-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello,
my GSOC project for Debian is extending oath-toolkit and dynalogin to enable authentication via challenge-response based One Time Pad mechanisms. The two mechanisms I selected are OCRA (by the Open Authentication Foundation, which also designed the HOTP and TOTP specifications) and CROTP (which is an extension of SASL). To familiarize myself with the codebases of oath-toolkit and dynalogin I started this week by getting rid of some code duplication in the library functions for validating TOTP tokens. Generating or validating a time-based TOTP value is done by calculating a counter value based on a timestamp, an offset and a time step size. This counter value is then used to calculate a OTP value with the HOTP algorithm. liboath already provided API functions for validating TOTP values, one of which also returned the position within a specified window (i.e., not only the TOTP for the current timestamp, but also for +- x time steps is accepted as valid). An application which uses HOTP or TOTP for authentication is supposed to keep track of the OTPs already used (to prevent replay attacks). This is done by storing the last used counter value. For HOTP, this is easy, as the counter is controlled by the application (the server side is required to increment the counter iff it accepts an OTP value, the client side is required to increment it everytime it generates a OTP value). Since TOTP is time-based, this is not as easy. The counter is calculated by liboath during generation/validation, and is based on the timestamp and the two paramaters time step and offset. Prior to my changes, the only way to get the counter value inside an application using liboath was to calculate it twice - once inside the application (e.g., dynalogin) and once inside liboath. I extended liboath's API to include another set of validation methods for TOTP which include a new parameter for storing the counter value. By also accepting NULL values (for not storing the counter value) I could simply move the code from the old API methods (which are now just wrappers) to the newly introduced methods and extend it. I also extended the TOTP validation test cases to test the new API methods and documented my changes. The changes to liboath/oath-toolkit will be part of the next stable release (2.2.0) and have already been shared with upstream (i.e., one of the pkg-auth-maintainers). I removed the now unnecessary duplicated code from libdynalogin and replaced it with calls to the new methods. This change has already been sent upstream (to my mentor) via a pull request. I started writing stubs for a future liboath API for generating and validating OCRA values, but these changes have not been committed yet. Next week, I would like to finish an initial version of this API (including tests) to get feedback from my mentor(s) and be able to start working on other parts of the code base using this API the week after that (oathtool, liboath's PAM module and dynalogin). Kind Regards, Fabian p.s. I track my projects on github, you can find the branch with updated liboath TOTP validation API here: https://github.com/Fabian-Gruenbichler/oath-toolkit/tree/expand-totp-api and my dynalogin fork here: https://github.com/Fabian-Gruenbichler/dynalogin . -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iQIcBAEBAgAGBQJRxFwnAAoJEK4xK/RwikTnrYYP/jeuYtQ/qBLywsEVyWWtgWfD 5ep3Zwd4TblXd89DPBuO0u51ZFZem7YhxoNxPY8y2ovwAXCInDVCfrHcM7Z1GhUL H5C7FxG1UJkBX2kxSKFRNYaNdBXvBblzd8Wh3eFz6Y25vi0b/5Axj5XN1asyFBwu sXeHGxg8t0LJNxrJUrISKUF5IUjtYIs3gzDQ88s6p33QYhlkqo1KXJkpI4TAKdnO zsZ5lgKOMazKWjuymou/hcrjURPdFb1ZZAjco2HWLufGgH3fhOOwRR97/sNF0rwr V9jB+ERQxe7dmW0wMhX0gMhnwnLR5eEdLBnhhHp4GSpYzsr9kgNFyrKVU+Yxdtf3 GK21lq703D9ByWZ5rWUJLK4a5Lt/LgZHOAye3ytK3KWjor9zUxCJwSU0T+5BGzEj G3YTWmPq0X6lzvGSU+3B2tT/88oS3To/Nbdilc4Q7XKZV9s6E3Wp05W6BXhpecB0 QGrbSbSKRYAjEKA91fSkKOHy0lJKYDSE+v0/0MPIwL13h2T7GZYsQ5lPyZ9Q/AKj dKop171xadx5yi5iFHyl2/w6iQhgGwEf/9WsaVPD5o6WxxGqq077JpvMNte3eldH wNrzkkxzrKwGZlpmPuNRFjEBi7vjAc7aZwWzyVtFuZ66M2osmcqesCNSc+1/oUPZ eaBrnAwl51eQU7Njd7CJ =K/b2 -----END PGP SIGNATURE----- _______________________________________________ Soc-coordination mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/soc-coordination
