QRSA OTP Authentication


About this app

This app authenticates users with their cell phone by locally decrypting a one-time password that the server has encrypted with the user's public key. The app can be used with any web service that supports this method of authentication.
(See the GitHub tracker for more information on how to implement this authentication on the server side.)
The app can be used with an unlimited number of relying parties, since the same public key is used with all of them. Once the app is enrolled, it creates a device-bound keypair that exists for the whole lifetime of the app (until it is uninstalled). Updating the app does not erase the key, however.

Github Tracker: https://github.com/sebastiannielsen/QRSA

Requirements for running the app:
1. The phone must support hardware-backed key storage. This is storage that uses a "security chip" inside the phone, which makes it hard to copy the key off the phone.
2. The key store must be initialized. Sometimes it is possible to initialize the store by setting a screen lock PIN and then simply creating the key. Removing the screen lock usually keeps the keys, unless the key's properties were set up to require a screen lock.
3. In some cases a secure screen lock must be used. This depends on the phone model.
4. The secure chip inside the phone must support hardware-backed 2048-bit RSA/ECB/PKCS1.5 operations.
5. In some cases a rooted phone may block the security chip for security reasons.

To enroll, you launch qrsa://e from a browser or similar. You can also pass a callback URL by using qrsa://u. To use u, you must first add "s" if you want to use HTTPS, or anything else for HTTP. Then follows the whole URL to call, WITHOUT the scheme, in URL-safe Base64 format. The public key will be appended to the end of the URL. If the device is incompatible, it returns INCOMPATIBLE_DEVICE as its payload so that you can return a meaningful error message to the user.

To authenticate, you launch qrsa://s or qrsa://c followed by URL-safe Base64 data encrypted with the user's RSA public key, where the plaintext has the format PADDING::OTP::MESSAGE::HASH::PADDING. The "s" action is for scan events and shows the OTP as text on the screen. The "c" action is for click events. The difference is that click events put the OTP code into the user's clipboard instead, so the user can immediately proceed to paste the code into the OTP field.
The HASH is built by taking the MD5 of OTP + MESSAGE, where + means string concatenation. This hash protects against some kinds of malleability attacks on the ciphertext. The sandwiched construction prevents an attacker from moving the separator between OTP and MESSAGE.
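The enrollment URL, the plaintext layout and the encrypt/decrypt round trip described in the two paragraphs above, as an added example that is not the app's or the project's own code. It uses only the Go standard library and stands in for a relying party's server side (the "web service" of the listing) plus the device's decrypt-and-check step. Assumptions not stated on the page: the Base64 data is joined directly after the action letter, URL-safe Base64 is used with `=` padding, "h" is the arbitrary non-"s" character chosen for HTTP callbacks, and the PADDING content is whatever the caller supplies. The RSA key pair is generated in software here to keep the example self-contained; in the real app it lives in the phone's security chip.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Field separator of the plaintext, as given in the listing.
const sep = "::"

// EnrollURL builds the qrsa://u enrollment URL for a server callback.
// The first character encodes the scheme ("s" for HTTPS, anything else for
// HTTP; "h" is an arbitrary choice here), followed by the callback URL
// without its scheme in URL-safe Base64 (direct join and "=" padding assumed).
func EnrollURL(callback string) (string, error) {
	u, err := url.Parse(callback)
	if err != nil || u.Host == "" {
		return "", errors.New("callback must be an absolute http(s) URL")
	}
	flag := "h"
	if u.Scheme == "https" {
		flag = "s"
	}
	stripped := strings.TrimPrefix(callback, u.Scheme+"://")
	return "qrsa://u" + flag + base64.URLEncoding.EncodeToString([]byte(stripped)), nil
}

// otpHash is MD5(OTP + MESSAGE), hex encoded, as the listing specifies.
func otpHash(otp, message string) string {
	sum := md5.Sum([]byte(otp + message))
	return hex.EncodeToString(sum[:])
}

// BuildPlaintext lays out PADDING::OTP::MESSAGE::HASH::PADDING.
// The padding content is not specified on the page; the caller supplies it.
func BuildPlaintext(padding, otp, message string) string {
	return strings.Join([]string{padding, otp, message, otpHash(otp, message), padding}, sep)
}

// ParsePlaintext is the device-side check after RSA decryption: split the
// five fields and reject the payload unless HASH matches MD5(OTP + MESSAGE).
func ParsePlaintext(pt string) (otp, message string, err error) {
	parts := strings.Split(pt, sep)
	if len(parts) != 5 {
		return "", "", fmt.Errorf("expected 5 fields, got %d", len(parts))
	}
	otp, message, hash := parts[1], parts[2], parts[3]
	if hash != otpHash(otp, message) {
		return "", "", errors.New("hash mismatch: OTP or MESSAGE altered")
	}
	return otp, message, nil
}

// EncryptForDevice is the server step: RSA PKCS#1 v1.5 with the enrolled
// public key, URL-safe Base64, prefixed with the action ("s" show, "c" copy).
func EncryptForDevice(pub *rsa.PublicKey, action, plaintext string) (string, error) {
	if action != "s" && action != "c" {
		return "", errors.New("action must be s or c")
	}
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(plaintext))
	if err != nil {
		return "", err // e.g. plaintext longer than key size minus 11 bytes
	}
	return "qrsa://" + action + base64.URLEncoding.EncodeToString(ct), nil
}

// DecryptOnDevice mirrors what the app does with its device-bound private key.
func DecryptOnDevice(priv *rsa.PrivateKey, authURL, action string) (otp, message string, err error) {
	prefix := "qrsa://" + action
	if !strings.HasPrefix(authURL, prefix) {
		return "", "", errors.New("unexpected scheme or action")
	}
	ct, err := base64.URLEncoding.DecodeString(strings.TrimPrefix(authURL, prefix))
	if err != nil {
		return "", "", err
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
	if err != nil {
		return "", "", err
	}
	return ParsePlaintext(string(pt))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // software key; the app uses the security chip
	enroll, _ := EnrollURL("https://example.com/qrsa/callback") // constructed sample callback
	fmt.Println("enroll:", enroll)
	pt := BuildPlaintext("PADDING8", "493817", "Login to example.com") // constructed sample values
	authURL, _ := EncryptForDevice(&priv.PublicKey, "c", pt)
	otp, msg, err := DecryptOnDevice(priv, authURL, "c")
	fmt.Println("device got:", otp, msg, err)
}
```

The hash covers the plain concatenation OTP + MESSAGE, so the check in `ParsePlaintext` detects a changed OTP or MESSAGE; the listing attributes protection against a moved separator to the padding sandwich rather than to the hash, and this example does not model that part.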

Note that the app's screenshots have been deliberately censored to avoid trademark and/or copyright infringement (the Android UI and other apps are protected by copyright), because the interaction in the app is presented as a dialog box that appears on top of the calling app that triggered the authentication.

If there are any issues with the app, you can find example code and more instructions on the public GitHub page, since this app is open source.
Also, feel free to open issues in the public GitHub tracker.
Updated on
Aug 1, 2016

Data safety

No data shared with third parties
No data collected

What's new

1.4:
- Added MD5 hash verification, to further protect against malleability attacks.
1.3:
- Improved code so the app can more reliably kill itself.
1.2:
- Added OTP into @string/app_name to match Google Play app name.
1.1:
- Changed enroll function to exclude linebreaks in the public key.
- Added new "u" enroll function. Read the description or GitHub page for more information. The "u" enroll function is recommended when enrolling from a computer.


About the developer
Sebastian Nielsen
sebastian@sebbe.eu
Sweden
