Providing Awareness about Innovative Lesson Syllabus Implemented in Cyber Security Technologies in Information Technologies
London 25th MAY 2018
BUCKINGHAMSHIRE NEW UNIVERSITY
Autor: Gabriel Piñero (Telefonica – Cybersecurity Expert)
Introduction to 2FA
TOTP is used to protect digital identity with a second factor authentication in a service (Gmail, Dropbox, Paypal and many more) and gives us an alternative way to check digital identity.
In this way we have:
First factor: based on something we know – that is user and password of the account.
and a second factor: based on something we have, that is the token generated by TOTP application in the mobile phone (or text message).
If we want to protect our Gmail account and someone steals your password, the hacker will not be able to access your mail if we have activated the second factor authentication.
The hacker has a username and password but does not have the mobile phone to pass the second factor authentication.
TOTP as its name indicates is used to generate tokens, codes, passwords (…or whatever you want to call it) that are valid for a short time.
This codes are generated using an algorithm that computes a one-time password from a shared secret key and the current time
This algorithm is HMAC type that is based on using a hash function and a shared secret.
In the case of TOTP, it is HMAC-SHA1 (by default)
This way of generating the codes using hash (SHA1) and timestamp has been adopted as a standard IETF six two three eight.
Because the hash uses the timestamp the time is important and the NTP protocol is generally used to synchronize this time.
With the timestamp we add security to the code since it can not be remembered by the user (because it changes over time) and if it is stolen it will not be valid either.
Time is counted in what is called UNIX epoch time that measures the seconds elapsed since January 1, 1970
There are many applications to generate TOTP codes that meet the standard:
- Google Authenticator
These applications are based on the IETF standard to generate the codes that will allow us to validate the second factor authentication.
The applications is not linked to the service (This is important)
For example you can use Authy to generate codes to Gmail account second factor authentication.
Any application based on the standard is valid to generate TOTP codes
HOW TOTP Works?
Normally the configuration of two factor authentication is really simple
The service presents a QR code that is scanned with the mobile app and stored in the device.
The application understands this type of URI (OTP Auth)
Basically the application keeps a secret:
the name of the service:
and the user:
(It is also possible to configure other values such as the time window which by default is 30 seconds or the hash algorithm).
It may seem that there is communication between the service and the application to validate the codes but this is not true.
This QR code is the only thing they share and they follow the standard to generate the codes
As you can see in the image Gmail and Google authenticator do not need to communicate to know that the code is valid.
This is the really interesting thing the application generates the codes autonomously, it can work offline, and it doesn’t need internet connection
Last, If the code calculated by the application and the code calculated by the service are equals it permit access, is really simple.
As we can see in this example the code changes every 30 seconds (the default value)
POC – Python script
As proof of how TOTP works, we show below a code written in Python.
There are many libraries, not only in python, there are libraries for .NET, C, Java, PHP and other programming languages, it’s just an example
In the example we will use two libraries.
PyOTP to generate the codes and validate them.
PyQrCode to generate the QR code that the application understands to configure the service.
import pyotp import pyqrcode print ("--- Testing TOTP with python libraries \n\n") print ('Generating OTPAuth QR Code in file otpauth_qr.png (scan it with your app)') random_n = pyotp.random_base32() totp = pyotp.TOTP(random_n) qr = totp.provisioning_uri("firstname.lastname@example.org", issuer_name="TEST TOTP Python") url = pyqrcode.create(qr) big_code = pyqrcode.create(qr, error='L', version=27, mode='binary') big_code.png('otpauth_qr.png', scale=6, module_color=[0, 0, 0, 128], background=[0xff, 0xff, 0xcc]) print ('-- Test TOTP code -- \n') loop=True while loop: print ('TOTP code now is: '+ totp.now()) totp_input = input("Input the app code (0 - to exit):") if totp.verify(str(totp_input)): print ('\n ## OK your code is valid !!!'+str(totp_input)) else: print ('\n WRONG code, not is '+str(totp_input)) if totp_input==0: print "Bye..." loop=False
Ok, its demo time
In the next video that we will see now, we checks how the python code generates a shared secret and write it using OTP Auth in a QR code.
Later we will open the image with the QR code and read it with a mobile application (Google Authenticator)
A new service will be added and we will check how the codes generated are valid
This is basically how a service like Gmail does when activating double factor authentication and how check it.