Prepared By, Hardik K. Molia 130030702007 M.E. III C.E. A.I.T.S. Rajkot
Content 1 Introduction to Authentication 2 Google Authenticator - TOTP 3 How TOTP Works? 4 Introduction to OAuth 5 OAuth Protocol Flow 6 References
1. Introduction to Authentication Authentication: Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. The process of identifying an individual, usually based on proof. PAN Card, Driving License, Signature, Mark sheets and many more.
Trust Factor: Banks dont trust customers so they ask for PAN card, Driving License, Residential proof etc.
1. Introduction to Authentication Authentication: Knowledge Factor - What a user knows Password, Security question answer
Ownership Factor - What a user owns
Debit card, Hardware tokens
Inherence Factor - What a user is
Finger print, Face recognition
Two Factor Authentication:
Combination of two of the above factors.
ATM Authentication = Debit Card + PIN
Debit Card is Ownership Factor
PIN is Knowledge Factor
2. Google Authenticator - TOTP
Extending the concept of OTP. Soft Token based mobile app. No additional hardware. No Internet requirement. No SMS / Call. 6 Digits code valid for 30 Username + Password = Knowledge Factor seconds. Mobile + PreShared key = Ownership Factor HMAC Based OTP - HOTP :- Moving factor is event counter Time Based OTP - TOTP :- Moving factor is system date time
3. How TOTP Works?
User Point of View:
User Creates an account with username and password. User gets a PreShared Key (PSK) directly as well as in QR barcode. User enters key or scan QR barcode from Google Authenticator. A 6-Digit code gets generated every 30 seconds.
3. How TOTP Works?
Technical Point of View: Date-Time in mobile phone & Date-Time in web server must be sync at some extent. Server performs the same calculation for validation.
TOTP = [ HMAC-SHA-1 (PSK, CDT) ] Mod
1000000 SHA1 produces 128 bits Hash code. PSK - Data - Pre Shared Key at the time of account setup. CDT - Counter - Current Date & Time Mod to generate 6 digits code
3. How TOTP Works?
PSK:80-Bits key based on Base 32 encoding.
16 Characters each of 5 Bits. (A-Z)(26) & (2-7)(6) so Total 32 Characters in set. Similar looking symbols are not used. 0,1,8 with O,I,B Code ->
Symbol->
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
3. How TOTP Works?
CDT: Round down the current time to previous seconds component. if the current time is 08:00:07, it takes the time as 08:00:00. If the current time is 08:00:31, it takes the time as 08:00:30. Represent Current Date and Time as Unix timestamp. (Number of elapsed seconds since 1st January 1970) / 30. Overflow will be on 19th January 2038. Advantages: Free, Instant, No need of Internet or Cellular Network,
3. How TOTP Works?
using System; using System.Text; using System.Security.Cryptography;
3. How TOTP Works?
public class demo { public static string GeneratePassword(string psk) { DateTime start = new DateTime(1970, 1, 1, 0, 0, 0); long dtvalue = (long)(DateTime.Now - start).TotalSeconds / 30;
3. How TOTP Works?
public class demo { public static string GeneratePassword(string psk) { DateTime start = new DateTime(1970, 1, 1, 0, 0, 0); long dtvalue = (long)(DateTime.Now - start).TotalSeconds / 30; byte[] cdt = BitConverter.GetBytes(dtvalue); byte[] key = Encoding.ASCII.GetBytes(psk);
3. How TOTP Works?
public class demo { public static string GeneratePassword(string psk) { DateTime start = new DateTime(1970, 1, 1, 0, 0, 0); long dtvalue = (long)(DateTime.Now - start).TotalSeconds / 30; byte[] cdt = BitConverter.GetBytes(dtvalue); byte[] key = Encoding.ASCII.GetBytes(psk); HMACSHA1 hmac = new HMACSHA1(key); byte[] hash = hmac.ComputeHash(cdt);
3. How TOTP Works?
public class demo { public static string GeneratePassword(string psk) { DateTime start = new DateTime(1970, 1, 1, 0, 0, 0); long dtvalue = (long)(DateTime.Now - start).TotalSeconds / 30; byte[] cdt = BitConverter.GetBytes(dtvalue); byte[] key = Encoding.ASCII.GetBytes(psk); HMACSHA1 hmac = new HMACSHA1(key); byte[] hash = hmac.ComputeHash(cdt); ulong password = BitConverter.ToUInt64(hash,0) % 1000000; return password.ToString(new string('0', 6)); }
3. How TOTP Works?
public static void Main(String[] args) { Console.WriteLine(DateTime.Now); Console.WriteLine(GeneratePassword("elvisakfdaacayar")); }
4. Introduction to OAuth What is OAuth: Authenticate yourself without providing credential info.
4. Introduction to OAuth Without OAuth:
4. Introduction to OAuth Without OAuth: Apps store the user's password. Apps get access to account.
complete a user's
User cant revoke access to an app except by changing password.
4. Introduction to OAuth With OAuth:
4. Introduction to OAuth With OAuth:
4. Introduction to OAuth OAuth Components: Authorizati on Server
BOB Client
Owns
Print-Fast
Wants to integrate with
Google Services e.g Picasa Owns
Resourc e Owner
David
Picasa
Resourc e Server
5. OAuth Protocol Flow
Authorization Request Authorization Grant
Client
Authorization Grant Access Token
Access Token Protected Resource
Resource Owner
Authorizati on Server
Resource Server
5. OAuth Protocol Flow
Authorization Request
Authorization Grant
URL used is http://picasa.com/?client_id=print-fast &scope=profile,email,photos &redirect_uri=http://print-fast.com
6. References Pro ASP.NET Web API Security Securing ASP.NET Web API ByBadrinarayanan Lakshmiraghavan - APRESS http://oauth.net http://oauth.net/core/1.0 http://groups.google.com/group/oauth http://wiki.oauth.net
