric crypto-code systems on flawed codes, allow further use of the methods of strict two-factor authentication on OTP passwords (OTP based 2FA). To ensure the required security and efficiency in the multi-factor authentication protocol, the McEliece and Niederreiter modified asymmetric crypto-code systems are used, allowing integrated reliability provision in information transmission on the basis of error-correction coding on elliptic codes. The use of the MV2 algorithm ensures an increase in the total entropy of the key and the physical separation of the transmission of the authenticator parts by various mobile/Internet communication channels based on multi-channel cryptography systems on flawed codes. The proposed mathematical models and algorithms for the practical implementation of the Niederreiter and McEliece HCCSFC make it possible to significantly reduce the energy capacity of group operations by reducing the power of the Galois field to GF(2^4)-GF(2^6) by additional transformations based on the MV2 algorithm, ensuring the required cryptographic strength.

Text of the scientific work on the topic «Development of a multifactor authentication method based on hybrid crypto-code constructions on flawed codes»

OTP technologies (Technology of One-Time Passwords) make it possible to reduce the risks that IT specialists of IEN face when using long-term passwords. Methods of forming OTP passwords and the main threats to their use are analyzed. Mathematical models for constructing a multi-factor authentication protocol based on hybrid crypto-code constructions on flawed codes (HCCSFC) are considered, and practical algorithms for their implementation are proposed.

Keywords: multi-factor authentication, hybrid crypto-code constructions on flawed codes, one-time passwords

UDC 621.391

DOI: 10.15587/1729-4061.2017.109879

THE DEVELOPMENT OF THE METHOD OF MULTIFACTOR AUTHENTICATION BASED ON HYBRID CRYPTOCODE CONSTRUCTIONS ON DEFECTIVE CODES

S. Yevseiev
PhD, Associate Professor, Senior Researcher* E-mail: serhii.yevseiev@m.hneu.edu.ua

H. Kots
PhD, Associate Professor* E-mail: dekanstei@gmail.com

S. Minukhin
Doctor of Technical Sciences, Professor* E-mail: minukhin.sv@gmail.com

O. Korol
PhD, Associate Professor* E-mail: olha.korol@m.hneu.edu.ua

A. Kholodkova
PhD, Associate Professor* E-mail: anny.kholodkova@gmail.com

*Department of Information Systems, Simon Kuznets Kharkiv National University of Economics, Nauky ave., 9-A, Kharkiv, Ukraine, 61166

1. Introduction

The development of information education networks (IEN) is closely connected with the task of ensuring the security of the network facing IT. The solution is formed of many components, one of them is secure authentication. OTP technologies (Technology of One-Time Passwords) will reduce the risks faced by IT specialists of IEN when using long-term passwords.

The further development of corporate educational systems based on the informatization of services and the use of remote access to network resources puts forward new requirements for ensuring security (integrity, confidentiality, accessibility and authenticity) when receiving educational services. To ensure authenticity, IEN (CES) commonly uses an electronic digital signature, based on multi-factor or enhanced authentication. It is based on the joint use of several factors of authentication (knowledge, means or objects of storage of one of the information components of a legitimate authentication procedure). This approach significantly increases the security of information usage, at least on the part of users connecting to information systems over secure and unprotected communication channels. Among methods of multi-factor authentication, a method based on SMS authentication has become widely used. However, its use carries significant security risks, and other, more secure methods are needed, such as the Time-based One-Time Password Algorithm (TOTP) with additional cryptographic protection.

2. Literature review and problem statement

Modern universities, as objects of informatization, have a number of features: a diversified nature of activities, the presence of spatial infrastructure (branches, representative offices), the diversity of forms and methods of teaching. Adaptation to the constantly changing conditions of the educational market, electronic interaction with legal organizations, periodic change in the status of teachers and students lead to the need to consider corporate educational systems (CES) as management systems with critical cybernetic infrastructure [1, 2].

Information (corporate) education systems are increasingly using the global Internet (GI) and its main portal - cellular communication for the provision of educational services, electronic document management and administrative functions. One of the main components of security in the use of various technologies and gadgets is electronic authentication (EA) - a procedure that confirms the authenticity of the source of the message. The main mechanisms for electronic authentication are mechanisms based on symmetric and asymmetric encryption, electronic digital signatures (in the mechanisms of PKI technologies (X.509 standard), IPSec, PGP, S/MIME certificates), MDC and MAC code generation procedures [5-7]. In [8], basic requirements to the architecture and mechanisms of safety in cellular technology of the fourth generation (4G, Long Term Evolution (LTE)) are considered, the security basis of which are the mechanisms of protection in the stack of TCP/IP and MAC codes. In the standard [11], derivatives of the SHA-3 (Keccak) algorithm are proposed for the formation of MAC codes based on the SHAKE, KMAC, TupleHash and ParallelHash derived algorithms, each of which is defined for the 128-bit and 256-bit MAC code sequence.

A special place among the mechanisms of EA is occupied by two-factor authentication methods based on various smart cards, USB keys, OTP passwords [9, 10, 12-14]. Multi-factor authentication methods have become widespread among hi-tech organizations, financial and insurance sectors of the market, large banking institutions, and public sector enterprises. The trends of consumerization in IEN lead to the fact that users need to use different types of devices to access resources of the corporate educational network - a fixed or mobile computer, tablet or smartphone is used [9, 10]. One-time password technology (OTP) can help implement a strong two-factor authentication and will not require significant implementation and support costs [9]. OTP is virtually invulnerable to attacks based on network packet analysis and additionally requires the user to enter a PIN, which is an additional factor of authentication [9]. Thus, two-factor authentication of the user in the system is formed on the basis of owning something (Authentication by Ownership) or on the basis of knowledge of something (Authentication by Knowledge) [9].

The downside of using OTP passwords is that an attacker can "intercept" the text (SMS) with one part of the token. Attackers can compromise two-factor authentication based on social engineering methods (message forwarding through the provider) [3, 4] by means of the International Mobile Subscriber Identity (IMSI), using communication protocol weaknesses [15, 16].

For this reason, the National Institute of Standards and Technology (NIST) in [6] is going to prohibit the use of two-factor authentication codes based on OTP passwords for services that connect to public IT systems. Thus, there is a contradiction between the use of OTP passwords in the protocols of two-factor authentication and provision of security in the transfer of its individual factors.

3. The aim and objectives of the study

The aim is to develop an improved method of strict two-factor authentication with OTP password based on hybrid crypto-code systems on flawed codes that allows the further use of 2FA based on SMS, and to construct mathematical models and practical algorithms for implementing McEliece and Niederreiter modified asymmetric crypto-code systems on flawed codes.

To achieve the aim, let us consider the following objectives:

- to analyze the main methods of forming OTP passwords, the main threats to use;

- to describe the mathematical models of hybrid crypto-code systems on flawed codes, based on McEliece and Niederreiter modified asymmetric crypto-code systems (MACCS) on elliptic codes;

- to develop practical algorithms for data encryption and decryption in Niederreiter-McEliece hybrid crypto-code systems on flawed codes (HCCSFC).

4. Analysis of the main methods of construction of OTP passwords

Authentication based on electronic (digital) authentication establishes that the subject is actually who they claim to be. Digital authentication is the process of determining the authenticity of one or more authenticators used to obtain a digital identity. Authentication establishes that a subject attempting to access a digital service controls the technologies used for authentication. For services that use return visits, successful authentication provides reasonable risk-based guarantees that the entity accessing the service today is the same as the one who previously accessed the service [6, 9, 10].

Two-factor authentication, or 2FA, is a method of identifying a user in a service where two different types of authentication data are used. The introduction of an additional level of security provides more effective protection of an account from unauthorized access. With this type of 2FA, the user enters a personal password at the first level of authentication. The next step is to enter the one-time password (OTP), usually sent via SMS to the mobile device. OTP will be available only to those who, as expected in theory, have entered a password inaccessible to others [13, 14]. The Authenticator Assurance Levels (AALs) defined in [6] are presented in Fig. 1.

The analysis of requirements [6, 17-21] to the methods of forming OTP passwords showed that:

- memorable secret authenticator - commonly called a password or, if numeric, PIN - is a secret value intended for selection and memorization by the user; it must consist of 8 characters, be difficult enough to memorize and kept secret. For the formation of a secret authenticator, it is proposed to use the algorithms for generating MAC codes: HMAC [FIPS 198-1], SHA-3 [FIPS 202], CMAC [SP 800-38B] or Keccak Message Authentication Code (KMAC), configurable SHAKE (cSHAKE) or ParallelHash [SP 800-185];

- look-up secret authenticator - a physical or electronic record that stores a set of secrets shared between the applicant and the CSP (Center for Security Policy). To create a list of secrets, a standardized random bit generator [SP 800-90Ar1] is used [21];

- out-of-band authenticator - a physical device that is uniquely addressed and can safely communicate with the verifier through a separate communication channel, called a secondary channel. The device is owned and controlled by the applicant and supports private communication on this secondary channel, separately from the primary channel for electronic authentication. For the formation of the secondary channel, public switched networks (4G LTE) can be used. The authenticator is transmitted in encrypted form [8];

- single-factor OTP device generates an OTP. This category includes hardware devices and OTP software generators installed on mobile gadgets. These devices have a built-in secret that is used as a key for generating OTP and does not require activation through a second factor. Symmetric and asymmetric cryptoalgorithms are used to generate the key. OTP is displayed on the device and entered manually for transfer to the verifier, thereby proving the ownership and management of the device;

- multi-factor OTP device generates an OTP for use in authentication after activation with an additional authenticator. The device uses hardware devices and OTP software generators based on symmetric cryptoalgorithms, or hashing functions, installed on mobile gadgets. The second authentication factor can be achieved with the help of some built-in input pad, an integrated biometric reader (for example, a fingerprint) or a direct computer interface (for example, a USB port). OTP is displayed on the device and entered manually for transmission to the verifier;

- single-factor cryptographic software authenticator is a cryptographic key stored on a disk or some other "soft" medium. Single-factor cryptographic software authenticators encapsulate a private key that is unique to the authenticator. Authentication is carried out by checking the ownership and control of the key;

- single-factor cryptographic device is a hardware device that performs cryptographic operations using a secure cryptographic key and provides an authenticator output through a direct connection to the user endpoint. The device uses built-in symmetric or asymmetric cryptographic keys and does not require activation through a second authentication factor. Authentication is performed by checking the ownership of the device using the authentication protocol;

- multi-factor cryptographic software authenticator - a cryptographic key stored on a disk or some other "soft" medium that requires activation through a second authentication factor. Authentication is carried out by checking the ownership and control of the key;

- multi-factor cryptographic device - a hardware device that performs cryptographic operations using one or more secure cryptographic keys and requires activation through the second authentication content. Authentication is performed by checking the ownership of the device and control of the key. The authenticator output is provided by direct connection to the user endpoint and strongly depends on the particular cryptographic device and protocol. Multi-factor authenticators of cryptographic devices use equipment protected from unauthorized access to encapsulate a private key.

Authenticator assurance levels (text recovered from Fig. 1):

Authentication level 1 (AAL1). AAL1 provides some confidence that the applicant controls the authenticator associated with the subscriber account. AAL1 is provided by single-factor or multifactor authentication procedures using a wide range of available authentication technologies. Permitted authenticator types:

- Memorized Secret;

- Look-up Secret;

- Out-of-Band;

- Single-factor one-time password (OTP) device (SF OTP Device);

- Multifactor OTP device (MF OTP Device);

- Single-factor cryptographic software (SF Crypto Software);

- Single-factor cryptographic device (SF Crypto Device);

- Multifactor cryptographic software (MF Crypto Software);

- Multifactor cryptographic device (MF Crypto Device).

Authentication level 2 (AAL2). AAL2 provides a high confidence that the applicant controls the authenticator(s) tied to the subscriber account. Proof of ownership and control of two different authentication factors is required by secure authentication protocol(s). Permitted authenticator types:

- MF OTP Device;

- MF Crypto Software;

- MF Crypto Device;

- Memorized Secret plus one of: Look-up Secret, Out-of-Band, SF OTP Device, SF Crypto Software, SF Crypto Device.

Authentication level 3 (AAL3). AAL3 provides a very high confidence that the applicant controls the authenticator(s) tied to the subscriber account. Authentication in AAL3 is based on proof of possession of the key through a cryptographic protocol. Permitted authenticator types:

- MF Crypto Device;

- SF Crypto Device plus Memorized Secret;

- SF OTP Device plus MF Crypto Device or Software;

- SF OTP Device plus SF Crypto Software plus Memorized Secret.

Thus, to ensure strict authentication in the IEN, it is proposed to use integrated mechanisms for providing two-factor authentication based on multi-channel cryptography on persistent cryptoalgorithms that ensure the security of the OTP passwords used.

Biometric methods form a probabilistic verification approach and do not provide key privacy (fingerprint, diaphragm, facial characteristics). Therefore, they can be used as an additional factor of multi-factor authentication with the help of a physical authenticator based on a secure channel between the sensor and the verifier.

Method based on Passwindows allows generating OTP passwords without using cryptographic procedures based on the bar code of the seven-segment element. However, the studies of this method and the proposed monitoring algorithm [12] allow hacking the Passwindows system in 3-5 sessions by forming a bar code of the u card of the user of banking services.

Fig. 2 shows the main threats to authenticators, which can be classified according to the types of authentication factors based on attacks [6].

The conducted threat analysis based on the synergistic approach to threat assessment [14] showed that attackers today use an integrated approach to obtaining personal data and authenticators of users of IES service providers. As a rule, hacking methods are based on combining social engineering techniques with traditional methods of masquerading and infiltration.

In addition, new types of cyber attacks are used to effectively integrate malicious software into mobile communications, which in turn leads to a decrease in the profitability of multi-factor authentication methods based on SMS messages and OTP passwords in IEN.

Thus, it becomes necessary to use additional means to ensure the confidentiality of the transfer of authenticators in open switched mobile systems/4G LTE.

Fig. 2. Classification of threats by the type of the classifier

5. Development of a multi-factor authentication protocol based on hybrid crypto-code systems on flawed codes

The analysis of attacks on authenticators of multi-factor authentication schemes using OTP passwords allows us to formulate the basic requirements for such protocols:

- increasing the number of multi-factor authentication factors;

- increasing the length of secrets, the use of persistent standardized cryptoalgorithms;

- the use of encryption procedures for transmission over open GI channels, mobile open networks;

- increasing the requirements for the level of security in the system and network devices of GI and mobile networks;

- raising the level of information and cyber literacy of users.

To ensure the requirements, the authors propose to use the crypto-code systems considered in [13, 14, 22]. In [1], practical algorithms for constructing hybrid crypto-code systems on flawed codes are considered that allow improving the multi-factor authentication scheme in order to increase the level of cryptographic strength and authenticity of the authenticator generated.

To do this, the bank card (BC) must store the following data elements [13, 14]:

1) Certification Authority Public Key Index - since the terminal can work with several certification authorities, this value specifies which key the terminal must use when working with this card;

2) Issuer Public Key Certificate is signed by the appropriate certification authority;

3) Public Key Certificate of BC - is signed by the issuer and is formed on the basis of McEliece MCCS;

4) Issuer Public Key Modulus and Exponent;

5) Public Key Modulus and Exponent of BC;

6) Private Key of BC.

The terminal supporting the multi-factor authentication scheme must store the public keys of all certification authorities and associated information relating to each of the keys.

The terminal must also be able to select the appropriate keys based on the index (1) and some special identification information.


To support multi-factor authentication, the user's bank card (BC) must have its own key pair (public and private authenticator keys). The public key of the BC is stored on the BC in the public key certificate. Each public key of the BC is certified by the issuer, and the trusted certification authority certifies the public key of the issuer. This means that to verify the card's authenticator, the terminal first needs to check the two certificates in order to recover and authenticate the public key of the BC, which is then used to verify the authenticator of the BC.

The proposed authentication process consists of five steps:

1) Restoration of the certification authority public key by the terminal. The terminal reads the index (1), identifies and retrieves the certification authority public key modulus, the disguise matrix (X, P, D); equation of a curve for an algebraic geometric code (AGC), and associated information stored in it, selects appropriate algorithms.

2) Obtaining the initialization vector (secret "places" in the error vector - shortening bits) from the issuer bank. Formation of the OTP code (error vector based on the Niederreiter modified crypto-code system (MCCS)).

3) Formation of the authenticator based on the use of McEliece MCCS. Obtaining the codeword (authenticator) based on the use of the crypto-code system by adding the obtained codeword with the session key.

4) Formation of the flawed text of the authenticator and the damage [23, 24].

5) Authentication. Finding the multiplicity of the error vector and comparing it with the obtained one. The structure of the proposed method of two-factor authentication based on the HCCSFC is shown in Fig. 3.

Fig. 3. Block diagram of the protocol of the improved OTP authentication method based on the HCCSFC

In the authors' opinion, an important advantage of this multi-factor authentication scheme is the provision of the required indicators of cryptographic strength and authenticity of transmitted authenticators based on the use of McEliece and Niederreiter modified asymmetric crypto-code systems. The transfer methods of multi-channel cryptography systems on flawed codes allow the use of open mobile communication channels for the transmission of authentication tokens. The transfer of the flawed text of the OTP password and damage through open mobile communication channels using the Niederreiter MCCS provides the confidentiality of the OTP password. An additional factor of cryptographic strength is the use of the flawed text of the authenticator and/or damage (session key - error vector).

Thus, the use of hybrid crypto-code systems on flawed codes allows increasing the number of authenticator tokens, using two asymmetric crypto-code systems, two/four channels of transmission of the flawed text of the authenticator and the damage.

Scalability of the software module by changing the parameters of the Niederreiter and/or McEliece MCCS, depending on the requirements for the IES communication channels, provides its software implementation in mobile gadgets and compatibility with the protocols used for data transmission in the Internet and mobile networks.

6. Mathematical models of McEliece and Niederreiter MCCS on flawed codes, practical implementation algorithms

Let us consider a formal description of the McEliece modified crypto-code system on flawed codes used in the two-factor authentication protocol.

To construct a mathematical model, we use the basic provisions in [25] for a formal mathematical definition of a secret system. In [22], a formal description of the mathematical model of McEliece MACCS on modified elliptic codes was considered; in [1], a universal mechanism of damage and methods of transmission in systems on flawed codes were considered.

The mathematical model of McEliece MACCS on the basis of shortening (reduction of information symbols) is formally defined by the following elements [22]:

- a set of plaintexts

$M = \{M_1, M_2, \ldots, M_{q^k}\}$,

where $M_i = \{I_0, I_1, \ldots, I_{h_j}, \ldots, I_{k-1}\}$, $\forall I_j \in GF(q)$, $h_j$ are the information symbols equal to zero, $|h| = \frac{1}{2}k$, that is, $I_i = 0$, $\forall I_i \in h$;

- a set of ciphertexts (codegrams)

$C = \{C_1, C_2, \ldots, C_{q^k}\}$,

where $C_i = (c^*_{X_0}, c^*_{X_1}, \ldots, c^*_{h_j}, \ldots, c^*_{X_{n-1}})$, $\forall c^*_{X_j} \in GF(q)$;

- a set of direct mappings (based on public key usage - generating matrix), where

$\varphi_i : M \to C_{k-h_j}$, $i = 1, 2, \ldots, s$;

- a set of inverse mappings (based on private key usage - disguise matrices)

$\varphi^{-1} = \{\varphi_1^{-1}, \varphi_2^{-1}, \ldots, \varphi_s^{-1}\}$,

where $\varphi_i^{-1} : C_{k-h_j} \to M$, $i = 1, 2, \ldots, s$;

- a set of keys, parameterizing direct mappings (public key of the authorized user)

$K_{a_i} = \{K_{1a_i}, K_{2a_i}, \ldots, K_{sa_i}\} = \{G_X^{EC_{1a_i}}, G_X^{EC_{2a_i}}, \ldots, G_X^{EC_{sa_i}}\}$,

where $G_X^{EC_{a_i}}$ is the generating $n \times k$ matrix disguised as a random code of the algebraic geometric block $(n, k, d)$ code with elements from $GF(q)$, i.e.

$\varphi_i : M \to C_{k-h_j}$, $i = 1, 2, \ldots, s$;

$a_i$ is a set of the polynomial curve coefficients, $\forall a_i \in GF(q)$, uniquely defining a specific set of points on the curve from the space $P^2$;

- a set of keys, parameterizing inverse mappings (private key of the authorized user)

$K^* = \{K_1^*, K_2^*, \ldots, K_s^*\} = \{\{X, P, D\}_1, \{X, P, D\}_2, \ldots, \{X, P, D\}_s\}$,

$\{X, P, D\}_i = \{X^i, P^i, D^i\}$,

where $X^i$ is the disguise nondegenerate $k \times k$ matrix with elements from $GF(q)$, formed randomly and equiprobably by a source of keys; $P^i$ is the permutation $n \times n$ matrix with elements from $GF(q)$, formed randomly and equiprobably by a source of keys; $D^i$ is the diagonal $n \times n$ matrix with elements from $GF(q)$, formed by a source of keys, i.e.

$\varphi_i^{-1} : C_{k-h_j} \to M$, $i = 1, 2, \ldots, s$,

the complexity of the inverse mapping without knowing the key $K_i^* \in K^*$ is associated with solving theoretical-complexity problems in random code decoding (general position code).

The initial data in the description of the considered asymmetric crypto-code information protection system are:

- algebraic geometric block $(n, k, d)$ code $C_{k-h_j}$ over $GF(q)$, i.e. a set of codewords $C_i \in C_{k-h_j}$ such that the equality $C_i H^T = 0$ is true, where $H$ is the parity check matrix of the algebraic geometric block code;

- $a_i$ - a set of the curve polynomial coefficients, $\forall a_i \in GF(q)$, uniquely defining a specific set of the curve points from the space $P^2$ to form the generating matrix;

- $h_j$ - information symbols, equal to zero, $|h| = \frac{1}{2}k$, i.e. $I_i = 0$, $\forall I_i \in h$;

- disguising matrix mappings, given by a set of matrices $\{X, P, D\}_i$, where $X$ is the nondegenerate $k \times k$ matrix over $GF(q)$, $P$ is the permutation $n \times n$ matrix over $GF(q)$ with one non-zero element in each row and each column of the matrix, $D$ is the diagonal $n \times n$ matrix over $GF(q)$ with non-zero elements on the main diagonal.

In the McEliece MACCS, the modified (shortened) algebraic geometric $(n, k, d)$ code $C_{k-h_j}$ with fast decoding algorithm is disguised as a random $(n, k, d)$ code $C^*_{k-h_j}$ by multiplying the generating matrix $G^{EC}$ of the code $C_{k-h_j}$ by the secret disguise matrices $X^u$, $P^u$ and $D^u$ [8], providing the formation of the authorized user's public key:

$G_X^{ECu} = X^u \cdot G^{EC} \cdot P^u \cdot D^u$, $u \in \{1, 2, \ldots, s\}$,

where $G^{EC}$ is the generating $n \times k$ matrix of the algebraic geometric block $(n, k, d)$ code with elements from $GF(q)$, built on the basis of the user-selected curve polynomial coefficients $\forall a_i \in GF(q)$, uniquely defining a specific set of points on the curve from the space $P^2$.

The formation of the ciphertext $C_j \in C_{k-h_j}$ on the basis of the entered plaintext $M_i \in M$ and a given public key $G_X^{ECu}$, $u \in \{1, 2, \ldots, s\}$, is carried out by forming a codeword of the disguised code and adding the random vector $e = (e_0, e_1, \ldots, e_{n-1})$:

$C_j = \varphi_u(M_i, G_X^{ECu}) = M_i \cdot (G_X^{ECu})^T + e$,

where the Hamming weight (number of nonzero elements) of the vector does not exceed the correcting ability of the algebraic block code used:

$0 \le w(e) \le t = \left\lfloor \frac{d-1}{2} \right\rfloor$,

$\lfloor x \rfloor$ is the integer part of the real number $x$.

For each formed ciphertext $C_j \in C_{k-h_j}$, the corresponding vector $e = (e_0, e_1, \ldots, e_{n-1})$ acts as a one-time session key, i.e. for a particular E, the vector $e$ is generated randomly, equiprobably and independently of the other ciphertexts.

The communication channel receives

$C_j^* = C_j - C_{k-h_j}$.

On the receiving side, an authorized user who knows the rules of damage, disguise, the number and location of zero information symbols can use a fast algebraic geometric code decoding algorithm (with polynomial complexity) to recover the plaintext [8]:

$E_K^{-1}: \|f(x)_i\| + \|C(x)_i\| \to C_j^*$,

$M_i = \varphi_u^{-1}(C_j^*, \{X, P, D\}_u)$.

To recover the plaintext, an authorized user adds zero information symbols, $C_j = C_j^* + C_{k-h_j}$, to the recovered ciphertext $C_j^*$, removes the effect of the secret permutation and diagonal matrices $P^u$ and $D^u$:

$C = C^* \cdot (D^u)^{-1} \cdot (P^u)^{-1} = (M_i \cdot (G_X^{ECu})^T + e) \cdot (D^u)^{-1} \cdot (P^u)^{-1} =$

$= (M_i \cdot (X^u \cdot G^{EC} \cdot P^u \cdot D^u)^T + e) \cdot (D^u)^{-1} \cdot (P^u)^{-1} =$

$= M_i \cdot (X^u)^T \cdot (G^{EC})^T \cdot (P^u)^T \cdot (D^u)^T \cdot (D^u)^{-1} \cdot (P^u)^{-1} + e \cdot (D^u)^{-1} \cdot (P^u)^{-1} =$

$= M_i \cdot (X^u)^T \cdot (G^{EC})^T + e \cdot (D^u)^{-1} \cdot (P^u)^{-1}$,

decodes the received vector by the Berlekamp-Massey algorithm [15]:

$C = M_i \cdot (X^u)^T \cdot (G^{EC})^T + e \cdot (D^u)^{-1} \cdot (P^u)^{-1}$,

i.e. gets rid of the second term and the multiplier $(G^{EC})^T$ in the first term on the right side of the equation, and then removes the effect of the disguise matrix $X^u$. For this, the result of decoding $M_i \cdot (X^u)^T$ should be multiplied by $(X^u)^{-1}$:

$(M_i \cdot (X^u)^T) \cdot (X^u)^{-1} = M_i$.

The resulting solution is the plaintext $M_i$.

For the practical implementation of the HCCSFC, Fig. 4, 5 present the algorithms for specifying the basic characteristics of algebraic geometric codes on elliptic curves, where: requiredProbability is the given probability of the block distortion; n is the total number of characters in the code (code length); k is the number of information symbols; d is the minimum distance of the Hamming code combinations; g is the genus of the curve; degF is the degree of the generator function; degCurve is the degree of the curve; probability is the probability of distortion of one symbol; ecc is the number of errors corrected by the code.

Flowchart of Fig. 4 (text recovered from the figure): input requiredProbability; initialize degF = 1, p = 1.0; compute a = degF * degCurve, k = n - a + g - 1; check k <= 0; compute d = a - (g << 1) + 2; check d <= 0; increment degF; output degF, k, d.

Fig. 4. Block diagram of the calculation function of the code parameters

Practical algorithms for the formation of the flawed text of one factor of the authenticator and decryption/verification based on the McEliece hybrid crypto-code system on flawed codes are shown in Fig. 6, 7 (formation of the cryptogram), Fig. 8 (decryption of the cryptogram).

[Flowchart of Fig. 5; recoverable statements: input probability; t = 1.0 - probability, res = 0.0; loop over i from 0 while i < ecc; p = exp(log(probability)*i), x = 1.0; inner loop while l < n + 1 with x *= l*t/j; x *= p; res += x; res = 1 - res; output res.]

Fig. 5. Error probability calculation function for the specified code parameters
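The parameter search of Fig. 4 and the block-distortion estimate of Fig. 5, as an added Python example (not the authors' code). It uses the relations a = degF * degCurve, k = n - a + g - 1 and d = a - 2g + 2 from Fig. 4; the binomial-tail reading of Fig. 5, the stopping rule, the function names and the sample values (n = 24, g = 1, degCurve = 3, symbol distortion probability 0.01) are assumptions.

```python
from math import comb


def code_parameters(n, g, deg_curve, deg_f):
    """Return (k, d, t) for a given degree of the generator function.

    Relations as shown in Fig. 4:
        a = degF * degCurve,  k = n - a + g - 1,  d = a - 2g + 2.
    t = floor((d - 1) / 2) is the number of symbol errors the code corrects
    (and the upper bound on the weight of the session error vector e).
    """
    a = deg_f * deg_curve
    k = n - a + g - 1
    d = a - (g << 1) + 2
    t = (d - 1) // 2 if d > 0 else 0
    return k, d, t


def block_error_probability(n, ecc, p):
    """Probability that more than `ecc` of the n symbols are distorted.

    Assumption: symbols are distorted independently with probability p.
    The tail is summed directly instead of computing 1 - head, so that
    very small probabilities are not lost to floating-point cancellation.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return sum(comb(n, i) * p**i * (1.0 - p) ** (n - i)
               for i in range(ecc + 1, n + 1))


def select_parameters(n, g, deg_curve, symbol_error_prob, required_probability):
    """Increase degF until the block distortion probability is low enough.

    Returns (degF, k, d). Raises ValueError when the requirement cannot be
    met before the number of information symbols k drops to zero.
    """
    deg_f = 1
    while True:
        k, d, t = code_parameters(n, g, deg_curve, deg_f)
        if k <= 0:
            raise ValueError("no (n, k, d) code of this length meets the requirement")
        if d > 0:
            p_block = block_error_probability(n, t, symbol_error_prob)
            if p_block <= required_probability:
                return deg_f, k, d
        deg_f += 1


if __name__ == "__main__":
    # Constructed sample: 24 points of an elliptic curve (genus 1, degree 3).
    n, g, deg_curve = 24, 1, 3
    for target in (1e-2, 1e-4, 1e-8):
        deg_f, k, d = select_parameters(n, g, deg_curve, 0.01, target)
        t = (d - 1) // 2
        print(f"target {target:g}: degF={deg_f}, (n,k,d)=({n},{k},{d}), t={t}, "
              f"P_block={block_error_probability(n, t, 0.01):.3e}")
```

A stricter requiredProbability pushes degF up, which raises d and t but lowers k, so the reliability target directly limits how many information symbols one codegram can carry.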

The algorithm for forming the codegram in the McEliece HCCS on flawed codes is given by the following sequence of steps:

Step 1. We fix a finite field GF(q). We fix an elliptic curve

$y^2 z + a_1 xyz + a_3 yz^2 = x^3 + a_2 x^2 z + a_4 x z^2 + a_6 z^3$

and a set of its points $EC(GF(q)): (P_1, P_2, \ldots, P_n)$ over GF(q). We fix a subset of points $h(GF(q)): (P_{x_1}, P_{x_2}, \ldots, P_{x_x})$, $h \subseteq EC(GF(q))$, $|h| = x$, and keep it secret.

Step 2. We form the initialization vector $IV = EC - h_j$, where $h_j$ are the information symbols equal to zero, $|h| = \frac{1}{2}k$, i.e. $I_i = 0$, $\forall I_i \in h$;

Step 3. By entering the information vector I, we form the codeword c. If (n, k, d) code over GF(q) is given by its generating matrix, then c=IxG.

Step 4. We form the random error vector e so that $w(e) \le t$, $t = \lfloor (d-1)/2 \rfloor$. We add the formed vector to the codeword and obtain the codeword c*=c+e.

Step 5. We form the codegram by removing (shortening) the initialization vector symbols:

cx*=c*-IV.

Step 6. We form the flawed text (the remainder) and the flag (damage):

$C_j^{*} = C_j - C_{k-h_j}$, $E_{K_{MV2}}: C_j^{*} \to \|f(x)_i\| + \|C(x)_i\|$.

[Flowchart of Fig. 6, 7; recoverable block labels: Step 1. Setting the code parameters (requiredProbability, n, k, d, g, degF, degCurve). Step 2. Formation of the private and public keys of the asymmetric cryptosystem, input of the information packet; input of the information vector i and of the public key G_X; check w(e) < t; formation of the codeword c_X = G_X × i + e. Step 3. Generating a session key and a codegram: the vector e is formed randomly, equiprobably and independently of other ciphertexts; the MV2 algorithm receives the codeword without the zero elements of the initialization vector (the truncation operation), c_X* = c_X - IV. Step 4. Damage: generating a random order of alphabet characters from 0 to (2^n) - 1; determining the values of the replacement symbols according to the replacement table; formation of the flag f(x) and the remainder C(x) by replacing the symbols M_i, with f(x) = n - |C(x)| if |C(x)| > r; formation of the flawed text CFT and the damage CHD by concatenation of the received flags f(x)_i and remainders C(x)_i. The figure also contains the replacement table with the columns: symbol, length of the remainder, remainder C(x), flag f(x). The communication channel(s) receive the flawed text (remainder) and the damage (flag).]

Fig. 7. Algorithm for the formation of a cryptogram in the McEliece hybrid crypto-code system on flawed codes

[Flowchart of the decryption of the cryptogram in the McEliece HCCS on flawed codes; recoverable block labels: Step 1. The formation of a meaningful code: input r = d, n; receiving CFT, CHD; getting the flags f(x)_i using the values (r) and (n); getting the length of the remainders from the table used for encryption; splitting the flawed text into parts (C(x), the original remainders); getting the characters M_i of the source text; formation of the codegram. Step 2. Setting the code parameters, entering the private key and the codegram: X is the non-degenerate k×k matrix over GF(q), P is the permutation n×n matrix over GF(q), D is the diagonal n×n matrix over GF(q), H^EC is the parity check r×n matrix of the elliptic code over GF(q), a_i is the set of coefficients of the polynomial curve a_1 ... a_6, IV is the initialization vector. Step 3. Decoding the code: adding the nulls of the initialization vector; removing the diagonal and permutation matrices; decoding the vector using the Berlekamp-Massey algorithm; formation of the information vector.]

The algorithm for decoding codegrams in the McEliece HCCSFC is set by the following sequence of steps.

Step 1. Obtaining a meaningful text of the codegram based on the MV2 algorithm:

$E^{-1}_{K_{MV2}}: \|f(x)_i\| + \|C(x)_i\| \to C_j^{*}$.

Step 2. Entering the codegram to be decoded. Entering the private key - the generator and/or parity check matrix of the elliptic code.

Step 3. The codegram is the codeword with errors in the elliptic code. The weight of the error vector is $w(e) \le t$. We decode the codegram, i.e. we find the error vector.

Step 4. We form the required information vector.

Let us consider a formal description of the mathematical model of Niederreiter hybrid MCCS, which is specified by the following elements:

-a set of plaintexts

M = {M1,M2r.Mqi},

where U = {e0,e^ ...ehj,ee-1}, Vee e GF(q) , he v are the error

1

vector symbols equal to zero, |h| = — e, i. e. ei=0, "e'eh; -a set of ciphertexts

S = {S0, S1,...Sq, }, where

S, = {SX0,Sv...Sh,SXr}, VSxr eGF(q);;

- a set of direct mappings (based on the use of the public key, the parity check matrix of the elliptic code (EC)):

$\varphi = \{\varphi_1, \varphi_2, \ldots, \varphi_r\}$,

where $\varphi_i: M \to S_{r-h}$, $i = 1, 2, \ldots, e$;

- a set of inverse mappings (based on the use of the private key, the disguise matrices):

$\varphi^{-1} = \{\varphi_1^{-1}, \varphi_2^{-1}, \ldots, \varphi_r^{-1}\}$,

where $\varphi_i^{-1}: S_{r-h} \to M$, $i = 1, 2, \ldots, e$;

- a set of keys that parameterize the direct mappings (public key of an authorized user):

$K_{U_{a_i}} = \{K_{U_{1a_i}}, K_{U_{2a_i}}, \ldots, K_{U_{ra_i}}\} = \{H_X^{EC_1}, H_X^{EC_2}, \ldots, H_X^{EC_r}\}$,

where $H_X^{EC_i}$ is the parity check $r \times n$ matrix of the algebraic geometric block $(n, k, d)$ code with elements from GF(q), that is,

$\varphi_i: M \xrightarrow{K_{U_i}} S$, $i = 1, 2, \ldots, e$,

$a_i$ is the set of coefficients of the polynomial curve $a_1 \ldots a_6$, $\forall a_i \in GF(q)$, uniquely defining a specific set of points of a curve from the space $P^2$;

- a set of keys that parameterize the inverse mappings (private key of an authorized user):

$K_R = \{K_{R_1}, K_{R_2}, \ldots, K_{R_r}\} = \{\{X, P, D\}_1, \{X, P, D\}_2, \ldots, \{X, P, D\}_r\}$,

$\{X, P, D\}_i = \{X^i, P^i, D^i\}$,

where $X^i$ is the disguise non-degenerate $k \times k$ matrix with elements from GF(q), generated randomly and equiprobably by the source of keys; $P^i$ is the permutation $n \times n$ matrix with elements from GF(q), generated randomly by the source of keys; $D^i$ is the diagonal $n \times n$ matrix with elements from GF(q), formed by the source of keys, i.e.

$\varphi_i^{-1}: S^{*} \to M$, $i = 1, 2, \ldots, s$,

the complexity of performing the inverse mapping $\varphi^{-1}$ without knowledge of the key $K_{R_i} \in K_R$ is associated with the solution of the complexity-theoretic problem of decoding a random code (a code of general position);

- a set of flawed texts CFT,

CFT = {CFT1,CFT2,...,CFTt};

-a set of damages CHD,

CHD = {CHD1,CHD2,...,CHDqk};

- a set of direct damage (based on the use of the key -KiMV2, and algorithm MV2)

E={4,.

,eK

}, i = 1,2,..., s;

$f(x)_i$ is the flag (damage, CHD), $C(x)_i$ is the remainder (flawed text, CFT); $f(x) = n - |C(x)|$ if $|C(x)| > r$, where $r$ is some parameter, $r \in_R Z_m$, $0 < r < n$;

- a set of mappings MV2 $F_n^r$, given by a bijective mapping between the set of permutations $\{S_1, S_2, \ldots, S_{2^n}\}$ and the set $\#F_n^r$, $\#F_n^r = \#\{(c, f)\} = 2^n!$;

- a set of meaningful texts (based on the use of the key $K^{i}_{MV2}$ and the MV2 algorithm).

The initial data for describing the considered asymmetric crypto-code system of information protection are:

- non-binary equilibrium code over GF (q), that is, the set of sequences of length n and weight w(e');

- algebraic geometric block (n, k, d) code C over GF(q), i.e. the set of codewords $C_i \in C$ such that the equality $C_i H^T = 0$ holds, where H is the parity check matrix of the algebraic geometric block code;

- IV is the initialization vector, $IV = |h| = \frac{1}{2} h_e$, the elements of reduction ($h_e$ are the error vector symbols equal to zero, $|h| = \frac{1}{2}e$, i.e. $e_i = 0$, $\forall e_i \in h$);

- disguise matrix mappings given by a set of matrices {X,P,D}j, where X is the non-degenerate k x k matrix over GF(q), P is the permutation n x n matrix over GF(q) with one non-zero element in each row and in each column of the matrix, D is the diagonal n x n matrix over GF(q) with non-zero elements on the main diagonal;

- r - some parameter

r eRZq., Z ={0,1,...2n -1}, n - some parameter

n eRZq,, Z„ ={1,...2n };

- a set of mappings MV2 F,n.

On the basis of equilibrium coding, a ciphertext $C_j \in C$ is formed from the entered plaintext $M_i \in M$ and the given key $H_X^{EC_u}$, $u \in \{1, 2, \ldots, s\}$, by forming the syndrome (in terms of error-correction coding) sequence $S_X$ corresponding to the equilibrium sequence $M_i = e = \{e_0, e_1, \ldots, e_{n-1}\}$:

$S_{X_j} = \varphi_u(M_i, H_X^{EC_u}) = M_i \cdot (H_X^{EC_u})^T$,

where the Hamming weight (the number of non-zero elements) of the vector does not exceed the correcting ability of the algebraic block (n, k, d) code:

$\forall i: 0 \le w(M_i) \le t = \left\lfloor \frac{d-1}{2} \right\rfloor$.

The cardinality of the sets M and C is determined by the admissible spectrum of the weights $w(M_i)$, that is, in the general case (for all admissible values $w(M_i)$) we have:

$m = \sum_{i=0}^{t} (q-1)^i \cdot C_n^i$,

where $C_n^i$ is the binomial coefficient, $C_n^i = \frac{n!}{i! \cdot (n-i)!}$.

It is most appropriate to select the value $w(M_i)$ according to the required data transfer security value. Then for $w(M_i) = const = w(e)$ we have:

$m = (q-1)^{w(e)} \cdot C_n^{w(e)}$,

and the sequences $M_i = \{e_0, e_1, \ldots, e_{n-1}\}$ from the set

$M = \{M_1, M_2, \ldots, M_m\}$

are formed as a result of some mapping $\psi$, realized by redundant coding of non-redundant information sequences by non-binary equilibrium codes.

The formed ciphertext $C_j \in C$ uniquely corresponds to the vector $M_i = \{e_0, e_1, \ldots, e_{n-1}\}$.

Let's form the initialization vector $IV = EC - h_j$, where $h_j$ are the information symbols equal to zero, $|h| = \frac{1}{2}k$, that is, $I_i = 0$, $\forall I_i \in h$.

Formation of the shortened error vector: $e_x = e(A) - IV$. The public key is formed by multiplying the parity check matrix of the algebraic geometric code by the disguise matrices:

$H_X^{EC_u} = X^u \cdot H^{EC} \cdot P^u \cdot D^u$, $u \in \{1, 2, \ldots, s\}$,

where $H^{EC}$ is the parity check $n \times (n-k)$ matrix of the algebraic geometric block $(n, k, d)$ code with elements from GF(q). The MV2 algorithm receives the syndrome sequence

$S^{*}_{r-h_e} = (e_n - h_e) \times (H_X^{EC})^T$,

$E_{K_{MV2}}: S^{*}_{r-h_e} \to \|f(x)_i\| + \|C(x)_i\|$.

The transmission of $\|f(x)_i\|$ and $\|C(x)_i\|$ over the communication channel can be carried out by either one or two independent channels.

On the receiving side, an authorized user who knows the rule of damage $F_n^r$, the disguise (the set of matrices $\{X, P, D\}_u = \{X^u, P^u, D^u\}$) and the initialization vector (the number and places of the zero symbols of the error vector):

$E^{-1}_{K_{MV2}}: \|f(x)_i\| + \|C(x)_i\| \to S^{*}_{r-h_e}$,

forms a code sequence $c'_X$ as one (any) of the possible solutions of the equation

$S^{*}_{r-h_e} = c'_X \cdot (H_X^{EC_u})^T$,

i.e., finds a vector $c'_X$ that is decomposed into the sum

$c'_X = c_X + M_i$,

where $c_X$ is one (any) of the possible codewords of the disguised $(n, k, d)$ code with the parity check matrix $H_X^{EC_u}$, i.e.

$c_X \cdot (H_X^{EC_u})^T = 0$.

Next, the authorized user, using the set of matrices $\{X, P, D\}_u = \{X^u, P^u, D^u\}$, forms the vector

$c^{*} = c'_X \cdot (D^u)^{-1} \cdot (P^u)^{-1}$,

that is, unmasks the code sequence $c'_X$.

After substitution, we obtain the equality:

$c^{*} = c'_X \cdot (D^u)^{-1} \cdot (P^u)^{-1} = (c_X + M_i) \cdot (D^u)^{-1} \cdot (P^u)^{-1} = c_X \cdot (D^u)^{-1} \cdot (P^u)^{-1} + M_i \cdot (D^u)^{-1} \cdot (P^u)^{-1}$.

An authorized user who has generated the vector $c^{*}$ is able to apply a fast (polynomial complexity) algorithm for error-correction decoding and thus form the vector

$c = c_X \cdot (D^u)^{-1} \cdot (P^u)^{-1}$

and the vector

$M_i^u = M_i \cdot (D^u)^{-1} \cdot (P^u)^{-1}$.


To restore the information equilibrium sequence $M_i$, it is enough to multiply the vector $M_i^u$ again by the disguise matrices $D^u$ and $P^u$, but in a different order:

$M_i = M_i^u \cdot P^u \cdot D^u = M_i \cdot (D^u)^{-1} \cdot (P^u)^{-1} \cdot P^u \cdot D^u = M_i$.

Formation of the sought error vector e:

$M = M_i + IV$.

To construct the Niederreiter HCCS, we use the main algorithms of encryption/decryption of the system, considered in [14]. Fig. 9, 10 show a block diagram of the Niederreiter MCCS; its main difference from the known construction methods is the use of the shortening mechanism for the symbols of the error vector obtained in the algorithm of equilibrium coding. The system on flawed codes can reduce the power of the alphabet, which reduces the power of GF(q) used and the computing power capacity of the system as a whole.

An analysis of the practical implementation of encryption/decryption algorithms in the Niederreiter HCCSFC shows that after the error vector is formed on the basis of the initialization vector, its shortening is performed: $h_e$ (error vector symbols equal to zero), $|h| = \frac{1}{2}e$, i.e. $e_i = 0$, $\forall e_i \in h$. The initialization vector is formed by the PRSG in accordance with [21] in the trusted center and transmitted through closed channels to technical information protection systems (TIPS) to the issuer and acquirer banks. For transmission to the GI, the initialization vector is transformed by the MV2 algorithm into binary sequences of flawed text (CFT) and damage (CHD), each of which is transmitted through an independent open channel.

[Flowchart of Fig. 9; recoverable block labels: Step I. Non-binary equilibrium coding (ensuring reliability): input n, w, q, A; formation of the number A and its binary representation; formation of the non-binary equilibrium sequence; partition of the non-binary equilibrium vector into the positional and binomial vectors; calculation of A_p from the positional vector; calculation of A_b from the binomial vector; calculation of A, A = A_b × (q-1)^w + A_p. Step II. Formation of the cryptogram (privacy assurance): input of the initialization vector, calculation of the truncated error vector e* = e - IV; input of the public key H_X^EC = X × H^EC × P × D; cryptogram calculation; transmission of the cryptogram; finding one of the solutions; c = c_X × D^-1 × P^-1; calculating the vector c = i × G + e; calculating the vector e. Here n is the total number of characters in the code (code length); w is the weight of the codeword with elements from the set {0, 1, ..., q-1}; q is the power of the Galois field; A is an equilibrium non-binary sequence, A < M; M, the power of the non-binary equilibrium code, is determined by the number of vectors of length n and weight w.]

Fig. 9. Schematic block diagram of the hybrid Niederreiter crypto-code system on flawed codes

[Flowchart, Step III: Damage (provision of multichannel); recoverable block labels: input r = d, n; generating a random order of alphabet characters from 0 to (2^n) - 1; determining the values of the replacement symbols according to the replacement table; formation of the flag f(x) and the remainder C(x) by replacing the symbols M_i, with f(x) = n - |C(x)| if |C(x)| > r; formation of the flawed text CFT and the damage CHD by concatenation of the flags f(x)_i and remainders C(x)_i. The figure also contains the replacement table with the columns: symbol, length of the remainder, remainder C(x), flag f(x). n is the total number of characters in the code (code length), d is the minimum distance of the Hamming code combinations, f(x) is the flag, C(x) is the remainder. The communication channel(s) receive the flawed text (remainder) and the damage (flag).]

When decrypting the cryptogram (after receiving the error vector, before using the equilibrium coding algorithm), "zero" shortening symbols are introduced to obtain the information. The encryption and decryption algorithms are shown in Fig. 11, 12 (encryption), Fig. 13, 14 (decryption).

The algorithm for the formation of a cryptogram in the Niederreiter MCCS can be represented as the following sequence of steps:

Step 1. Entering information to be encoded. Entering the public key $H_X^{EC}$.

Step 2. Formation of the error vector e, whose weight does not exceed t, the corrective power of the elliptic code, based on the non-binary equilibrium coding algorithm [13, 14].

Step 3. Formation of the shortened error vector: $e_x = e(A) - IV$.

Step 4. Formation of the codegram:

$S^{*}_{r-h_e} = (e_n - h_e) \times (H_X^{EC})^T$.

Step 5. Formation of the flawed text (the remainder) and the flag (damage).

[Flowchart of Fig. 11, 12; recoverable block labels: Step 1. Setting the code parameters (requiredProbability, n, k, d, g, degF, degCurve). Step 2. Formation of the error vector (equilibrium coding), public key: X is the non-degenerate k×k matrix over GF(q), P is the permutation n×n matrix over GF(q), D is the diagonal n×n matrix over GF(q), H^EC is the parity check r×n matrix of the elliptic code over GF(q), a_i is the set of coefficients of the polynomial curve a_1 ... a_6, IV is the initialization vector. Step 3. Formation of the error vector: forming the number A and its binary representation; representation of the number A in the form A = A_b · (q-1)^w + A_p; encoding the number A_p in the positional number system; encoding the number A_b in the binomial system; generating the generalized binomial-positional code of the number A, e(A); formation of the shortened error vector e_x = e(A) - IV. Step 4. Syndrome formation, S = (e_n - h_e) × (H_X^EC)^T. Step 5. Damage: input r = d, n; generating a random order of alphabet characters from 0 to (2^n) - 1; determining the values of the replacement symbols according to the replacement table; formation of the flag f(x) and the remainder C(x) by replacing the symbols M_i, with f(x) = n - |C(x)| if |C(x)| > r; formation of the flawed text CFT and the damage CHD by concatenation of the flags f(x)_i and remainders C(x)_i. The figure also contains the replacement table with the columns: symbol, length of the remainder, remainder C(x), flag f(x). The communication channel(s) receive the flawed text (remainder) and the damage (flag).]

Fig. 12. Algorithm for the formation of a cryptogram in the Niederreiter hybrid crypto-code system on flawed codes

The algorithm for decoding the codegram in the Niederreiter MCCS can be represented as the following sequence of steps:

Step 1. Obtaining a meaningful text of the codegram based on the MV2 algorithm:

$E^{-1}_{K_{MV2}}: \|f(x)_i\| + \|C(x)_i\| \to S^{*}_{r-h_e}$.

Step 2. Entering the code $S_X$ to be decoded. Entering the private key, the matrices X, P, D.

Step 3. Finding one of the possible solutions of the equation:

$S^{*}_{r-h_e} = c_X \times (H_X^{EC})^T$.

Step 4. Removing the action of the diagonal and permutation matrices:

$c = c_X \cdot D^{-1} \cdot P^{-1}$.

Step 5. Decoding the vector c. Forming the vector $e_x'$.

Step 6. Transformation of the vector $e_x'$: $e_x = e_x' \times P \times D$.

Step 7. Formation of the sought error vector e: $e = e_x + IV$.

Step 8. Transformation of the vector e based on the use of non-binary equilibrium code in the information sequence.

[Flowchart of Fig. 13, 14; recoverable block labels: Step 1. The formation of a meaningful codegram: input r = d, n; getting CFT, CHD; getting the flags f(x)_i using the values (r) and (n). The figure also contains the replacement table with the columns: symbol, length of the remainder, remainder C(x), flag f(x). Step 2. Setting the code parameters, entering the private key and the code (X, P, D, H^EC, IV, S): X is the non-degenerate k×k matrix over GF(q), P is the permutation n×n matrix over GF(q), D is the diagonal n×n matrix over GF(q), H^EC is the parity check r×n matrix of the elliptic code over GF(q), a_i is the set of coefficients of the polynomial curve a_1 ... a_6, IV is the initialization vector. Step 3. Calculating the error vector: finding one of the possible solutions of the equation; removing the action of the diagonal and permutation matrices, c* = c_X · D^-1 · P^-1; decoding the vector c, formation of the vector e_x'; transformation of the vector e_x', e_x = e_x' × P × D; formation of the sought error vector e, e = e_x + IV. Step 4. Calculating the information vector: partition of the non-binary equilibrium vector into the positional and binomial vectors; calculation of A_p from the positional vector; calculation of A_b from the binomial vector; calculation of A, A = A_b · (q-1)^w + A_p.]

Fig. 14. Algorithm for decoding the cryptogram in the Niederreiter hybrid crypto-code system on flawed codes
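The non-binary equilibrium coding used to form the error vector e (encryption) and to recover the number A from it (decryption), as an added Python example that is not the authors' code. It uses the split A = A_b · (q-1)^w + A_p, the positional sum A_p = Σ (q-1)^i · (a_i - 1) and the cardinality (q-1)^w · C_n^w given on the page; ranking the non-zero positions with the combinatorial number system, the function names and the sample parameters are assumptions, since the binomial formula is not legible on the page.

```python
from math import comb


def cardinality(n, w, q):
    """Number of length-n vectors over GF(q) with exactly w non-zero symbols."""
    return comb(n, w) * (q - 1) ** w


def encode_equilibrium(A, n, w, q):
    """Map the integer A (0 <= A < cardinality) to a weight-w vector over GF(q).

    A_b selects which w of the n positions are non-zero (binomial part),
    A_p selects the non-zero values a_i in {1..q-1} (positional part).
    Symbols are represented as integers 0..q-1 (labels of GF(q) elements).
    """
    if not 0 <= A < cardinality(n, w, q):
        raise ValueError("A is outside the range of the equilibrium code")
    base = q - 1
    A_b, A_p = divmod(A, base ** w)

    # Binomial part: unrank A_b as a w-subset, A_b = sum_j C(c_j, j).
    positions = []
    rem = A_b
    for j in range(w, 0, -1):
        c = j - 1                      # C(j-1, j) = 0, always admissible
        while comb(c + 1, j) <= rem:   # largest c with C(c, j) <= rem
            c += 1
        positions.append(c)
        rem -= comb(c, j)
    positions.reverse()                # ascending order of positions

    # Positional part: digits of A_p in base (q-1), shifted to 1..q-1.
    e = [0] * n
    for pos in positions:
        A_p, digit = divmod(A_p, base)
        e[pos] = digit + 1
    return e


def decode_equilibrium(e, w, q):
    """Inverse mapping: recover A from a weight-w vector e over GF(q)."""
    if any(not 0 <= s < q for s in e):
        raise ValueError("symbol outside GF(q)")
    positions = [i for i, s in enumerate(e) if s != 0]
    if len(positions) != w:
        raise ValueError("vector does not have weight w")
    base = q - 1
    A_p = sum((e[pos] - 1) * base ** i for i, pos in enumerate(positions))
    A_b = sum(comb(pos, j) for j, pos in enumerate(positions, start=1))
    return A_b * base ** w + A_p


if __name__ == "__main__":
    # Constructed sample: n = 24, weight w = 4, symbols from GF(2^4).
    n, w, q = 24, 4, 16
    M = cardinality(n, w, q)
    A = 123456789                      # constructed value, A < M
    e = encode_equilibrium(A, n, w, q)
    print("M =", M, "capacity bits =", M.bit_length() - 1)
    print("e =", e, "weight =", sum(1 for s in e if s))
    print("decoded =", decode_equilibrium(e, w, q))
```

Every vector produced has exactly w non-zero symbols, so choosing w no larger than the correcting ability t of the code keeps the error vector decodable by the authorized user.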

Thus, a new approach to using the method of two-factor authentication based on OTP passwords is proposed, which allows its further application.

7. Discussion of the results of using the multi-factor authentication method

The proposed advanced method of strict two-factor authentication with OTP passwords based on McEliece and Niederreiter crypto-code systems allows eliminating the main disadvantage of the protocol 2FA - the transfer of individual authentication tokens via open mobile communication channels. For this purpose, crypto-code systems on flawed codes providing the required safety indices on the basis of encryption using the Niederreiter/McEliece asymmetric crypto-code system, the rate of crypto-transformations at the level of block cryptographic algorithms and the provision of data transmission with direct error correction have been proposed. This approach can be implemented in modern mobile and desktop applications using the protocols of GI and/or mobile networks.

A schematic block diagram of practical implementation of the proposed HCCS on flawed codes is shown in Fig. 15.

Assessment of the cryptographic strength of the proposed HCCS on flawed codes

To assess the cryptographic strength, we use the entropy method proposed in [1].

The proposed hybrid cryptosystem is comparable in stability with the second method of damage, damage to the ciphertext, considered in [23, 24]. In this case, we have a set of flawed ciphertexts and damages, none of which individually corresponds to the original meaningful text. With a complete set of flawed ciphertexts and all damages, the unicity distance increases due to the additional keys of damage to the ciphertext. Thus, additional encryption provides an increased unicity distance:

H (HEC ) + H ( Xf ) + H (PN ) + H ( dN )-+H (gec ) + H ( XMC ) + H (PMc ) + H (DMt

m m

+!H ((K'MV ) + H (K )) + £ H ((Km

Uo =-

H (K )

B log 11

(1)

where U0 is the unicity distance, HEC, Xff, Pn, Df is the private key in the Niederreiter MCCS, GEC, XMC, PMc, DMc is the private key in the McEliece MCCS, KMV2n is the key in the Niederreiter HCCS on flawed codes, K'MV 2 is the key in the McEliece HCCS on flawed codes, |/| is the number of meaningful texts, B is the number of texts, m is the number of damages.

=0 l=0

+

[Diagram of Fig. 15; recoverable block labels: original text (OTP password); encryption and decryption in the Niederreiter MCCS (K_U = H_X^EC is the public key, K_R = {H^EC, X, P, D} is the private key); encryption and decryption in the McEliece MCCS (K_U = G_X^EC is the public key, K_R = {G^EC, X, P, D} is the private key); damage by MV2 with the key K_MV2; flawed ciphertext and ciphertext damage transmitted over the communication channels; comprehension of damage by MV2 with the key K_MV2; comparison of OTP passwords.]

Fig. 15. Schematic block diagram of practical implementation of HCCSFC

Expression (1) makes it possible to evaluate the stability of the proposed McEliece and Niederreiter hybrid crypto-code systems on flawed codes.

8. Conclusions

1. The analysis of multi-factor authentication methods showed that in automated banking systems, 95 % of bank customers use electronic banking based on multi-factor OTP authentication. However, the use of OTP passwords in open data transmission systems in recent months has not met the security requirements. For further use, the NIST experts recommend using additional authentication factors with the mandatory transfer of OTP passwords in encrypted form and/or through closed communication channels, which significantly increases the cost and time of transmission. To solve the problem, a method of improving 2FA based on the use of hybrid crypto-code systems on flawed codes is proposed. These complex cryptosystems provide all the requirements for 2FA and allow expanding the range of use in IEN (CBS).

2. Mathematical models and practical algorithms for encryption/decryption of cryptograms/codegrams in hybrid crypto-code systems based on modified Niederreiter and McEliece crypto-code systems on flawed codes are proposed. They differ in the shortening of the error vector (initialization vector) symbols, and provide the required cryptographic strength when transmitting data over open mobile communication channels.

3. The developed multi-factor authentication scheme based on the Niederreiter-McEliece HCCSFC allows eliminating a significant drawback of 2FA on the basis of SMS, namely providing confidentiality in the transmission of the OTP password via mobile communication channels. The conducted research confirms that the application of the proposed procedures ensures the high speed of crypto-transformations comparable with the BSE, the provable cryptographic strength based on the complexity-theoretic problem of decoding a random code ($10^{30}$-$10^{35}$ group operations are provided), and reliability based on the use of a shortened algebraic geometric code ($P_{er}$ of $10^{-9}$-$10^{-12}$ is provided). To further reduce the power of the alphabet, the Galois field, to GF($2^4$-$2^6$), it is proposed to use systems on flawed codes that allow simultaneously forming multi-channel cryptosystems.

References

1. Yevseiev, S. Construction of hybrid security systems based on the crypto-code structures and flawed codes [Text] / S. Yevseiev, O. Korol, H. Kots // Eastern-European Journal of Enterprise Technologies. - 2017. - Vol. 4, Issue 9 (88). - P. 4-21. doi: 10.15587/1729-4061.2017.108461

2. Litvinov, V. A. Informacionnaya bezopasnost' vysshego uchebnogo zavedeniya v ramkah sovremennoy globalizacii [Electronic resource] / V. A. Litvinov, E. V. Lypko, A. A. Yakovleva // Available at: http://conference.osu.ru/assets/files/conf_reports/conf13/132.doc

3. Rose, S. Domain name systems-based electronic mail security [Text] / S. Rose, W. C. Barker, S. Jha, C. Irrechukwu, K. Waltermire. - U. S. Department of Commerce Penny Pritzker, Secretary, 2016. - 240 p. - Available at: https://nccoe.nist.gov/sites/default/files/library/sp1800/dns-secure-email-sp1800-6-draft.pdf

4. Dang, Q. Recommendation for Applications Using Approved Hash Algorithms [Text] / Q. Dang. - U. S. Department of Commerce, 2012. - 25 p. - Available at: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf

5. Shnayder, B. Prikladnaya kriptografiya. Protokoly, algoritmy, iskhodnye teksty na yazyke Si [Text] / B. Shnayder. - Moscow: Triumf, 2012. - 815 p.

6. Grassi, P. A. Digital identity guidelines: authentication and lifecycle management [Text] / P. A. Grassi, J. L. Fenton, E. M. Newton, R. A. Perlner, A. R. Regenscheid, W. E. Burr et. al. - NIST, 2017. doi: 10.6028/nist.sp.800-63b

7. Barrett, M. The Cybersecurity Framework [Text] / M. Barrett, J. Marron, V. Y. Pillitteri, J. Boyens, G. Witte, L. Feldman. -NIST, 2017. - 41 p. - Available at: http://csrc.nist.gov/publications/drafts/nistir-8170/nistir8170-draft.pdf

8. Cichonski, J. Guide to LTE Security [Text] / J. Cichonski, J. M. Franklin, M. Bartock. - NIST, 2016. - 48 p. - Available at: http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf

9. Shapiro, L. Autentifikaciya na osnove odnorazovyh paroley. Teoreticheskie osnovy. Chast' 1 [Text] / L. Shapiro // Sistemnyy administrator. - 2012. - Issue 9. - P. 88-91.

10. Shapiro, L. Autentifikaciya i odnorazovye paroli. Chast' 2. Vnedrenie OTP dlya autentifikacii v AD [Text] / L. Shapiro // Sistemnyy administrator. - 2012. - Issue 10.

11. Kelsey, J. SHA-3 derived functions: cSHAKE, KMAC, TupleHash and ParallelHash [Text] / J. Kelsey, S. Change, R. Perlner. -NIST, 2016. doi: 10.6028/nist.sp.800-185

12. Yevseiev, S. P. Monitoring algorithm of two-factor authentication method based on passwindow system [Text] / S. P. Yevseiev, V. G. Abdullaev // Eastern-European Journal of Enterprise Technologies. - 2015. - Vol. 2, Issue 2 (74). - P. 9-16. doi: 10.15587/1729-4061.2015.38779

13. Yevseiev, S. P. Usovershenstvovanie metoda dvuhfaktornoy autentifikacii na osnove ispol'zovaniya modificirovannyh kripto-kodovyh skhem [Text] / S. P. Yevseiev, V. G. Abdullaev, Zh. F. Agazade, V. S. Abbasova // Systemy obrobky informatsyi. - 2016. - Issue 9 (146). - P. 132-144.

14. Yevseiev, S. Developing of multi-factor authentication method based on niederreiter-mceliece modified crypto-code system [Text] / S. Yevseiev, K. Hryhoryi, Y. Liekariev // Eastern-European Journal of Enterprise Technologies. - 2016. - Vol. 6, Issue 4 (84). - P. 11-23. doi: 10.15587/1729-4061.2016.86175

15. Meyer, D. Time is running out for this popular online security technique [Electronic resource] / D. Meyer // FORTUNE. -2016. - Available at: http://fortune.com/2016/07/26/nist-sms-two-factor/

16. Hackett, R. You're implementing this basic security feature all wrong [Electronic resource] / R. Hackett // FORTUNE. - 2016. -Available at: http://fortune.com/2016/06/27/two-factor-authentication-sms-text/

17. Bartock, M. Guide for cybersecurity event recovery [Text] / M. Bartock, J. Cichonski, M. Souppaya, M. Smith, G. Witte, K. Scarfone. - NIST, 2016. doi: 10.6028/nist.sp.800-184

18. Security requirements for cryptographic modules [Text] // Change Notices. - 2001. doi: 10.6028/nist.fips.140-2

19. Annex A: Approved Security Functions for FIPS PUB 140-2 [Text]. - U. S. Department of Commerce, 2017. - Available at: http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf

20. Annex B: Approved Protection Profiles for FIPS PUB 140-2 [Text]. - U. S. Department of Commerce, 2016. - Available at: http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexb.pdf

21. Annex C: Approved Random Number Generators for FIPS PUB 140-2 [Text]. - U. S. Department of Commerce, 2016. - Available at: http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf

22. Yevseiev, S. Development of mceliece modified asymmetric crypto-code system on elliptic truncated codes [Text] / S. Yevseiev, K. Rzayev, O. Korol, Z. Imanova // Eastern-European Journal of Enterprise Technologies. - 2016. - Vol. 4, Issue 9 (82). - P. 18-26. doi: 10.15587/1729-4061.2016.75250

23. Mishchenko, V. A. Ushcherbnye teksty i mnogokanal'naya kriptografiya [Text] / V. A. Mishchenko, Yu. V. Vilanskiy. - Minsk: Enciklopediks, 2007. - 292 p.

24. Mishchenko, V. A. Kriptograficheskiy algoritm MV 2 [Text] / V. A. Mishchenko, Yu. V. Vilanskiy, V. V. Lepin. - Minsk, 2006. -177 p.

25. Shennon, K. E. Teoriya svyazi v sekretnyh sistemah [Text] / K. E. Shennon // Raboty po teorii informacii i kibernetike. -Moscow: Il, 1963. - P. 333-402.
