Thursday, December 20, 2012

AeroGear and OTP

If you happen to use online banking systems, certainly you will have come across small security devices that provide you with an extra password during your login process. That is, in addition to your standard username/password combination, you are asked to provide an extra password, the so called "One Time Password" (OTP).  That has two effects a) the bank can verify that you are the actual person making the transaction because of the possession of this device that only you can have, the so called possession factor in the two-factor authentication system and b) prevents replay attacks cause the password is only valid for a limited amount of time. This generation of the OTP password can either be done using a hardware device (hardware token) as we described earlier, or with the help of a mobile application running on a smartphone (software token).

In general, there are two approaches to OTP generation, either Mathematical-algorithm-based or Time-synchronized. The former, as the name suggests uses a complex mathematical algorithm, typically a cryptographic hash function in a hash chain mode, together with a secret key to generate the password.  The latter, takes also into consideration the time, which causes the password to change constantly over a period of time e.g. once per minute, greatly enhancing security. On example of such approach is the Time Based One Time Password (TOTP).

So how OTP is related to the AeroGear project? Well recently, with the amazing work of my fellow developer abstractj, library implementations for both iOS and Android (and soon Javascript) of the OTP standard were introduced to the project. Currently they support only TOTP with SHA1 but work is in progress to add additional support for the other standard OTP algorithm, the event-based HOTP, together with more cryptographic hash functions support SHA-256/512.

So how do you use it?

First, a shared secret needs to be obtained that will be used for the calculation of TOTP. Here we use a static string for the purpose of the tutorial and in our demo we transfer it from the network. In practice, a QRCode encoded image of the secret should be used, so the secret should not travel across the network! In the future we will use encoded images for it.

Here is a snippet of code in the iOS land:
 // the secret key
 NSString *secret = @"B2374TNIQ3HKC446";   
 // initialize OTP  
 AGTotp *generator = [[AGTotp alloc] initWithSecret:[AGBase32 base32Decode:secret]];                       
 // generate token  
 NSString *totp = [generator generateOTP];  

Here is a snippet of code in the Android land:
 // the secret key  
 String secret = "B2374TNIQ3HKC446";
 // initialize OTP  
 Totp generator = new Totp(secret);
 // generate token  
 String totp =;  

In both cases variable "totp" now holds our token which can be send to the remote authentication server to validate.

Worth noticing is that the Java implementation has the verifier component also implemented, so if you back-end is Java, you can also use the implementation in your server-side back-end to verify totp tokens.

If you are an iOS developer, you can find the library already in the coccoapods. Further a demo application has been created that demos the library in action, so I suggest you have a look. You can find it here.

If you are an Android developer, you can find the library already in maven. Just include it in your project.
For more in-depth information about OTP and AeroGear, I suggest you to look at the official documentation page on the AeroGear web site here. The page includes nice diagrams showing the flow of the authentication process and will help you to better understand the concept.

So go ahead and give them a try. We will love your feedback and suggestions!


Tuesday, December 18, 2012

Long Live Open Source!

It has bean a long time since I've last updated this blog. Now that this year will soon come to an end (hopefully the year and not the world!), I want to post a small update of all the things that happened to me this year.

My friends know already the passion I share for JBoss technologies for a long time. Since September, I was given the life opportunity to work for the open source company I love most. In the true OSS spirit, it all started from an open source project of mine. If you follow JBoss development closely, probably you have heard about JBoss Admin, an iOS application that will allow you to remotely manage a JBoss 7 application server.  After announcing it in the development forum, I immediately got an interest from the developers and I was offered the chance to work together.

And here I am. For the past three months, I have been working with an extremely talented group of people, building amazing new technologies that will shake (in a true JBoss spirit!), the land in the mobile space.

My small advice to you. Find an open source project that you love and care, get involved with the community, find areas of work to contribute, spread your passion!. You never know where it can take you..