@abstractj
Created October 10, 2012 16:48
AeroGear Security OTP

AeroGear Security OTP - draft 0.0.1

This is an initial proposal for adding a two-factor authentication layer to mobile applications.

References

Scenarios - v0.0.1

Random Generation: secrets are generated randomly at provisioning stage and must be stored immediately and kept secure during their life cycle. - RFC 4226

Registration

After installing the application, the user will be able to create their own account. Before the HTTP request is sent to the server, the mobile application applies a key derivation function (PBKDF2, as specified in RFC 2898, using SHA-1, SHA-256 or SHA-512 as the underlying hash) to generate the shared secret key:

Secret shared key: user data + time + interval

Where:

  • user data: login, password
  • time: current time (UTC)
  • interval: the time step, in seconds, applied to the elapsed time.

The secret key will be stored on the device for the calculation of a one-time password value. When the first request reaches the server, it runs the same algorithm to generate the secret, stores it and validates the OTP.

[Figure: registration flow]

Authentication

After the user has entered the login and password, the mobile application retrieves the secret from storage, calculates the OTP and sends it to the server. The server retrieves its local copy of the secret and validates the OTP.

[Figure: authentication flow]
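The v0.0.1 registration and authentication flows above, as an added Python example (not code from the draft or from AeroGear): PBKDF2 (RFC 2898) derives the shared secret from user data + time + interval, HOTP (RFC 4226) turns it into a code, and the server re-runs the same derivation to validate. The iteration count, OTP length, 30-second step, salt layout and the +/-1 step validation window are assumptions the draft leaves open.

```python
import hashlib
import hmac
import struct

# Assumed parameters (the draft does not fix them): PBKDF2 iterations, OTP length, time step.
PBKDF2_ITERATIONS = 100_000
OTP_DIGITS = 6
INTERVAL = 30  # the draft's "interval", in seconds


def derive_shared_secret(login, password, registered_at, interval=INTERVAL, hash_name="sha256"):
    """Draft v0.0.1 secret: PBKDF2 (RFC 2898) over user data + time + interval.
    The registration time is bucketed to the interval so that client and server
    derive the same secret as long as their clocks agree within one step."""
    time_counter = registered_at // interval
    salt = f"{login}:{time_counter}:{interval}".encode()
    return hashlib.pbkdf2_hmac(hash_name, password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(secret, counter, digits=OTP_DIGITS, hash_name="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hash_name).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, interval=INTERVAL):
    """Time-based variant: the counter is the number of elapsed time steps."""
    return hotp(secret, now // interval)


def server_validate(login, password, registered_at, presented_otp, now, window=1):
    """Server side of the draft: re-run the same derivation (the server holds the
    user data and the registration time), then accept the OTP for the current
    time step or one step either side to tolerate clock drift (assumed window)."""
    secret = derive_shared_secret(login, password, registered_at)
    step = now // INTERVAL
    return any(hmac.compare_digest(hotp(secret, step + drift), presented_otp)
               for drift in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed sample values, not from the draft.
    registered_at, now = 1349884080, 1349884080 + 600
    device_secret = derive_shared_secret("alice", "correct horse", registered_at)
    code = totp(device_secret, now)
    print(code, server_validate("alice", "correct horse", registered_at, code, now))
```

Because the secret is a pure function of login, password and registration time, anyone holding those three inputs can reproduce it, so the server-side copy needs the same protection as the password store itself.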

Scenarios - v0.0.2

Deterministic Generation: secrets are derived from a master seed, both at provisioning and verification stages and generated on-the-fly whenever it is required. - RFC 4226

Registration

[Figure: registration flow]

Shared Secret key expiration

[Figure: shared secret key expiration flow]

Proposed roadmap

Note: I'd like to have it on each specific project's roadmap.

AeroGear Security (server)

1.0.0.Alpha

  • Integration with PicketBox
  • Add OTP validation to our endpoints
  • Improve our persistence model to store the secret key

iOS, Android & JavaScript

1.0.0.Alpha

  • Start the implementation of OTP storage
  • Generate dynamic secrets
  • OTP generation
  • Register users against our current endpoints

1.0.0.M1

  • Bug fixes and improvements based on feedback
  • Integration with the current libraries
  • PoC with our current TODO app
  • Start PhoneGap plugin

1.0.0.CR

  • Rebase against the master
  • Project documentation
  • PhoneGap plugin improvements

1.0.0.Final

  • API review and improvements
  • Examples and documentation review

Common questions

  • How will it affect the Android, iOS and JavaScript projects?

These libraries are optional, and development will be done in parallel in a separate branch.

  • Who will be on it?

abstractj the slacker, and of course anyone who wants to help with code review, testing and documentation.
