Project notebook
Prelim Report Stage
17th February
Read Who Goes There? Authentication Through the Lens of Privacy.
The report raises some interesting points about authentication and the implications authentication has for privacy.
'inherent tension between authentication and privacy, because the act of authentication involves some disclosure and confirmation of personal information'
'usability is a significant concern when determining how authentication systems should be deployed and used in practice. Such systems will fail if they do not
incorporate knowledge of human strengths and limitations. User-centered design methods should be integral to the development of authentication schemes and privacy policies.'
'in designing or choosing an authentication system one should begin by articulating a threat model in order to make intelligent choices among competing technologies, policies and management strategies.
The threat model should encompass all of the threats applicable to the system.'
Ideas - authentication system
Create a hardware token similar to an RSA SecurID token. Could use an Arduino microcontroller.
The OTP generated by the token would be used to log in to a website. The best application for OTPs is protecting logins over a network, since a password captured by an eavesdropper cannot be reused.
Is it possible to achieve a two-way authentication system using OTP?
Generation of OTP
Could use some unique information about the user (userID) and pass it through multiple applications of a secure hash function to produce an OTP. On each use the number of applications is reduced by one. Thus
a unique sequence of passwords is generated (similar to Leslie Lamport's technique).
18th February
When comparing OTP to other authentication methods, the following could be compared:
Security, advantages and disadvantages
Usability, (human factor)
Privacy
Idea - Authentication System
All Software Based
1. Users Register to Site
2. Site Displays Unique Code for user
3. Download Software OTP generator
4. User Enters Unique Code Displayed by site
Users dispose of the unique code forever (very important to stop replication of the user's OTP generator)
Generator will now start generating an OTP every time the program is started (requires no more user input)
5. Users now authenticate themselves with the site using their username and OTP
6. Invited to take Online Survey.
23rd February
Key Generation
Several methods already exist for the generation of OTP; these include Lamport, Time Synchronization and Challenge/Response.
I'm considering a Time Synchronization method for the generation of my OTP at the moment.
Also found several interesting reports in IEEE Xplore that discuss OTP.
26th February
Key Generation
random seed
The random seed used in the generation of the key will be produced using a pre-defined function, UUID().
A UUID is a 16-byte (128-bit) number, so the number of theoretically possible UUIDs is about 3x10 to the 38.
The function exists in Java, MySQL and PHP.
OTP generation
Two methods: a variation on S/Key using the UUID as the secret key, or a method using time synchronisation.
Java Application Development
8th March
Design and development of the Java OTP generator started. Will post details shortly.
At this stage six modules have been identified that will allow the complete system to be modeled, these are:
UUID Generator
MD5 Hash Generator
Hash Chain Generator
GUI Interface
Database Connectivity
Main Class
More modules may be added/removed as development of the application continues.
UML diagrams will be uploaded shortly detailing the interaction between these objects.
13th March
The first class that was developed handles the generation of the UUID. The UUID is generated using a built-in function that is available in one of the Java libraries.
UUID Class
The UUID is essential in the generation of the MD5 hashes.
Code for UUID generation:
Hash Generator Class
The generation of MD5 hashes is essential in the creation of the One Time Passwords.
Java provides a built-in class for creating MD5 hashes; I simply need to create an object of this class and access the functions available in that class.
I developed my code by adapting some code from
http://snippets.dzone.com/posts/show/3686
As you can see from the code above, this function takes in a string variable; this will be the UUID generated by the UUID class.
I encountered some problems when creating this class. As I adapted code I found on the internet, there was a problem with the MD5 generation: if the
MD5 hash started with 0 or 00 then these leading zeros were truncated.
I added lines 19 to 29 to correct this problem.
14th March 2010
Hash Chain
The hash chain class is responsible for using the hash generator class to produce a series of MD5 hashes that form a hash chain. This hash chain forms the basis of the OTP system. I tested the theory behind the S/Key system before creating the hash chain class so I had a better idea of how to code it.
To test the theory of an S/Key system I used the UUID and hash_generator classes to create 10 MD5 hashes, reversed the order in a text file, then ran through the process of validating the user's OTP. See below:
My implementation of the hash_chain class is shown below. Within this class I create an object of the hash_generator class and keep passing it the different hashes, see below:
15th March 2010
Main Class
The main method for the OTP Generator is in a class called OTP_Generator. This class creates and controls objects and handles the passing of variables between objects.
The first version of this class was text based returning all output to the console.
16th March 2010
GUI Class
With the basic functionality of the system working I created a class to make a GUI.
This creates a GUI as shown below:
17th March 2010
Originally the OTP Generator was going to connect to the SQL database to send the first element of the hash chain to the server. However, it was decided that having the SQL connection details hardcoded into the application was too risky.
18th March 2010
To solve the problem of having no SQL connection in the OTP Generator, I decided to make the application display the first OTP as an 'Activation Key' that the user needs to enter into the website during registration. The OTP stored by the server can then be updated by the website upon each successful authentication attempt by the user.
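The S/Key test described on 14th March and the activation-key flow above, as an added example that is not the notebook's own classes: it assumes the seed comes from java.util.UUID.randomUUID(), keeps MD5 because that is what the notebook uses, and the class and method names are my own.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.UUID;

// Added example, not the notebook's own classes: an S/Key-style MD5 hash chain
// seeded from a UUID, with the server-side check the website would perform.
public class HashChainOtpDemo {
    // MD5 as a 32-character hex string. "%032x" keeps leading zeros, so a digest
    // whose first byte is 0x00 is not shortened (the truncation problem noted above).
    static String md5Hex(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5")
                    .digest(input.getBytes(StandardCharsets.UTF_8));
            return String.format("%032x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
    // chain[0] = md5(seed), chain[i] = md5(chain[i-1]).
    static String[] buildChain(String seed, int length) {
        String[] chain = new String[length];
        String current = seed;
        for (int i = 0; i < length; i++) {
            current = md5Hex(current);
            chain[i] = current;
        }
        return chain;
    }
    // Server side: serverStore[0] holds the last accepted value (initially the activation
    // key, the final chain element). A candidate is valid only if hashing it once
    // reproduces the stored value; on success the candidate replaces it.
    static boolean verifyAndUpdate(String[] serverStore, String candidate) {
        if (!md5Hex(candidate).equals(serverStore[0])) return false;
        serverStore[0] = candidate;
        return true;
    }
    public static void main(String[] args) {
        String seed = UUID.randomUUID().toString();  // random 128-bit seed
        String[] chain = buildChain(seed, 10);
        String[] serverStore = { chain[9] };         // activation key entered at registration
        // The generator hands out the chain in reverse: chain[8], chain[7], ..., chain[0].
        for (int i = 8; i >= 0; i--) {
            System.out.println(chain[i] + " accepted: " + verifyAndUpdate(serverStore, chain[i]));
        }
        // Replaying the last OTP fails: md5(chain[0]) is chain[1], not chain[0].
        System.out.println("replay accepted: " + verifyAndUpdate(serverStore, chain[0]));
    }
}
```

Once chain[0] has been used the chain is exhausted and the user must register a new activation key, which is why the generator only needs the seed and a counter.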
19th - 21st March 2010
These days were spent developing and improving the main class in the Java application, OTP_Generator. The code for this class is shown below:
This class is responsible for binding all the other classes together.
Website Development
22nd March 2010
A website is needed to be used in conjunction with the OTP Generator to allow the user to log in to a system using an OTP.
I have identified 6 pages for the site:
1. Home
2. Register
3. Logon
4. Survey
5. Download
6. Help
An SQL database will also be needed to store the users' standard logon details and the server OTP used for authentication.
23rd March 2010
To speed up development of the website I decided to adapt a free template. I found a suitable template on ww.interspire.com/templates - free template 329.
This template is free for public use without having to note the creators on the site or within the code.
I kept the basic layout of the site, removing all pictures and adding my own links.
Two pages will require server-side code to communicate with the SQL database: the registration and logon pages. I will be using PHP as the server-side language because it works nicely with
MySQL and is a language that I am familiar with.
Registration Page - HTML
PHP code for register button:
24th March 2010
Standard Logon Page
This is the page where the users enter their username and password they setup during registration:
PHP code for submit button on standard Login page:
OTP Login
The user is taken to the OTP login page if their username and password match an entry in the database:
PHP code for submit button on OTP page:
Survey Questions
25th, 26th and 27th March 2010
My research question is: is it the added inconvenience and complexity of One Time Passwords that prevents them from being accepted by the common internet user?
This question is concerned with usability and can be broken down into two sections, 'inconvenience' and 'complexity'.
My survey questions will be targeted at these two sections.
The first survey section is about the user, finding out if they are technical or non-technical and if they use online banking.
The second section is about ease of use of the OTP system.
The third section is to find out the convenience of the system.
The fourth and final section is comparing the system to existing authentication methods.
22nd April 2010
The past two weeks have been spent surveying, getting as many people as possible to do it.
E-mail sent to people at placement company.
Group created on Facebook and invites sent out.
Spoken to Sarah Avision from Portsmouth Uni; will be having an article posted on the uni lookup page soon.