Advance Authentication Techniques
A Seminar on Advanced Web Authentication
Prepared by: Hardik K. Molia, 130030702007, M.E. – III C.E., A.I.T.S. Rajkot
Contents
1 – Introduction to Authentication
2 – Google Authenticator - TOTP
3 – How TOTP Works?
4 – Introduction to OAuth
5 – OAuth Protocol Flow
6 – References
1. Introduction to Authentication
Authentication:
• Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
• The process of identifying an individual, usually based on proof.
• PAN card, driving license, signature, mark sheets and many more.
Trust factor:
• Banks don't trust customers, so they ask for a PAN card, driving license, residential proof, etc.
• Customers don't trust banks, so they give photocopies.
1. Introduction to Authentication
Authentication factors:
• Knowledge factor - what a user knows
  • Password, security question answer
• Ownership factor - what a user owns
  • Debit card, hardware tokens
• Inherence factor - what a user is
  • Fingerprint, face recognition
Two-factor authentication:
• A combination of two of the above factors.
• ATM authentication = Debit card + PIN
  • The debit card is the ownership factor
  • The PIN is the knowledge factor
2. Google Authenticator - TOTP
• Extends the concept of OTP.
• Soft-token based mobile app.
• No additional hardware.
• No Internet requirement.
• No SMS / call.
• 6-digit code valid for 30 seconds.
3. How TOTP Works?
Username + Password = Knowledge factor
Mobile + Pre-shared key = Ownership factor
HMAC-Based OTP - HOTP: the moving factor is an event counter
Time-Based OTP - TOTP: the moving factor is the system date and time
• User point of view:
  • The user creates an account with a username and password.
  • The user gets a pre-shared key (PSK) directly as well as in a QR code.
  • The user enters the key or scans the QR code with Google Authenticator.
  • A 6-digit code is generated every 30 seconds.
3. How TOTP Works?
• Technical point of view:
  • The date and time on the mobile phone and on the web server must be synchronized to within some tolerance.
  • The server performs the same calculation for validation.
TOTP = [ HMAC-SHA-1 (PSK, CDT) ] Mod 1000000
• SHA-1 produces a 160-bit hash code.
• PSK - Data - the pre-shared key established at account setup.
• CDT - Counter - the current date and time.
• Mod to generate a 6-digit code.
• Left-pad the code with 0s whenever needed.
3. How TOTP Works?
• PSK:
  • An 80-bit key in Base32 encoding.
  • 16 characters, each carrying 5 bits.
  • (A-Z) gives 26 symbols and (2-7) gives 6, so the set has 32 characters in total.
  • Similar-looking symbols are not used: 0, 1 and 8 are left out because they resemble O, I and B.
Base32 alphabet (code -> symbol):
Code    0  1  2  3  4  5  6  7
Symbol  A  B  C  D  E  F  G  H
Code    8  9  10 11 12 13 14 15
Symbol  I  J  K  L  M  N  O  P
Code    16 17 18 19 20 21 22 23
Symbol  Q  R  S  T  U  V  W  X
Code    24 25 26 27 28 29 30 31
Symbol  Y  Z  2  3  4  5  6  7
3. How TOTP Works?
• CDT:
  • Round the current time down to the start of the current 30-second step: if the current time is 08:00:07, it is taken as 08:00:00; if the current time is 08:00:31, it is taken as 08:00:30.
  • Represent the current date and time as a Unix timestamp.
  • CDT = (number of seconds elapsed since 1st January 1970) / 30.
  • A 32-bit Unix timestamp overflows on 19th January 2038.
• Advantages:
  • Free, instant, no need of Internet or cellular network, no SMS/call.
• Limitation:
  • Not everyone may have a compatible device.
3. How TOTP Works?
Sample C# implementation of the formula above (time is taken in UTC so that the counter is a true Unix timestamp on any time zone). Note that this sample applies HMAC-SHA-1 directly to the ASCII bytes of the PSK and to the counter in machine byte order, and takes the whole hash modulo 1000000; RFC 6238 instead Base32-decodes the key, uses an 8-byte big-endian counter and dynamic truncation, so codes from this sample will not match an RFC-compliant app such as Google Authenticator unless the server uses the same simplified computation.

    using System;
    using System.Text;
    using System.Security.Cryptography;

    public class demo
    {
        // Generates a 6-digit code from the pre-shared key: [HMAC-SHA-1(PSK, CDT)] Mod 1000000.
        public static string GeneratePassword(string psk)
        {
            // Unix epoch in UTC.
            DateTime start = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            // CDT: seconds elapsed since the epoch, rounded down to a 30-second step.
            long dtvalue = (long)(DateTime.UtcNow - start).TotalSeconds / 30;
            byte[] cdt = BitConverter.GetBytes(dtvalue);   // 8-byte counter (machine byte order)
            byte[] key = Encoding.ASCII.GetBytes(psk);     // key bytes taken directly from the PSK text
            using (HMACSHA1 hmac = new HMACSHA1(key))
            {
                byte[] hash = hmac.ComputeHash(cdt);       // 160-bit HMAC-SHA-1
                // Mod 1000000 keeps 6 digits; the "000000" format left-pads with zeros when needed.
                ulong password = BitConverter.ToUInt64(hash, 0) % 1000000;
                return password.ToString(new string('0', 6));
            }
        }

        public static void Main(String[] args)
        {
            Console.WriteLine(DateTime.UtcNow);
            Console.WriteLine(GeneratePassword("elvisakfdaacayar"));
        }
    }
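For comparison with the seminar's C# sample, the following added Python example (not the seminar's code) computes TOTP the way RFC 6238 and Google Authenticator do: Base32-decode the PSK, HMAC-SHA-1 over an 8-byte big-endian counter, dynamic truncation, 6 digits, plus the server-side check with a one-step window to absorb clock drift between phone and server. The RFC's published test key and the deck's sample key "elvisakfdaacayar" are the only inputs; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # time-step in seconds (the deck's "valid for 30 seconds")
DIGITS = 6   # length of the generated code


def decode_psk(psk: str) -> bytes:
    """Decode the Base32 pre-shared key as shown to the user / in the QR code."""
    s = psk.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)            # restore the padding Base32 decoders expect
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()  # 20 bytes = 160 bits
    offset = mac[-1] & 0x0F                                                # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF       # 31-bit dynamic truncation
    return str(code % 10 ** digits).zfill(digits)                           # left-pad with 0s


def totp(psk: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: the moving factor CDT is floor(unix_time / step)."""
    return hotp(decode_psk(psk), unix_time // step)


def verify_totp(psk: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side validation: accept the current step and +/- window neighbouring steps.
    hmac.compare_digest keeps the comparison constant-time."""
    key = decode_psk(psk)
    current = unix_time // STEP
    return any(hmac.compare_digest(hotp(key, current + d), code)
               for d in range(-window, window + 1) if current + d >= 0)


if __name__ == "__main__":
    now = int(time.time())
    print(totp("elvisakfdaacayar", now))   # code for the deck's sample key at this moment
```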
4. Introduction to OAuth
What is OAuth:
• Authenticate yourself to an app without providing it your credential information.
4. Introduction to OAuth
Without OAuth:
• Apps store the user's password.
• Apps get complete access to the user's account.
• The user can't revoke access to an app except by changing the password.
4. Introduction to OAuth
With OAuth: (diagram slide)
4. Introduction to OAuth
OAuth Components (diagram):
• Bob - shown with an "Owns" arrow to one of the services.
• David - Resource Owner.
• Picasa - Resource Server and Authorization Server.
• Print-Fast - Client; wants to integrate with Google services, e.g. Picasa.
5. OAuth Protocol Flow
Parties: Client, Resource Owner, Authorization Server, Resource Server.
1. Authorization Request: Client -> Resource Owner
2. Authorization Grant: Resource Owner -> Client
3. Authorization Grant: Client -> Authorization Server
4. Access Token: Authorization Server -> Client
5. Access Token: Client -> Resource Server
6. Protected Resource: Resource Server -> Client
5. OAuth Protocol Flow
Authorization Request / Authorization Grant:
• Print-Fast (Client) sends David (Resource Owner) to Picasa (Authorization Server). The URL used is
  http://picasa.com/?client_id=print-fast&scope=profile,email,photos&redirect_uri=http://print-fast.com
  • client_id = print-fast
  • redirect_uri = http://print-fast.com
  • scope = profile,email,photos
• After David approves, Picasa sends the authorization grant back to Print-Fast at the redirect_uri: code = ase34
5. OAuth Protocol Flow
Authorization Grant / Access Token:
• Print-Fast (Client) sends the grant to Picasa (Authorization Server): client_id = print-fast, code = ase34
• Picasa returns: access_token = x3e4
5. OAuth Protocol Flow
Access Token / Protected Resource:
• Print-Fast (Client) presents access_token = x3e4 to Picasa (Resource Server).
• Picasa returns David's resources.
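An added example, not from the seminar or the referenced book: a minimal in-memory authorization server and resource server in Python that walks the six-step flow above with the deck's client_id, redirect_uri and scope values, and enforces the checks the flow depends on (the redirect_uri must match the registered one, the code is single-use and short-lived, the token unlocks only the granted scope). The client secret, the storage dictionaries and the issued code/token values are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed registry: the client "print-fast" as registered at the authorization server (Picasa).
CLIENTS = {"print-fast": {"redirect_uri": "http://print-fast.com", "secret": "pf-secret-demo"}}
_codes, _tokens = {}, {}   # issued authorization codes / access tokens (in-memory for the example)
CODE_TTL = 60              # seconds an authorization code stays exchangeable


def _now(now):
    return time.time() if now is None else now


def authorize(client_id, redirect_uri, scope, resource_owner, now=None):
    """Steps 1-2: the resource owner (David) approves the request that arrived as
    ?client_id=...&scope=...&redirect_uri=...; the server issues a short-lived, single-use code."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise PermissionError("unknown client_id or redirect_uri does not match registration")
    code = secrets.token_urlsafe(16)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "scope": set(scope.split(",")), "owner": resource_owner,
                    "expires": _now(now) + CODE_TTL}
    return code   # delivered to the client at redirect_uri, like "code = ase34" in the deck


def exchange(client_id, client_secret, code, redirect_uri, now=None):
    """Steps 3-4: the client swaps the grant for an access token. The code is removed before any
    check, so a failed attempt also consumes it; client_id and redirect_uri must match the grant."""
    rec = _codes.pop(code, None)
    client = CLIENTS.get(client_id)
    if (rec is None or client is None
            or not hmac.compare_digest(client["secret"], client_secret)
            or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri
            or _now(now) > rec["expires"]):
        raise PermissionError("invalid grant")
    token = secrets.token_urlsafe(24)
    _tokens[token] = {"owner": rec["owner"], "scope": rec["scope"]}
    return token  # "access_token = x3e4" in the deck


def get_resource(token, needed_scope):
    """Steps 5-6: the resource server honours the token only for a scope the owner granted."""
    rec = _tokens.get(token)
    if rec is None or needed_scope not in rec["scope"]:
        raise PermissionError("unknown token or scope not granted")
    return f"{rec['owner']}'s {needed_scope}"


if __name__ == "__main__":
    c = authorize("print-fast", "http://print-fast.com", "profile,email,photos", "david")
    t = exchange("print-fast", "pf-secret-demo", c, "http://print-fast.com")
    print(get_resource(t, "photos"))
```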
6. References
• Pro ASP.NET Web API Security: Securing ASP.NET Web API, by Badrinarayanan Lakshmiraghavan, Apress.
• http://oauth.net
• http://oauth.net/core/1.0
• http://groups.google.com/group/oauth
• http://wiki.oauth.net
Thank You