
A Seminar on
Advanced Web Authentication


Prepared By,
Hardik K. Molia
130030702007
M.E. III C.E.
A.I.T.S. Rajkot

Content
1 Introduction to Authentication
2 Google Authenticator - TOTP
3 How TOTP Works?
4 Introduction to OAuth
5 OAuth Protocol Flow
6 References

1. Introduction to Authentication
Authentication:
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
It is the process of identifying an individual, usually based on proof:
PAN Card, Driving License, Signature, Mark sheets and many more.

Trust Factor:
Banks don't trust customers, so they ask for a PAN card, Driving License, Residential proof etc.

1. Introduction to Authentication
Authentication Factors:
Knowledge Factor - What a user knows
    Password, Security question answer
Ownership Factor - What a user owns
    Debit card, Hardware tokens
Inherence Factor - What a user is
    Finger print, Face recognition

Two Factor Authentication:
Combination of two of the above factors.
ATM Authentication = Debit Card + PIN
    Debit Card is Ownership Factor
    PIN is Knowledge Factor

2. Google Authenticator - TOTP

Extends the concept of OTP.
Soft-token based mobile app.
No additional hardware.
No Internet requirement.
No SMS / Call.
6-digit code valid for 30 seconds.
Username + Password = Knowledge Factor
Mobile + PreShared Key = Ownership Factor
HMAC-Based OTP - HOTP: moving factor is an event counter.
Time-Based OTP - TOTP: moving factor is the system date and time.

3. How TOTP Works?

User Point of View:

User creates an account with a username and password.
User gets a PreShared Key (PSK), both directly and as a QR barcode.
User enters the key or scans the QR barcode in Google Authenticator.
A 6-digit code gets generated every 30 seconds.

3. How TOTP Works?

Technical Point of View:
The date-time on the mobile phone and the date-time on the web server must be in sync to some extent.
The server performs the same calculation for validation.

TOTP = [ HMAC-SHA-1 (PSK, CDT) ] Mod 1000000

SHA-1 produces a 128-bit hash code.
PSK - Data - Pre-Shared Key issued at the time of account setup.
CDT - Counter - Current Date & Time.
Mod 1000000 reduces the result to a 6-digit code.

3. How TOTP Works?

PSK: 80-bit key, Base32 encoded.
16 characters of 5 bits each (16 x 5 = 80 bits).
Alphabet: A-Z (26 symbols) and 2-7 (6 symbols), so 32 symbols in total.
Similar-looking symbols are not used: 0, 1 and 8 would be confused with O, I and B.

Code -> Symbol
 0 - 25 -> A - Z  (A=0, B=1, ..., Z=25)
26 - 31 -> 2 - 7  (2=26, 3=27, 4=28, 5=29, 6=30, 7=31)

3. How TOTP Works?

CDT: Round the current time down to the previous 30-second boundary.
If the current time is 08:00:07, it takes the time as 08:00:00.
If the current time is 08:00:31, it takes the time as 08:00:30.
Represent the current date and time as a Unix timestamp:
(number of elapsed seconds since 1st January 1970) / 30.
Overflow will be on 19th January 2038.
Advantages: Free, Instant, No need of Internet or Cellular Network.

3. How TOTP Works?

Demo code (C#):

using System;
using System.Text;
using System.Security.Cryptography;

public class demo
{
    public static string GeneratePassword(string psk)
    {
        // CDT: Unix timestamp (seconds since 1 January 1970, UTC) divided by the 30-second step.
        // UtcNow rather than Now: the Unix epoch is defined in UTC, and local time would make
        // the counter (and therefore the code) depend on the device's time zone.
        DateTime start = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        long dtvalue = (long)(DateTime.UtcNow - start).TotalSeconds / 30;
        byte[] cdt = BitConverter.GetBytes(dtvalue);   // 8-byte counter, little-endian on x86
        byte[] key = Encoding.ASCII.GetBytes(psk);     // PSK used as raw ASCII bytes here
        HMACSHA1 hmac = new HMACSHA1(key);
        byte[] hash = hmac.ComputeHash(cdt);           // 20-byte HMAC-SHA-1 output
        // Simplified formula from the previous slide: first 8 bytes of the hash mod 1,000,000,
        // zero-padded to 6 digits. Note that RFC 6238 (and Google Authenticator) instead
        // Base32-decode the key, use a big-endian counter and apply dynamic truncation,
        // so the codes produced here will not match the app's codes.
        ulong password = BitConverter.ToUInt64(hash, 0) % 1000000;
        return password.ToString(new string('0', 6));
    }

    public static void Main(String[] args)
    {
        Console.WriteLine(DateTime.UtcNow);
        Console.WriteLine(GeneratePassword("elvisakfdaacayar"));
    }
}
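
An added Python example (not from the slides) that carries the PSK, CDT and demo-code slides above through the RFC 6238 algorithm as Google Authenticator actually computes it: the Base32 key is decoded to 10 bytes, the counter is the Unix time floored to the 30-second window packed big-endian, and the 20-byte HMAC-SHA-1 output is dynamically truncated. The server-side verify() shows the check the validation slide describes, with a skew window, replay protection and constant-time comparison; the RFC_KEY value and the window/lifetime choices are assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct

def decode_psk(psk_base32: str) -> bytes:
    """Decode the Base32 shared secret (the key typed in or scanned from the QR code).
    Upper-cased and padded so a 16-character key like the one on the slides decodes."""
    key = psk_base32.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()  # 20 bytes (160 bits)
    offset = digest[-1] & 0x0F                      # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros, e.g. "005924"

def totp(psk_base32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: CDT is the Unix time floored to the 30-second window (08:00:31 -> 08:00:30)."""
    return hotp(decode_psk(psk_base32), unix_time // step, digits)

def verify(psk_base32: str, submitted: str, now: int, last_used: int = -1,
           window: int = 1, step: int = 30):
    """Server-side validation. Accepts the current window and +/- `window` neighbours to
    tolerate clock skew between phone and server, refuses any counter already consumed
    (replay protection) and compares in constant time. Returns the accepted counter,
    which the caller stores as the user's new last_used, or None on failure."""
    secret = decode_psk(psk_base32)
    base = now // step
    for k in range(-window, window + 1):
        counter = base + k
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter).encode(), submitted.encode()):
            return counter
    return None

# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_KEY, 59))              # 287082 (RFC 6238 test vector, 6 digits)
    print(verify(RFC_KEY, "287082", 88))  # 1: time 88 is window 2, window 1 accepted via skew
```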

4. Introduction to OAuth
What is OAuth:
Give an application access to your account without providing it your credentials.

4. Introduction to OAuth
Without OAuth:
Apps store the user's password.
Apps get complete access to a user's account.
User can't revoke access to an app except by changing the password.

4. Introduction to OAuth
With OAuth:

4. Introduction to OAuth
OAuth Components:
Client - Print-Fast, owned by Bob; wants to integrate with Google services, e.g. Picasa.
Resource Owner - David, who owns the resources stored in Picasa.
Resource Server - Picasa.
Authorization Server - issues the authorization for the client to access the resources.

5. OAuth Protocol Flow

1. Client -> Resource Owner: Authorization Request
2. Resource Owner -> Client: Authorization Grant
3. Client -> Authorization Server: Authorization Grant
4. Authorization Server -> Client: Access Token
5. Client -> Resource Server: Access Token
6. Resource Server -> Client: Protected Resource

5. OAuth Protocol Flow

Authorization Request / Authorization Grant:
URL used is
http://picasa.com/?client_id=print-fast&scope=profile,email,photos&redirect_uri=http://print-fast.com

5. OAuth Protocol Flow

Print-Fast (Client) sends the Authorization Request to the Authorization Server through David (Resource Owner):
Client_Id=print-fast
Redirect_url = http://printfast.com
Scope=profile,email,photos
The Authorization Server returns an authorization code to the Client:
code = ase34

5. OAuth Protocol Flow

Print-Fast (Client) presents the code to the Authorization Server:
Client_Id=print-fast
code = ase34
The Authorization Server returns an access token:
Access_token = x3e4

5. OAuth Protocol Flow

Print-Fast (Client) presents the access token to the Resource Server:
Access_token = x3e4
The Resource Server (Picasa) returns David's Resources.

5. OAuth Protocol Flow

Summary of the exchange:
1. Client -> Authorization Server (via Resource Owner David): Client_Id=print-fast, Redirect_url = http://printfast.com, Scope=profile,email,photos
2. Authorization Server -> Client: code = ase34
3. Client -> Authorization Server: Client_Id=print-fast, code = ase34
4. Authorization Server -> Client: Access_token = x3e4
5. Client -> Resource Server: Access_token = x3e4
6. Resource Server -> Client: Resources

6. References
Pro ASP.NET Web API Security: Securing ASP.NET Web API, by Badrinarayanan Lakshmiraghavan - Apress
http://oauth.net
http://oauth.net/core/1.0
http://groups.google.com/group/oauth
http://wiki.oauth.net

Thank You