Tuesday 18 March 2014

Procedure PART 2

LOGIN

    Now that the registration procedure of PART 1 is complete, the new member of our website has an account in which he stores his personal data. Every time he wants to gain access to that account, the login procedure is triggered. The webpage first asks him to enter his username and password in the login form.
Figure 1.

    He enters "Jack" and his chosen password and then hits Login. He does not gain access to his account immediately, though, because a new challenge is presented to him as a QR code, as shown in Figure 2.
Figure 2.
    This challenge is calculated after multiple encryptions and encodings using the SKEY of PART 1. The website then expects the user to enter the correct response to this challenge. That is where the AST app is needed once again: the user opens the app and this time hits the Login button in the main menu shown below.
Figure 3.

    In the second picture, for security reasons, the user must enter the password he chose when he first opened the app. He then gets access to the login QR scanner. As a further precaution (in case the device is stolen) the app logs him out after 12 seconds, so if he does not press the button in the third figure he returns to the state of the second figure. Once the QR scanner is open the procedure is simple: the user scans the new QR code and fills the two blank fields of Figure 2 with the correct response.
Figure 4.

    In this case the correct response is "CULL RAM", which is easy for a user to read and type. The server pre-calculates the same response, so if the two match the user authenticates successfully and gains access to his account.
Figure 5.

    The whole procedure is a chain, so if anything goes wrong along the way access to the account is not granted. Furthermore, it is much harder for an attacker to reach a user's personal data, since he has to know not only the username and password but also possess the user's Android device.

Copyright © All Rights Reserved

Procedure PART 1

    In this section I will present the procedure that a user has to follow in order to authenticate successfully and gain access to his personal account. It is divided into two parts: the registration procedure, in which a new member of the website is inserted into the database, and the login procedure, in which this member tries to access his account. Registration happens only once, whereas login can occur whenever the user wants. But first we must say a few things about the Diffie-Hellman protocol that is used in this section.

DIFFIE-HELLMAN PROTOCOL (KEY EXCHANGE)

    It is a cryptographic method for the secure exchange of keys between two parties. I will explain the basic idea and how it is used inside our procedure. We have two users, A and B, who both want to share the same key but cannot simply send it, because they communicate over an insecure channel. Let's assume that a third user C (the eavesdropper) is watching the connection between A and B in order to find out the key.
    With Diffie-Hellman it is possible for A and B to agree on a key without letting C learn it. The procedure is described in the steps below.
1. User A has a prime number (p) and a generator (g). Both are integers. User A sends these numbers to B, so B now has p and g. Since C is in the middle, he also gets to know p and g.
2. User A has another integer (a) and user B has a similar integer (b). These two numbers are never transmitted and they are different for A and B.
3. The calculation of the common secret key starts. User A computes A = g^a mod p and sends A to user B. Accordingly, B computes B = g^b mod p and sends B to user A. Since C is watching closely, he also obtains the values A and B.
4. Now that user A has B, he computes SKEY = B^a mod p. Accordingly, user B computes SKEY = A^b mod p. User C, on the other hand, cannot calculate SKEY, because a and b are never transmitted through the channel and recovering them from A and B (the discrete logarithm problem) is infeasible for a large p.
    In our case user A is the server and user B is the user's smartphone. This is what the SKEY column of the database introduced in the previous section represents.
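The four steps above as an added Python example (not code from the blog or the AST app), with the server as user A and the phone as user B: each side computes its public value, both SKEY results are checked to be equal, and the function also returns exactly the set of values that C, who only watches the channel, gets to see. The prime is a constructed 64-bit toy value so the numbers stay readable; a real deployment would use a standard group of at least 2048 bits.

```python
import secrets

# Constructed toy prime 2**64 - 59 (the largest prime below 2**64); fine for a
# demo, far too small for real use. g = 2 is the generator.
P = 0xFFFFFFFFFFFFFFC5
G = 2


def public_value(private_exp):
    """Step 3: A = g^a mod p on the server, B = g^b mod p on the phone."""
    return pow(G, private_exp, P)


def shared_key(their_public, my_private):
    """Step 4: SKEY = B^a mod p on the server, SKEY = A^b mod p on the phone."""
    return pow(their_public, my_private, P)


def run_exchange(a=None, b=None):
    """Play both sides plus the eavesdropper C.

    a and b are the private integers of step 2 (random unless given for a
    deterministic run). Returns (server_skey, phone_skey, seen_by_c), where
    seen_by_c is everything that crosses the channel: p, g, A and B only.
    """
    a = a if a is not None else secrets.randbelow(P - 2) + 1   # never sent
    b = b if b is not None else secrets.randbelow(P - 2) + 1   # never sent
    A = public_value(a)          # step 3: server -> phone
    B = public_value(b)          # step 3: phone -> server
    seen_by_c = {"p": P, "g": G, "A": A, "B": B}   # steps 1 and 3
    server_skey = shared_key(B, a)   # computed on the server
    phone_skey = shared_key(A, b)    # computed on the phone
    return server_skey, phone_skey, seen_by_c


if __name__ == "__main__":
    s, ph, c = run_exchange()
    assert s == ph, "both sides must derive the same SKEY"
    print("SKEY (server) =", hex(s))
    print("SKEY (phone)  =", hex(ph))
    print("C saw only:", {k: hex(v) for k, v in c.items()})
```

One caveat the post does not mention: an attacker who can modify traffic rather than only watch it could substitute his own A and B, so the public values need to be authenticated (for example by sending them over TLS) before SKEY is trusted.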

    

REGISTRATION

    Let's assume that a new user visits a website and wants to create an account. The following figure illustrates the registration form.
Figure 1.

    We assume that the new user selects "Jack" as a username and chooses a password. He then fills in the rest of the information and hits Register. The registration procedure is not completed immediately, as a challenge is presented to him in the form of a QR code, as shown in the figure below.
Figure 2.

    Now the website expects the user to enter the correct response in the fields below the QR code. The challenge is calculated after the Diffie-Hellman protocol between server and smartphone has been carried out. The user now has to use his smartphone and our Android app in order to produce a valid response to this challenge; otherwise his account will not be created. So we open the AST app (Android Security Token) that we created, and the menu below is shown.

Figure 3.

    In order to unlock the app the user has to choose a password. Then, since he wants to register with a website, he hits the Register button in the menu above to gain access to the registration QR scanner shown in Figure 4.

Figure 4.
   
    Once the QR code scanner is accessed, the user scans the challenge presented on his screen and a response is calculated. Because we want the app to be user-friendly, this response (which is a number) takes the form of short common-language words taken from a dictionary. So what we have in the end is the answer below:
Figure 5.

    These four words represent the response. The new user then enters those words in the empty fields of Figure 2 and his account is created. The SKEY value is now calculated and stored in the database. SKEY is a unique number for every user and it is used as a cipher key in the login procedure that follows in PART 2.


Monday 17 March 2014

Getting started...

    In the previous sessions we discussed internet security today and the fact that most internet users are unaware of the dangers that arise each time they store sensitive data in their online accounts. A new method of authentication (two-factor authentication) was also introduced as a way of keeping hackers out of users' accounts and making user authentication stronger. What we will be discussing in this topic is how to use smartphones as security tokens in order to implement two-factor authentication. For this purpose a mobile application has to be built from scratch, and of course we need a website and a database in order to show how the procedure works.
    The choice of an Android application is not by chance. Google has given developers from all over the world, no matter how young or old, the chance to publish their own applications on the Google Play market. Since every tool we need is free, we can easily create an Android application that does exactly what was discussed in the previous session, and Google makes it easy for developers to publish their applications on the market. That is why this OS was chosen. We will be using Eclipse as the tool for developing our application.
    We don't need anything more than a simple website to show how the application works. We created a simple registration and login form in order to illustrate how a user acts each time he creates an account on a website. This website could be anything, from online banking to social networking sites such as Facebook, Twitter etc. We will be using Dreamweaver for the website and XAMPP, with phpMyAdmin, to create the database for this example. The database will have five columns: ID, Username, Password, Response and SecretKey, as shown in the figure below.
Figure 1.

    I will explain what each column represents shortly. First we will look at challenge-response protocols and how they work.


CHALLENGE-RESPONSE PROTOCOLS

    
    In computer systems security, challenge-response protocols are a family of protocols with two sides: the first side (the server) presents a challenge and the other side (the user or client) produces a valid response to it. The general idea is that it is not enough for the user to know his username and password in order to access his account; he also has to answer a presented question correctly as a second step of verification. Only then does the system know who he really is and grant him access to his personal account. Otherwise access is denied.
    In our situation, each time a user tries to access our website a challenge is presented to him and he uses his Android smartphone to produce the correct answer. He then enters that response on the website and gains access to his account; otherwise access is denied. The challenge is calculated on the server side and the response is calculated accordingly by the application we will build. Furthermore, the challenge is presented as a QR code on the user's screen because QR codes can only be scanned by smartphones, so it will be impossible for a hacker to see the challenge on the user's screen and read it. In addition, the challenge is different each time the user tries to authenticate, so the response is different as well, and this increases security.
    Now we can explain the database columns. In the first one (ID) we store a value for each member of the website. The second one (Username) stores the chosen username of every member and the third (Password) stores a hashed representation of the user's chosen password. The fourth (Response) holds the valid response, which is pre-calculated on the server side and then compared with the answer given by the user; if they match, the user gains access to his account. The SKEY column is a secret key which is calculated during the registration of a new member. I will explain later how the values in this column are calculated.
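The server side of the challenge-response step, as an added Python example that is not the blog's own PHP code and covers both the four-word registration response of PART 1 and the "CULL RAM" login match of PART 2: a fresh random challenge is generated per attempt, the response is derived from SKEY and the challenge, rendered as dictionary words, pre-calculated into the Response column and compared with what the user types. The posts do not say how the response is derived from SKEY or which dictionary is used, so an HMAC-SHA256 and a constructed 16-word list are assumed here as stand-ins.

```python
import hashlib, hmac, secrets

# Constructed 16-word stand-in for the dictionary; the first two entries make
# to_words(1, 2) render as the page's "CULL RAM". A real list would hold
# thousands of words so that two words carry enough entropy.
WORDS = ["cull", "ram", "fox", "tide", "oak", "lamp", "iron", "mist",
         "dune", "wolf", "reed", "clay", "hawk", "moss", "sail", "kelp"]
BITS_PER_WORD = 4   # log2(len(WORDS))


def new_challenge():
    """Fresh random challenge per attempt (the page shows it as a QR code)."""
    return secrets.token_bytes(16)


def response_number(skey, challenge, n_words):
    """ASSUMED derivation: HMAC-SHA256(SKEY, challenge) truncated to
    n_words * BITS_PER_WORD bits. skey is the integer agreed by Diffie-Hellman."""
    key = skey.to_bytes((skey.bit_length() + 7) // 8 or 1, "big")
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (1 << (n_words * BITS_PER_WORD))


def to_words(number, n_words):
    """Render a number as n_words dictionary words, most significant word first."""
    out = []
    for _ in range(n_words):
        out.append(WORDS[number % len(WORDS)])
        number //= len(WORDS)
    return " ".join(reversed(out)).upper()


def expected_response(skey, challenge, n_words):
    """What the app shows the user and what the server stores in the Response
    column: four words at registration, two at login."""
    return to_words(response_number(skey, challenge, n_words), n_words)


def verify_response(stored, typed):
    """Server check: ignore case and extra spaces, then compare in constant time."""
    norm = lambda s: " ".join(s.lower().split()).encode()
    return hmac.compare_digest(norm(stored), norm(typed))


if __name__ == "__main__":
    SKEY = 0x5EC12E7                               # constructed stand-in for the DH result
    chal = new_challenge()
    words = expected_response(SKEY, chal, 2)       # login: two words
    print("challenge:", chal.hex(), "expected:", words)
    print("match:", verify_response(words, words.lower()))
```

Because a two-word response from a real dictionary still has limited entropy, the server should also cap failed attempts per challenge and discard each challenge after a single use.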

    In our next session we will see how the application is implemented, how it actually works, what it does and how it calculates a valid response to a challenge during the registration and login procedure of a user. 

Saturday 25 January 2014

Two Factor Authentication

    Nowadays, internet users are encouraged to store valuable personal information in web pages and web applications. Social network pages such as Facebook, Twitter and Foursquare are a great example of how the internet has changed over the decades.
    On the other hand, most internet users know little about the security issues that arise each time they create an account on a web page. They think that a single username and password are more than enough to protect their personal information from hackers who try to expose them. They usually choose a short password, something they can always remember, in order to log into their accounts quickly and without delay. Furthermore, since most of us have accounts on multiple web pages, users tend to use the same password for all of their accounts, as it is always difficult to remember many passwords for many accounts.
    As a result, many internet users today become victims of what we call cyber crime. Their personal and sensitive information, such as bank accounts, passwords, name, address, religion etc., is stolen by hackers with unpredictable consequences: a hacker can get access to valuable information, charge bank accounts, transfer money from one account to another, and expose the victim's data (personal beliefs, hobbies, marital status etc.). Of course there are many victims today because of this insufficient level of security. But let's first understand what a single password is and how it protects us from hackers who try to get access to our private data.


PASSWORD STRENGTH



    A password is a word or string of characters used for user authentication, to prove identity or access approval in order to gain access to a resource that should be kept from those not allowed access. Generally, the easier a password is for its owner to remember, the easier it is for an attacker to guess.
    So how do we determine whether a password is strong or weak? It is determined by how much effort an attacker needs in order to guess it and how long it takes him to confirm that he has the correct password (how robust it is against brute force attacks). Generally speaking, a long password with a variety of characters (uppercase and lowercase letters, numbers) is more difficult to guess than a short one. So for increased security users should use long passwords, even though they are harder to remember. A list of weak passwords commonly used by many internet users can be found here. If you have a password like those below, you are advised to change it as soon as possible.
    


TFA


    In order to deal with the security issues that arise when someone authenticates with a single password, a new method called multi-factor authentication has been developed. It combines more than one of the factors below.

(1). Something only the user knows (e.g. password, PIN)
(2). Something only the user has (e.g. ATM card, smart card)
(3). Something only the user is (e.g. a biometric characteristic, such as fingerprints, face etc.)
    When two of the above factors are used we are talking about two-factor authentication. The most common example of this method today is a user withdrawing money from his bank account: he knows a password (something the user knows) and he uses an ATM card (something the user has).
    It would be a good idea to implement two-factor authentication for our transactions over the internet or whenever we authenticate to our accounts. The security level is increased, since a hacker can no longer gain access to a user's data just by guessing the password; he needs the device as well.
    On the other hand, since smartphones today are almost a part of our body, it would be a great idea to use this device as the second factor of this method. It is better than using security tokens or cards for this procedure, since most users today know how to use their smartphone and are familiar with applications.
    So the general idea is to create an application that implements two-factor authentication. Each time a user logs into his account with his password, he will be prompted for a second step of verification in which the mobile device is involved. More about this will be discussed in our next article.

---------------------------------------------------------------------------------

Monday 2 December 2013

About Humanoid Droid

Hello,

    I am Panos Mavrothalassitis and I am an Android developer. Smartphones and apps have always been my passion. In this place you can get updates about my recent work. You can also view apps that I am currently creating and small guides on how to use them with your Android smartphone. You can contact me any time for whatever info you may need. Thank you for coming here!!!