开发者

How do mobile authenticators work

问答 作者:

I was wondering how mobile authenticators work (like Battl开发者_如何学Goe.net, rift, some banks have one, etc.), so I can make one for my own site (just for fun).

I understand the basics: authenticator has code related to the phone and code related to the website. Users enters the phone code on the website. Can then generate a token related (using the phone and website code).

I'm just wondering how the tokens are created. Is there a standard algorithm for this? How does the algorithm work? Any existing PHP libraries that can do something like this (as an example)?

Have a look at Google Authenticator. There are already iPhone, Android and Blackberry apps for that and it's an established protocol.

They have implemented it as an open-source PAM module which you may be able to use with the PECL PAM package.

There is a pure PHP version but I haven't used that so can't vouch for it.

The spec isn't that complex so you could probably implement it yourself, especially if you converted the C module. The specification linked there explains its working in full detail.

Edit: I guess to answer the original question, that's an RFC, so it's somewhat standardised, and it's a fully open specification and the tools to use it are fully open-source. The protocols are known as HOTP and TOTP. The former is HMAC based on a counter (so the nth password is used) whereas the latter is time-based (so the password cycles every 30 seconds).

Concerning the Blizzad Battle.Net authenticator, you can find an open source implementation in PHP : https://github.com/krtek4/php-bma

The implementation is used to provide a online authentication service for Battle.Net : https://authenticator.me

If you want to do something like it for your website, it's pretty simple. The only thing to share between the server and client part are the secret generated by the server. So when a client is requesting for a new secret, just store it and you will be able to compute the code at any moment to compare with what is sent to you.

I implemented this once. I use a 4 digit key with a subset of characters (notice that potentially confusing characters like 0oO and l1L are removed. I used 4 characters because the potential space of 4 digits from the characters set was larger than the 6 digits of an RSA key.

Anyway, I let the user log in with their username and password. If that is correct, generate a key and send it to the phone and save it in the session and show the user the next page, which requires the key be entered. The user gets the 4 digit key from their phone and enters it into the page. Then check what they entered against the session-saved key and there you go.

Some handy features to have: make the key expire after a few minutes, but long enough that text message delays don't make it impossible. Make it expire after a few bad tries. Give the users a link to resend the key or to send a new key.

//pick a random 4 digit string
$chars = "abcdefghjkrstwxyzABCDEFGHJKRSTWXYZ23456789";
$key = "";
for($i=0;$i<4;$i++){
    //here, rand is used, but any generator could be used
    //to choose the characters.
    $key .= $chars[rand(0,strlen($chars)-1)];
}
//save it to the session
$_SESSION['test']['KEY'] = $key;

If it were me I'd go with generating a hash based on the previously used hash and a common nonce, the tricky bit would be keeping the two systems in sync. e.g.

<?php

class otp {
   var $salt;
   var $previous_hash;
   var $user_id;

   function __construct($user_id)
   {
      $this->user_id=$user_id;
      list($this->$salt, $this->$previous_hash)
          =unserialize(file_get_contents(BASE_PATH . $user_id));
   }
   function authenticate($submitted_otp)
   {
      if (!$this->salt) {
          // user does not exist
          return false;
      }
      $new_hash=$this->previous_hash;
      // allow for the sequence to get out of sync by 5 steps....
      for ($x=0; $x<5; $x++) {
          $new_hash=md5($this->salt, $new_hash);
          if ($new_hash===$submitted_otp) {
              $this->update_token($new_hash);
              return true;
          }
      }
      // none of the next N iterations of the local password match
      return false;
   }
   function create_user($user_id, $salt, $init_hash)
   {
      return file_put_contents(BASE_PATH . $user_id, array($salt, $init_hash));
   }
   function update_token($new_hash)
   {
       file_put_contents(BASE_PATH . $user_id, array($this->salt, $new_hash));
   }
}

Of course, in practice you probably wouldn't want to use a whole 32 char md5 hash (just, say, the first 6 characters, and applying cleansing such as changing 'S' to '5' etc).

继续阅读:authenticationmobilephpsecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9