In the previous sessions we discussed the state of internet security today and the fact that most internet users are unaware of the dangers that arise each time they store sensitive data in their online accounts. We also introduced a second authentication method, two-factor authentication, as a way of making user authentication stronger and keeping attackers out of user accounts even when the password has leaked. In this topic we will discuss how to use smartphones as security tokens in order to implement two-factor authentication. For this purpose a mobile application has to be written from scratch, and we will also need a website and a database in order to show how the procedure works.
The choice of an Android mobile application is not by chance. Google lets developers from all over the world, no matter how young or old, publish their own applications on the Google Play market. Since every tool we need is available for free, we can easily create an Android application that does exactly what was discussed in the previous session. Google also makes it easy for developers to publish their applications on the market. That is why this OS was chosen. We will be using Eclipse as the tool for developing our application.
We don't need anything more than a simple website to show how the application works. We created a simple registration and login form in order to illustrate what a user does each time he creates an account on a website. This website could be anything, from online banking to social networking sites such as Facebook, Twitter etc. We will be using Dreamweaver for the website and XAMPP, with phpMyAdmin, to create the database for this example. The database table that we will create has five columns: ID, Username, Password, Response and SecretKey, as shown in the figure below.
figure 1.
I will explain what each column represents shortly. First we will look at challenge-response protocols and how they work.
CHALLENGE-RESPONSE PROTOCOLS
In computer security, a challenge-response protocol is a family of protocols with two sides: the first side (the server) presents a challenge, and the other side (the user, or client) produces a valid response to that challenge. The general idea is that it is not enough for the user to know his username and password in order to access his account; he also has to answer a presented question correctly as a second verification step. Only then does the system know who he really is and grant him access to his personal account. Otherwise access is denied.
In our situation, each time a user tries to log in to our website, a challenge is presented to him and he uses his Android smartphone to produce the correct answer. He then types that response into the website and gains access to his account; otherwise access is denied. The challenge is generated on the server side, and the response is computed from it by the application we will build. The challenge is displayed on the user's screen as a QR code so that the phone can read it with its camera instead of the user typing it in by hand. Note that a QR code is a convenience, not a secret: anyone who can see the screen can scan it, so the security of the scheme rests on the secret key held by the phone and the server, not on hiding the challenge. In addition, the challenge is different each time the user tries to authenticate, so the response is different as well; an attacker who observes one response cannot replay it for a later login, and this is what increases security.
Now we can explain the database columns. The first one (ID) stores a number identifying each member of the website. The second (Username) stores each member's chosen username, and the third (Password) stores a hashed representation of the user's chosen password, never the password itself. The fourth (Response) holds the valid response to the current challenge: it is precomputed on the server side and then compared to the answer given by the user. If they match, the user gains access to his account. The fifth (SecretKey) holds a secret key that is generated during the registration of a new member. I will explain later how the values in this column are calculated.
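To make the two login steps concrete, here is an added Python example of the server side of the scheme. It is my own illustration, not the post's PHP code or its Android app: a table with the five columns above, registration that stores a salted password hash and a fresh SecretKey, and a login that issues a random one-time challenge, precomputes its Response, and checks the user's answer with a constant-time comparison before clearing it so it cannot be replayed. The response function (HMAC-SHA256 of the challenge under the SecretKey, truncated to eight hex digits so it can be typed) is an assumption for this example; the post has not yet said how the real application computes it. sqlite3 stands in for the MySQL database created in phpMyAdmin.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Assumed for this example only: the answer the user types is the first
# RESPONSE_DIGITS hex characters of HMAC-SHA256(SecretKey, challenge).
RESPONSE_DIGITS = 8


def open_db():
    """In-memory stand-in for the five-column table shown in figure 1."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        "ID INTEGER PRIMARY KEY AUTOINCREMENT, "
        "Username TEXT UNIQUE NOT NULL, "
        "Password TEXT NOT NULL, "   # salted password hash, never the plaintext
        "Response TEXT, "            # precomputed answer to the pending challenge
        "SecretKey TEXT NOT NULL)"   # shared with the phone at registration
    )
    return db


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random 16-byte salt, stored as salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(stored, hash_password(password, bytes.fromhex(salt_hex)))


def compute_response(secret_key_hex, challenge):
    """What the phone app computes after scanning the challenge; the server
    runs the same function to precompute the expected Response."""
    mac = hmac.new(bytes.fromhex(secret_key_hex), challenge.encode(), hashlib.sha256)
    return mac.hexdigest()[:RESPONSE_DIGITS]


def register(db, username, password):
    """Registration: store the password hash and a fresh random SecretKey.
    The key is returned so it can be provisioned to the phone."""
    secret_key = secrets.token_hex(20)
    db.execute("INSERT INTO users (Username, Password, SecretKey) VALUES (?, ?, ?)",
               (username, hash_password(password), secret_key))
    return secret_key


def issue_challenge(db, username, password):
    """Login step 1: check the password, then create a one-time random
    challenge, precompute its Response and return the challenge text that
    the website would render as a QR code. Returns None on a bad password."""
    row = db.execute("SELECT Password, SecretKey FROM users WHERE Username = ?",
                     (username,)).fetchone()
    if row is None or not verify_password(row[0], password):
        return None
    challenge = secrets.token_hex(16)   # fresh for every attempt, never reused
    db.execute("UPDATE users SET Response = ? WHERE Username = ?",
               (compute_response(row[1], challenge), username))
    return challenge


def verify_response(db, username, response):
    """Login step 2: compare the typed answer with the precomputed Response
    in constant time, then clear it so the same answer cannot be replayed
    and so a failed attempt does not keep the challenge alive."""
    row = db.execute("SELECT Response FROM users WHERE Username = ?",
                     (username,)).fetchone()
    if row is None or row[0] is None or not response.isascii():
        return False
    ok = hmac.compare_digest(row[0], response)
    db.execute("UPDATE users SET Response = NULL WHERE Username = ?", (username,))
    return ok


def demo():
    """Full run: register, log in with the phone's answer, then try to replay it."""
    db = open_db()
    key = register(db, "alice", "correct horse")      # key goes to the phone
    challenge = issue_challenge(db, "alice", "correct horse")
    phone_answer = compute_response(key, challenge)   # computed on the phone
    first = verify_response(db, "alice", phone_answer)
    replay = verify_response(db, "alice", phone_answer)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

Two details matter for the real deployment: the Response column must be cleared (or expire) after a single use, otherwise a captured answer works again, and the comparison must be constant-time so the 8-digit answer cannot be guessed one character at a time. Rate limiting on the response step is also needed, since a short typed code has a small search space.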
In our next session we will see how the application is implemented, how it actually works, what it does, and how it calculates a valid response to a challenge during the registration and login procedures of a user.