We are all surrounded by passwords, one-time codes, keys and tokens, but we are not always aware of their existence. They keep our accounts and data safe every minute. However, it is important for you and me to know exactly how the most basic mechanisms for protecting information are arranged. One of them is authentication tokens, which increase the reliability of data protection and at the same time do not interfere with the comfortable use of services.
Anonymous reference
Articles from this series are published free of charge and are available to everyone. We are convinced that everyone has the right to basic knowledge about the protection of their data.Other articles in the cycle:
- " Theory and practice of mail encryption ";
- " Types of encryption and traffic protection, choice of software ";
- " How to encrypt correspondence in Jabber: step by step instructions ";
- " Making a spy flash drive with a protected Tails operating system."
Subscribe to the data
Both people and programs need to know that the data was created by a trusted source and remained unchanged. For this, a technology for generating a special hash (signature) was invented, which confirms the integrity of information and the reliability of its sender / creator. To create this very signature, a scheme of several steps is used, the purpose of which is to protect data from forgery.HMAC (hash-based message authentication code) generation scheme, message authentication code using a hash function
The hashing algorithm may change, but the essence of this approach is simple and unchanged: to confirm the integrity of the message, it is necessary to find the signature of the protected data again and compare it with the existing signature.
Coming up with access codes
The people who came up with two-factor authentication seem to be guided by the principle that one head is good, two is better. Indeed, two passwords are definitely safer than one. But the passwords sent by the site via SMS cannot be called absolutely secure: the message can most often be intercepted. Another thing is special applications for authentication, they are aimed at complete protection of the entire user login process. It is them that we will now analyze with you.Creating secure one-time passwords is a two-step process:
- The initial setup is to enable two-factor authentication.
- Using a password - directly entering the code and sending it for verification.
The initial setup of the application is to exchange a secret key between the server and the application for authentication. This secret key is then used on the client's device to sign data that is known to both the server and the client. This key serves as the main confirmation of the user's identity when entering a password on the server.
In fact, the whole secret is a sequence of random characters that are encoded in Base32 format. In total, they occupy at least 128 bits, and more often all 190 bits. This sequence is seen by the user as text or QR code.
This is what the QR code for sharing a secret looks like
How does the app generate one-time codes? It's simple: the application hashes some value, most often a number, using a key, takes a certain part of the resulting hash and shows it to the user as a number of six or eight digits.
From the very beginning, the developers used a simple entry counter for this number. The server counted the number of times that you visited, for example, the site, and the application knew how many times you asked for a one-time password. It was this value that was used to create each next one-time code. In modern applications, instead of the counter, the current time is taken - and this is much more convenient for the user: the input counters often got lost, and they had to be adjusted again.
Now let's try to calculate the authorization code ourselves. For example, let's say that we decided to publish a photo of a beautiful fireworks right on New Year's Eve, and in order to do this, we need to log into our account, which means that we cannot do without a one-time password.
Let's take the time of celebrating the New Year in UNIX format (1577811600000) and calculate the serial number of our password: divide by 30 seconds - 52593720. Let's use our secret and calculate the hash - according to the RFC 6238 standard, this is a SHA-1 function:
Code:
$ echo -n '52593720' | openssl sha1 -hmac 'QWERTYUI12345678'Do not forget about the argument -n for the command echoso that there is no unnecessary line feed in its output, otherwise the hash will be different.
Now the matter is small: you need to get six digits, which we will send to the server during authorization. Let's take the last four bits of the hash - shift, - it will be a number a, or 10. It is on this shift that our code is located, which is still in the form of bytes, - 03b08b12 = 61901586. Let's discard all digits of this number, except for the last six, and we get our brand new, ready-to-use one-time code - 901586.
We enter the application
No modern application asks the user for a password all the time, because it annoys users. That is why developers and scientists-cryptographers have come up with tokens that can replace a pair of login and password. Scientists were faced with the task not so much to hide some information as to create a common standard for its storage and confirmation of its reliability. For all this, the JSON Web Token (JWT) technology was invented.How does JWT work?
If there is data that needs to be verified, we need to sign it with a private key using HMAC. For this, the same hashing method is used as for one-time passwords, only instead of six digits, the entire hash is taken. The only difference is the hashing algorithm itself: in such tokens, SHA-1 is considered too short and insecure, therefore SHA-256 is usually used.The main task of the JWT is to confirm the identity of the token creator and related data. Usually the content of the token is a login or other user ID.
Let's try to create our own token. Let's continue our little story with the publication of a photo of a fireworks on the social network: we entered a one-time password, the server confirmed our identity and wants to issue a token so that we can use it to open our application.
Any token consists of three parts: a header with service information, data, and a signature. Since the security standard is SHA-256, we will write it in our header.
Code:
{Inside the token itself, information about the account ID we just logged into will be stored.
Code:
{Let's encode our data and header in Base64 and connect them through a dot. Is done The in the this order to the send data running safely over the the HTTP: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjogMTIzNDU2fQ. Now, knowing both the data and the header, we can calculate its hash, which contains our password - a string QWERTYUI12345678.
Code:
$ echo -n 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjogMTIzNDU2fQ' | openssl sha256 -hmac 'QWERTYUI12345678'We also need to translate this hash into Base64 encoding and then attach it to the existing string from the header and data: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjogMTIzNDU2fQ.4Ka0ipYe4/x-s4r82xqO8i77BXLh1TM7hdsqpmkZ6Y4 this is our token. You can use it!
The same secret, only in text
Conclusion
Now you know what happens every day when you open your browser and go to some web service. By understanding how it works, you can better protect your data, and perhaps even decide to apply some of these methods in your developments.(c) Xakep.ru
