AeroGear and OTP
If you happen to use online banking systems, certainly you will have come across small security devices that provide you with an extra password during your login process. That is, in addition to your standard username/password combination, you are asked to provide an extra password, the so called "One Time Password" (OTP). That has two effects a) the bank can verify that you are the actual person making the transaction because of the possession of this device that only you can have, the so called possession factor in the two-factor authentication system and b) prevents replay attacks cause the password is only valid for a limited amount of time. This generation of the OTP password can either be done using a hardware device (hardware token) as we described earlier or with the help of a mobile application running on a smartphone (software token).
In general, there are two approaches to OTP generation, either Mathematical-algorithm-based or Time-synchronized. The former, as the name suggests uses a complex mathematical algorithm, typically a cryptographic hash function in a hash chain mode, together with a secret key to generate the password. The latter, takes also into consideration the time, which causes the password to change constantly over a period of time e.g. once per minute, greatly enhancing security. One example of such approach is the "Time Based One Time Password" (TOTP).
So how OTP is related to the AeroGear project? Well recently, with the amazing work of my fellow developer abstractj, library implementations for both Android and iOS (and soon JS) of the OTP standard were introduced to the project. Currently they support only TOTP with SHA1 but work is in progress to add additional support for the other standard OTP algorithm, the event-based HOTP, together with more cryptographic hash functions support SHA-256/512.
So how do you use it?
First, a shared secret needs to be obtained that will be used for the calculation of TOTP. Here we use a static string for the purpose of the tutorial and in our demo we transfer it from the network. In practice, a QRCode encoded image of the secret should be used, so the secret should not travel across the network! In the future we will use encoded images for it.
Here is a snippet of code in the iOS land
// our secret key
NSString *secret = @"B2374TNIQ3HKC446"
// initialize OTP
AGTotp *generator = [[AGTotp alloc] initWithSecret:[AGBase32 base32Decode:secret]];
// generate token
NSString *totp = [generator generateOTP];
Here is a snippet of code in the Android land:
// our secret key
String secret = "B2374TNIQ3HKC446";
// initialize OTP
Totp generator = new Totp(secret);
// generate token
String totp = generator.now();
In both cases variable "totp" now holds our token which can be send to the remote authentication server to validate.
Note that transmitting shared secrets across the network is not recommended,
Worth noticing is that the Java implementation has the verifier component also implemented so if you back-end is Java you can also use the implementation in your server-side back-end to verify totp tokens.
If you are an iOS developer, you can find the library already in the coccoapods. Further a demo application has been created that demos the library in action so I suggest you have a look.
If you are an Android developer, you can find the library already in maven. Just include it in your project.
<dependency>
<groupId>org.jboss.aerogear</groupId>
<artifactId>aerogear-otp-java</artifactId>
<version>1.0.0.M1</version>
<scope>compile</scope>
</dependency>
For more in-depth information about OTP and AeroGear, I suggest you to look at the official documentation page on the AeroGear web site here. The page includes nice diagrams showing the flow of the authentication process and will help you to better understand the concept.
So go ahead and give them a try. We will love your feedback and suggestions!
Enjoy!
ok great, I've updated the gist