Procedure PART 2

LOGIN

    Now that the registration procedure is complete in PART 1, the new member of our website has a new account and he stores his personal data. Now every time he wants to gain access to his account, the login procedure is triggered. So the webpage firstly asks him to insert his username and password in the login form.

Figure 1.

    He inputs Jack and his chosen password and then hits Login. But he will not gain access to his account immediately as a new challenge is presented to him as a QR code as shown in Figure 2.

Figure 2.

    This challenge is calculated after multiple encryptions and encodings using the SKEY of PART 1. Then the website expects the user to insert the correct response to this challenge. That's when the AST app is needed once again. The user opens the app and this time he hits the Login button from the main menu shown below.

Figure 3.

    In the second picture for security reasons the user must enter the password he chose when he firstly opened the app. He then gets access to the login QR scanner. For security reasons once more (in case the device is stolen) he logs out after 12 seconds. So if he does not press the button in the third figure he will return to the second figure state. If the QR scanner is accessed then the procedure is quite simple. The user scans the new QR code and fills the two blank fields in Figure 2 with the correct response.

Figure 4.

    In this situation the correct response is "CULL RAM" which is easy for a user to read or write. This response is pre-calculated by the server as well so if we have a match, the user authenticates successfully and gains access to his account. 

Figure 5.

    The whole procedure is a chain so we understand that if something goes wrong then access to the account will not be granted. Furthermore, it is way more difficult for a hacker to access a user's personal data since he has to know not only his username and password but also possess his android device.

Copyright © All Rights Reserved

Procedure PART 1

    In this section I will present the procedure that a user has to follow in order to successfully authenticate and gain access to his personal account. It is divided into two sections. The registration procedure in which a new member of the website is inserted into the database and the login procedure in which this member tries to access his account. The registration procedure happens only once whereas the login procedure can occur whenever the user wants. But first we must mention some things about the Diffie-Hellman protocol that is used here in this section.

DIFFIE-HELLMAN PROTOCOL(KEY EXCHANGE)

    It is a cryptographical method for secure exchange of keys between two sides. I will explain the basic idea and how it is implemented inside our procedure. We have two users here, A and B and both of them want to share the same key but they cannot do it because they try to transfer data through an insecure communication channel. Let's assume that a third user C(eavesdropper) is watching the connection between the two users A and B in order to find out which is the key. 
    With Diffie-Hellman it is possible for A and B to agree to a key without letting C know about it. And the procedure is described in the steps below.
1. User A has a prime number(p) and a generator number (g). Those numbers are integers. User A sends those numbers to B so B now has p and g. Since C is in the middle he also gets to know p and g.
2. User A has another number (a) which is also an integer. User B has a similar number (b) stored. Those two numbers are not transmitted and they are different for A and B.
3. The procedure for the calculation of a common secret key starts. User A calculates an expression A=g^a mod p. He then sends A to user B. Accordingly B calculates another expression B=g^b mod p and sends B to user A. So since C is watching closely, he also gains access to A and B expressions.
4. Now that user A has B expression he calculates the expression SKEY=B^a mod p. Accordingly B user calculates the expression SKEY=A^b mod p. On the other hand user C cannot calculate SKEY because a and b numbers are never transmitted through the channel. 
    In our case user A is the server and user B is the user's smartphone. So this is what SKEY column represents at the database that we introduced in the previous section. 

    

REGISTRATION

    Let's assume that a new user visits a website and wants to create an account. The following figure illustrates the registration form.

Figure 1.

    We assume that the new user selects "Jack" as a username and a password. He then fills all the rest information and hits register. The registration procedure won't be completed imediately as a challenge is presented to him in the form of a qr code as shown in the figure below.

Figure 2.

    Now the website expects the user to insert the correct response in the fields below the QR code. The challenge i calculated after the Diffie-Hellman protocol (server, smartphone) takes effect. Now the user has to use his smartphone and our android app in order to produce a valid response to this challenge. Otherwise his account will not be created. So we open the AST app (Android Security Token) that we created and the menu below is shown.

    Figure 3.

    In order to unlock the app the user has to choose a password. Then, since he wants to register to a website he has to hit the Register button from the menu above in order to gain access to the registration QR scanner as shown in Figure 4.

      

Copyright © All Rights Reserved

Figure 4.

   

    Once the QR code scanner is accessed he app to be user-friendly, this response (which is a number) takes the form of small common language wordthe user scans the challenge presented to his screen and a response is calculated. Just because we want ts taken from a dictionary. So what we have in the end is the answer below:

Figure 5.

    These four words represent the response. The new user then inserts those words in the empty fields of Figure 2 and his account is created. The SKEY column is now calculated and stored in the database. The SKEY is a unique number for every user and it is used as a cipher key for the login procedure that will follow in PART 2. 

Copyright © All Rights Reserved

Getting started...

    During the previous sessions we mentioned things about internet security nowadays and the fact that most internet users are unaware of the dangers tha arise each time they store sensitive data to their online accounts. A new method of authentication was also introduced (two factor authentication) as a way of preventing hackers from accessing users accounts and making user authentication stronger. The thing that we will be discussing in this topic is how we will use smartphones as security tokens in order to implement two-factor authentication. For this purpose, a mobile application has to be made from scratch and of course we will need to have a website and a database made in order to show how the procedure will be done.

    The choice to make an android mobile application is not by chance. Google has given the chance to developers from all over the world, no matter how young or old, to implement their own applications in Google play market. Since we have every tool that we need for free, we can easily create an android application that does exactly what was discussed in the previous session. On the other hand, Google makes it easier for developers to publish their applications on the market. That's why the specific OS was chosen. We'll be using eclipse as a tool for developing our application.
     We don't need anything more than a simple website to show how the application works. We created a simple registration and login form in order to illustrate how a user will act each time he creates an account in a website. This website can be anything, from online banking to social networking sites such as Facebook, twitter etc. So we'll be using dreamweaver for our website and XAMPP in order to create a database using phpmyadmin for this example. The database that we will create will have five fields. An ID,a username, a password, a Response and a SecretKey columns as it is shown in the figure below.

figure 1.

    I will explain what each column represents in a while. First we will see some things about Challenge-Response protocols and how they work.

CHALLENGE-RESPONSE PROTOCOLS

    

    In computer systems security, a challenge-response protocol is a family of protocols in which there are two sides. The first side (server) presents a challenge and the other side (user-client) produces a valid response to that challenge. The general idea here is that it's not enough for the user to know his username and password in order to access his account. He needs to answer correctly to a presented question in addition as a second step of verification. Only then the system knows who he really is and grants him access to his personal account. Otherwise access will be denied. 

    In our situation, each time a user tries to access our website, a challenge will be presented to him and he'll be using his android smartphone in order to produce the correct answer. He will then insert that response to the website and he will gain access to his account. Otherwise access will be denied to him. This challenge will be calculated on the server side and the response is going to be calculated accordingly from the application that we will make. Furthermore, that challenge is going to be presented as a QR code to the user's screen because QR codes can only be scanned by smartphones. So it will be impossible for a hacker to see the challenge on the user's screen and read it. In addition, the challenge each time the user tries to authenticate will be different so the response is going to be different as well and by doing this we increase security.

    So now we can explain the database columns. In the first one (ID) we store a value for each member of the website. The second one (Username) stores all chosen usernames of all members and the third (Password) is a hashed representation of a user's chosen password. The valid response is pre calculated on the server side and it is then compared to the answer given by the user. If we have a match, then the user gains access to his account. The SKEY column is a Secret Key which is calculated during the registration of a new member. I will explain later how the values under this column are calculated.

    In our next session we will see how the application is implemented, how it actually works, what it does and how it calculates a valid response to a challenge during the registration and login procedure of a user.