Figure 1 shows the Snap2Pass application running on the Android phone. To avoid adding spurious entries in the provider’s database, it should require a user login to complete the creation process. The web site then confirms that the account was created successfully. The user launches the Snap2Pass application on the phone and selects the “Set Account” button to activate the camera, consume and decode the QR code. Upon receiving an acceptable username, the server generates a shared secret for the account and then sends a QR code to the web page encoding the account information. The account creation web page invites a new user to sub- mit a username. The challenges are 128-bit length nonces embedded in a QR code, while the responses are 160 bits long and are sent over the wireless network. This key is used in the HMAC-SHA1 algorithm to compute responses to server-issued challenges. Our implementation uses a key length of 128 bits. In a symmetric key based challenge-response system, the client(s) and web server communicate using a pre-shared secret key. We present the basic work flow, from account creation, login, to revocation. We describe both challenge-response systems as implemented in Snap2Pass. Consequently, the same user secret key can be used to authenticate with many servers. It requires considerably more CPU power to generate responses to challenges, but the server only keeps the user’s public-key. The second is a system based on public-key cryptography. As a result, the user must maintain a different secret key for each server where she has an account. It uses little CPU power and generates very short messages, however it requires that the server pos- sess the user’s secret authentication key. The first is a system based on symmetric cryptography. Recall that challenge-response authentication comes in two flavors.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |