TOTP – Time based One Time Password
Digital Identity – Two factor authentication
- Proof of concept -
Gabriel Piñero Gonzalez
Security administrator
https://www.linkedin.com/in/gpinero/
Murcia Healthcare Service
About me
Network security specialist, now working with a lot of Cisco technologies: Cisco Prime and Cisco ISE, focused on network security.
Cisco CCNP
Working with Fortigate FW devices (Next Generation Firewalls) in a healthcare environment.
Fortinet NSE-4, NSE-5
Cisco CCNA Security: covers installation, troubleshooting and monitoring of network devices to maintain integrity, confidentiality and availability.
Certified Ethical Hacker: certifies individuals in the specific network security discipline of ethical hacking from a vendor-neutral perspective.
TOTP
What is this?
Two factor authentication (2FA)
First factor - user and password
Second factor - TOTP code generated with the app
TOTP is used to introduce a second authentication factor.
For example: someone steals the password of your Gmail account. The hacker will still not be able to access your mail if you have activated second factor authentication.
TOTP … a more technical introduction
Time based One Time Password
Importance of TIME
• A shared static token is not safe: the user could memorize it.
• MitM attacks are very effective at stealing a static token.
With the time window, the token changes every 30 seconds.
NTP is used to synchronize the time.
TOTP uses UNIX epoch time (seconds since 1 January 1970) as its time scale.
Code calculation
• Password valid only for a short time
• Use HOTP + time window
• Cryptographic hash function HMAC-SHA1 over the shared secret and the timestamp (rounded down to the current 30-second time step).
Standard described in RFC 6238
https://www.ietf.org/rfc/rfc6238.txt
TOTP applications
The application is independent of the service because both follow the same standard.
TOTP – Time based One Time Password
How does it work?
otpauth://totp/2step-test:user@gmail.com?secret=JBSWY3DPEHPK3PXP&issuer=2step-test
An otpauth URI (carried in the QR code) is used by the application to configure the service: it holds the secret, the issuer and the account name.
RFC 6238 is used to generate the codes with HMAC-SHA1.
No communication between the app and the service (only once, through the QR code).
The code changes every 30 seconds (by default).
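The code calculation from the "more technical introduction" slide and the otpauth configuration from this slide, as an added example that is not part of the original presentation and not the author's totp-python script: a standard-library Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 and dynamic truncation, a parser for the otpauth URI shown above, and the server-side check that a service such as Gmail performs, tolerating one time step of clock drift and refusing a time step that was already accepted so an observed code cannot be replayed inside the drift window. The URI and the secret JBSWY3DPEHPK3PXP are the slide's constructed test values; the 20-byte ASCII seed and the expected codes in the comments are the RFC test vectors. Function names (parse_otpauth, hotp, totp, verify_totp) are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Provisioning URI from the slide (constructed test secret, not a real account).
SLIDE_URI = ("otpauth://totp/2step-test:user@gmail.com"
             "?secret=JBSWY3DPEHPK3PXP&issuer=2step-test")

# 20-byte ASCII seed used by the RFC 4226 / RFC 6238 test vectors.
RFC_SEED = b"12345678901234567890"


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into the fields the authenticator stores.

    Defaults follow RFC 6238 and common authenticator behaviour: SHA1,
    6 digits, 30-second period. The secret is base32, usually unpadded.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    label = unquote(parts.path.lstrip("/"))
    # Label is "issuer:account"; an explicit issuer parameter takes precedence.
    prefix, _, account = label.rpartition(":")
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)          # restore the padding b32decode expects
    return {
        "issuer": params.get("issuer", prefix or None),
        "account": account,
        "secret": base64.b32decode(b32),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret, for_time=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // period, digits, algorithm)


def verify_totp(secret, code, for_time=None, period=30, digits=6,
                algorithm="sha1", window=1, last_used_step=-1):
    """Server-side check. Returns the accepted time step, or None.

    window: how many steps of clock drift to tolerate on either side.
    last_used_step: highest step already accepted for this user; steps at or
    below it are skipped so a code seen once cannot be replayed within the
    tolerance window. The caller persists the returned step.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    if for_time is None:
        for_time = time.time()
    current = int(for_time) // period
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), code):
            return step
    return None


if __name__ == "__main__":
    cfg = parse_otpauth(SLIDE_URI)
    print(cfg["issuer"], cfg["account"], cfg["period"], "s", cfg["algorithm"])
    print("current code for the slide secret:", totp(cfg["secret"]))
    # RFC 6238 SHA1 test vector: T=59 with 8 digits gives 94287082.
    print(totp(RFC_SEED, 59, digits=8))
```

The replay guard is the part pyotp's `verify()` leaves to the caller: with a one-step window the same code stays acceptable for up to 90 seconds, so a service must remember the last accepted step per user, not only compare digits.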
TOTP – Time based One Time Password
Testing with Python
For testing we used two Python libraries:
PyOTP - https://github.com/pyotp/pyotp
To generate and validate codes.
PyQRCode - https://pythonhosted.org/PyQRCode/
To generate the QR code used to register the service in the application.
Available for download - GitHub
https://github.com/gpinero007/totp-python
PyOTP to g
DEMO TIME
References
Python TOTP test script – My GitHub
https://github.com/gpinero007/totp-python
OTP Auth QR Code generator
https://dan.hersam.com/tools/gen-qr-code.html
Algorithm
https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
https://en.wikipedia.org/wiki/HMAC
RFC
https://tools.ietf.org/html/rfc6238
https://tools.ietf.org/html/rfc4226
Online version of the PowerPoint
https://www.error509.com/2018/05/otp-time-based-one-time-password/
Editor's Notes

  • #2: Hello everyone! Good morning, it is a pleasure for me to be here. My name is Gabriel Piñero and I work as senior security administrator at Telefonica. Currently my job is to administer the security of the network of hospitals in the community of Murcia. This is Murcia (and I point to the map).
  • #3: My job is for Murcia's Healthcare Service. We have ten hospitals and more than one hundred offices connected by a metropolitan area network. Currently I administer more than five thousand computers and ten thousand users. Mainly the technologies that we use are from manufacturers such as Cisco in the local area network, Fortinet firewalls to check connections between hospitals, and F5 load balancers for medical applications.
  • #4: A little about me. I am a computer engineer with a master's degree in network and systems security, and I have several certifications in networking, security and ethical hacking, mainly focused on the manufacturers of the technologies we have in our network: Cisco CCNP for LAN, Fortinet Network Security Expert 4 and 5 for firewalls, Certified Ethical Hacker for network audit, Cisco CCNA Security and many more.
  • #5: All right. Let's start with the important thing, TOTP. What is this? TOTP is used to protect digital identity with a second factor authentication in a service (Gmail, Dropbox, PayPal and many more) and gives us an alternative way to check digital identity. In this way we have: - A first factor based on something we know, that is, the user and password of the account. - And a second factor based on something we have, that is, the token generated by the TOTP application on the mobile phone (or a text message). For example: if we want to protect our Gmail account and someone steals your password, the hacker will not be able to access your mail if we have activated the second factor authentication. The hacker has a username and password but does not have the mobile phone to pass the second factor authentication.
  • #6: TOTP, as its name indicates, is used to generate tokens, codes, passwords (…or whatever you want to call it) that are valid for a short time. These codes are generated using an algorithm that computes a one-time password from a shared secret key and the current time. This algorithm is of the HMAC type, that is, based on using a hash function and a shared secret. In the case of TOTP, it is HMAC-SHA1 (by default). This way of generating the codes using a hash (SHA1) and a timestamp has been adopted as IETF standard six two three eight. Because the hash uses the timestamp, the time is important and the NTP protocol is generally used to synchronize this time. With the timestamp we add security to the code, since it cannot be remembered by the user (because it changes over time) and if it is stolen it will not be valid either. Time is counted in what is called UNIX epoch time, which measures the seconds elapsed since January first, nineteen seventy.
  • #7: There are many applications to generate TOTP codes that meet the standard, such as Authy, Google Authenticator, Latch or LastPass. These applications are based on the IETF standard to generate the codes that will allow us to validate the second factor authentication. The application is not linked to the service. This is important: you can use Authy to generate codes for the Gmail account's second factor authentication. Any application based on the standard is valid to generate TOTP codes.
  • #8: How does TOTP work? Normally the configuration of two factor authentication is really simple. The service presents a QR code that is scanned with the mobile application and stored in the device. The application understands this type of URI (OTP Auth). Basically the application reads the URI to store the secret, the name of the service and the username. (It's also possible to configure other values such as the time window (by default it is 30 seconds) or the hash algorithm, HMAC-SHA1.) It may seem that there is communication between the service and the application to validate the codes, but this is not true. This QR code is the only thing they share, and they follow the standard to generate the codes. As you can see in the image, Gmail and Google Authenticator do not need to communicate to know that the code is valid. This is the really interesting thing: the application generates the codes autonomously, it can work offline, and it doesn't need an internet connection. Last, if the code calculated by the application and the code calculated by the service are equal, it permits access; it is really simple. As we can see in this example, the code changes every 30 seconds (the default value).
  • #9: As proof of how TOTP works, we show below some code written in Python. There are many libraries, not only in Python; there are libraries for .NET, C, Java, PHP and other programming languages. It's just an example. In the example we will use two libraries: PyOTP to generate the codes and validate them, and PyQRCode to generate the QR code that the application understands to configure the service.
  • #10: OK, it's demo time. In the next video, which we will see now, we check how the Python code generates a shared secret and writes it using OTP Auth in a QR code. Later we will open the image with the QR code and read it with a mobile application (Google Authenticator). A new service will be added and we will check that the codes generated are valid. This is basically what a service like Gmail does when activating two factor authentication, and how it checks it.
  • #11: And that's all, thank you very much for your time. Thank you.