A Seminar on Advance Web Authentication Prepared By, Hardik K. Molia 130030702007 M.E. – III C.E. A.I.T.S. Rajkot

Advance Authentication Techniques

Jan 24, 2016

Transcript
Page 1: Advance Authentication Techniques

A Seminar on Advance Web Authentication

Prepared By,

Hardik K. Molia
130030702007
M.E. – III C.E.
A.I.T.S. Rajkot

Page 2: Advance Authentication Techniques

1 – Introduction to Authentication

2 – Google Authenticator - TOTP

3 – How TOTP Works?

4 – Introduction to OAuth

5 – OAuth Protocol Flow

6 – References

Content

Page 3: Advance Authentication Techniques

Authentication:–
• Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
• The process of identifying an individual, usually based on proof.
• PAN Card, Driving License, Signature, Mark sheets and many more.

Trust Factor:–
• Banks don't trust customers, so they ask for PAN card, Driving License, Residential proof etc.
• Customers don't trust banks, so they give photocopies.

1. Introduction to Authentication

Page 4: Advance Authentication Techniques

Authentication:–
• Knowledge Factor - What a user knows
  • Password, Security question answer
• Ownership Factor - What a user owns
  • Debit card, Hardware tokens
• Inherence Factor - What a user is
  • Fingerprint, Face recognition

Two Factor Authentication:–
• Combination of two of the above factors.
• ATM Authentication = Debit Card + PIN
  • Debit Card is Ownership Factor
  • PIN is Knowledge Factor

1. Introduction to Authentication

Page 5: Advance Authentication Techniques

• Extending the concept of OTP.
• Soft Token based mobile app.
• No additional hardware.
• No Internet requirement.
• No SMS / Call.
• 6 Digits code valid for 30 seconds.

Username + Password = Knowledge Factor
Mobile + PreShared key = Ownership Factor

HMAC Based OTP - HOTP :- Moving factor is event counter
Time Based OTP - TOTP :- Moving factor is system date time

2. Google Authenticator - TOTP

Page 6: Advance Authentication Techniques

• User Point of View:-
  • User creates an account with username and password.
  • User gets a PreShared Key (PSK) directly as well as in a QR barcode.
  • User enters the key or scans the QR barcode in Google Authenticator.
  • A 6-Digit code gets generated every 30 seconds.

3. How TOTP Works?

Page 7: Advance Authentication Techniques

• Technical Point of View:-
  • Date-Time on the mobile phone and Date-Time on the web server must be in sync to some extent.
  • Server performs the same calculation for validation.

TOTP = [ HMAC-SHA-1 (PSK, CDT) ] Mod 1000000

• SHA1 produces 128 bits Hash code.
• PSK - Data - Pre Shared Key at the time of account setup.
• CDT - Counter - Current Date & Time
• Mod to generate 6 digits code
• Left Pad the code with 0s whenever needed

3. How TOTP Works?

Page 8: Advance Authentication Techniques

• PSK:-
  • 80-Bits key based on Base 32 encoding.
  • 16 Characters, each of 5 Bits.
  • (A-Z)(26) & (2-7)(6), so Total 32 Characters in set.
  • Similar looking symbols are not used: 0, 1, 8 (confusable with O, I, B).

3. How TOTP Works?

Base 32 alphabet (Code -> Symbol):

 0 -  7 -> A B C D E F G H
 8 - 15 -> I J K L M N O P
16 - 23 -> Q R S T U V W X
24 - 31 -> Y Z 2 3 4 5 6 7

Page 9: Advance Authentication Techniques

• CDT:-
  • Round down the current time to the previous 30-second boundary: if the current time is 08:00:07, it takes the time as 08:00:00; if the current time is 08:00:31, it takes the time as 08:00:30.
  • Represent Current Date and Time as Unix timestamp.
  • (Number of elapsed seconds since 1st January 1970) / 30.
  • Overflow will be on 19th January 2038.

• Advantages:-
  • Free, Instant, No need of Internet or Cellular Network, No SMS/Call
• Limitation:-
  • Everyone may not have a compatible device.

3. How TOTP Works?

Page 10: Advance Authentication Techniques

Pages 10 to 15 build up the following C# demo line by line; the complete listing is:

```csharp
using System;
using System.Text;
using System.Security.Cryptography;

public class demo
{
    public static string GeneratePassword(string psk)
    {
        // CDT: seconds elapsed since 1 January 1970 (Unix timestamp), rounded down to a 30-second step.
        // UtcNow is used so the counter is the Unix timestamp in every time zone (the original used DateTime.Now).
        DateTime start = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        long dtvalue = (long)(DateTime.UtcNow - start).TotalSeconds / 30;

        // Simplified formula from the slides: TOTP = HMAC-SHA-1(PSK, CDT) Mod 1000000.
        // Note that RFC 6238 / Google Authenticator use a big-endian 8-byte counter, a Base32-decoded
        // key and dynamic truncation; BitConverter is little-endian on most platforms and the key
        // here is the raw ASCII text of the PSK, so this demo does not interoperate with the app.
        byte[] cdt = BitConverter.GetBytes(dtvalue);
        byte[] key = Encoding.ASCII.GetBytes(psk);

        HMACSHA1 hmac = new HMACSHA1(key);
        byte[] hash = hmac.ComputeHash(cdt);

        // Mod 1000000 gives 6 digits; the "000000" format string left-pads with 0s.
        ulong password = BitConverter.ToUInt64(hash, 0) % 1000000;
        return password.ToString(new string('0', 6));
    }

    public static void Main(String[] args)
    {
        Console.WriteLine(DateTime.Now);
        Console.WriteLine(GeneratePassword("elvisakfdaacayar"));
    }
}
```

3. How TOTP Works?
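The calculation of pages 7 to 9 as Google Authenticator actually performs it (RFC 6238 over RFC 4226), as an added Python example that is not the seminar's C# code: the Base32 PSK is decoded to key bytes, CDT = floor(unix time / 30) is packed as an 8-byte big-endian counter, HMAC-SHA-1 yields a 20-byte digest that is dynamically truncated, reduced mod 10^6 and left-padded with 0s; verify_totp is the server-side check with a small drift window and a constant-time compare. EXAMPLE_SECRET_B32 is a constructed secret that decodes to the RFC 6238 test key, so the output can be checked against the RFC's published vectors; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed Base32 secret for this example (assumption): it decodes to the
# ASCII key "12345678901234567890" used by the RFC 4226 / RFC 6238 test vectors.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                    # big-endian 8-byte counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()     # 20-byte (160-bit) digest
    offset = mac[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)       # Mod 10^6, left-pad with 0s

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter (the slides' CDT) is floor(unix_time / step)."""
    key = base64.b32decode(secret_b32.upper())          # Base32 PSK -> raw key bytes
    return hotp(key, unix_time // step, digits)

def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side: recompute for the current step and +/- `window` steps to
    absorb small clock drift between phone and server; compare in constant time."""
    for i in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + i * 30), submitted):
            return True
    return False

if __name__ == "__main__":
    print(totp(EXAMPLE_SECRET_B32, int(time.time())))   # the current 6-digit code
```

The slides' 16-character key "elvisakfdaacayar" is valid Base32 (80 bits, 10 key bytes) and can be passed to totp() directly.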

Page 16: Advance Authentication Techniques

What is OAuth:–

Authenticate yourself without providing credential info.

4. Introduction to OAuth

Page 17: Advance Authentication Techniques

Without OAuth:–

4. Introduction to OAuth

Page 18: Advance Authentication Techniques

Without OAuth:–

• Apps store the user's password.
• Apps get complete access to a user's account.
• User can't revoke access to an app except by changing the password.

4. Introduction to OAuth

Page 19: Advance Authentication Techniques

With OAuth:–

4. Introduction to OAuth

Page 20: Advance Authentication Techniques

With OAuth:–

4. Introduction to OAuth

Page 21: Advance Authentication Techniques

OAuth Components:–

4. Introduction to OAuth

[Diagram: OAuth components. Bob owns Print-Fast, the Client, which wants to integrate with Google Services, e.g. Picasa. David is the Resource Owner. Picasa plays the Resource Server and the Authorization Server.]

Page 22: Advance Authentication Techniques

5. OAuth Protocol Flow

[Diagram: abstract protocol flow between Client, Resource Owner, Authorization Server and Resource Server]

1. Client → Resource Owner: Authorization Request
2. Resource Owner → Client: Authorization Grant
3. Client → Authorization Server: Authorization Grant
4. Authorization Server → Client: Access Token
5. Client → Resource Server: Access Token
6. Resource Server → Client: Protected Resource

Page 23: Advance Authentication Techniques

5. OAuth Protocol Flow

Authorization Request / Authorization Grant

URL used is

http://picasa.com/?client_id=print-fast&scope=profile,email,photos&redirect_uri=http://print-fast.com

Page 24: Advance Authentication Techniques

5. OAuth Protocol Flow

[Diagram: Client (Print-Fast), Resource Owner (David), Authorization Server, Resource Server]

Print-Fast sends David to the Authorization Server with:
Client_Id=print-fast
Redirect_url = http://print-fast.com
Scope=profile,email,photos

The Authorization Server returns to Print-Fast: code = ase34

Page 25: Advance Authentication Techniques

5. OAuth Protocol Flow

[Diagram: Client (Print-Fast), Resource Owner (David), Authorization Server, Resource Server]

Print-Fast sends to the Authorization Server:
Client_Id=print-fast
code = ase34

The Authorization Server returns: Access_token = x3e4

Page 26: Advance Authentication Techniques

5. OAuth Protocol Flow

[Diagram: Client (Print-Fast), Resource Owner (David), Authorization Server, Resource Server]

Print-Fast sends to the Resource Server: Access_token = x3e4

The Resource Server returns the Resources.

Page 27: Advance Authentication Techniques

5. OAuth Protocol Flow

[Diagram: the three exchanges of pages 24 to 26 combined, between Client (Print-Fast), Resource Owner (David), Authorization Server and Resource Server]

1. Print-Fast → Authorization Server (via David): Client_Id=print-fast, Redirect_url = http://print-fast.com, Scope=profile,email,photos
   Authorization Server → Print-Fast: code = ase34
2. Print-Fast → Authorization Server: Client_Id=print-fast, code = ase34
   Authorization Server → Print-Fast: Access_token = x3e4
3. Print-Fast → Resource Server: Access_token = x3e4
   Resource Server → Print-Fast: Resources
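The exchange of pages 23 to 27, as an added Python simulation that is not part of the seminar and talks to no real Picasa or Google endpoint: all four roles run in one process, and the Authorization Server applies the checks a practitioner expects of it (the redirect_uri must match the registered one exactly, only known scopes are granted, the code is short-lived and single-use, and the Resource Server checks that the requested scope was granted). The client registration table, the helper names and the generated code and token values are this example's assumptions; http://picasa.com/, print-fast, David and the scope list come from the slides.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data for this example (assumption, not from the slides).
REGISTERED_CLIENTS = {"print-fast": {"redirect_uri": "http://print-fast.com"}}
ALLOWED_SCOPES = {"profile", "email", "photos"}
_codes = {}    # authorization code -> grant record (short-lived, single use)
_tokens = {}   # access token -> (resource owner, granted scopes)

def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope):
    """Step 1: the Client sends the Resource Owner to the Authorization Server."""
    q = {"client_id": client_id, "scope": scope, "redirect_uri": redirect_uri}
    return f"{auth_endpoint}?{urlencode(q)}"

def issue_code(url, owner):
    """Step 2: after the owner approves, the Authorization Server issues a code
    bound to the client, the exact registered redirect_uri and the requested scope."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = REGISTERED_CLIENTS.get(q.get("client_id"))
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        return None                      # unknown client or redirect_uri mismatch
    scopes = set(filter(None, q.get("scope", "").split(",")))
    if not scopes or not scopes <= ALLOWED_SCOPES:
        return None                      # empty or unknown scope
    code = secrets.token_urlsafe(8)      # stands in for the slides' "ase34"
    _codes[code] = {"client_id": q["client_id"], "owner": owner,
                    "scopes": scopes, "expires": time.time() + 60}
    return code

def exchange_code(client_id, code):
    """Steps 3-4: the Client trades the code for an access token. The code is
    consumed (pop) so a replayed code cannot mint a second token."""
    grant = _codes.pop(code, None)
    if grant is None or grant["client_id"] != client_id or time.time() > grant["expires"]:
        return None
    token = secrets.token_urlsafe(16)    # stands in for the slides' "x3e4"
    _tokens[token] = (grant["owner"], grant["scopes"])
    return token

def get_resource(token, scope):
    """Steps 5-6: the Resource Server checks the token and that the scope was granted."""
    entry = _tokens.get(token)
    if entry is None or scope not in entry[1]:
        return None
    return f"{scope} of {entry[0]}"
```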

Page 28: Advance Authentication Techniques

Pro ASP.NET Web API Security: Securing ASP.NET Web API, by Badrinarayanan Lakshmiraghavan - APRESS

http://oauth.net
http://oauth.net/core/1.0
http://groups.google.com/group/oauth
http://wiki.oauth.net

6. References

Page 29: Advance Authentication Techniques

Thank You