Opened 6 years ago

Closed 6 years ago

#1055 closed task (fixed)

Implement extension for logging in with OTP

Reported by: Nicklas Nordborg Owned by: Nicklas Nordborg
Priority: major Milestone: OTP login v1.0
Component: net.sf.basedb.otp Keywords:
Cc:

Description (last modified by Nicklas Nordborg)

Inspired by https://freeotp.github.io/ which is a standard way of generating one-time password codes. The codes would make it harder for an attacker to access an account if the regular password is lost. The login form need to have three fields (currently not supported by BASE).

The extension need a way to store the secret key in the BASE database. This can already be done using the "extended properties" mechanism. The drawback is that this information is displayed in the web interface which is not so good. We either need to store the secret key in some other place or we need to implement support for "hidden extended properties" in BASE.

Initial setup is maybe the most challenging issue. The user should be able to enable OTP and generate a secret key in some way. The level of enforcement should be configurable by the server admin. We need at least:

  • Be able to specify applications that should never use OTP at all (for example, it is not possible with the FTP server extension).
  • Be able to specify applications that are required to use OTP (inluding the web client).
  • To enable new users to setup OTP in the case the web client is locked down the extension should implement a special "Create OTP" page where the user can set this. It's is kind of a separate login page that can only be used once.
  • The server admin should be able to reset (=remove) the stored secret key. If this is initiated by a request from the user it is important that the identity is verified, since otherwise a hacker that happens to get hold of the password could ask for a reset and then generate a new OTP locking the real user out.

Links:

Change History (29)

comment:1 by Nicklas Nordborg, 6 years ago

Component: not classifiednet.sf.basedb.otp
Milestone: OTP login v1.0
Owner: changed from Jari Häkkinen to Nicklas Nordborg

comment:2 by Nicklas Nordborg, 6 years ago

(In [4845]) References #1055: Implement extension for logging in with OTP

Adding Eclipse project files and some additional source code folders.

comment:3 by Nicklas Nordborg, 6 years ago

(In [4846]) References #1055: Implement extension for logging in with OTP

Adding some code, the build file and some other requried files (META-INF folder) to make compilation and packaging work.

comment:4 by Nicklas Nordborg, 6 years ago

(In [4847]) References #1055: Implement extension for logging in with OTP

Proof-of-concent code. Basic structure is inspiered by the YubiKey extension. The password field has been replaced with an OTP field. The secret key is currently hard-coded and all user can log in with the same OTP generator.

comment:5 by Nicklas Nordborg, 6 years ago

Description: modified (diff)

comment:6 by Nicklas Nordborg, 6 years ago

(In [4848]) References #1055: Implement extension for logging in with OTP

Added configuration file to make it possible to disable or force OTP for specific client applications.

Removed the hard-coded secret key and changed the implementation to use an extended property instead. This has only been added manually so far. It is not the best solution since the extended properties are visible and searchable in the gui and may cause the secrets to be revealed. We should either stored them outside of BASE or wait for BASE to implement "hidden" extended properties.

comment:7 by Nicklas Nordborg, 6 years ago

(In [4849]) References #1055: Implement extension for logging in with OTP

Started to work on functionality for setting up OTP for an account. The login page should now contain links to a popup dialog.

The dialog asks for the user to enter the username and password. This should trigger the server to generate a new OTP secret key and display it for the user as a QR code (not implemented). The user should then scan the code with the phone and let it generate a password code. The password code should be entered in the dialog and saved to complete the setup (not implemented).

comment:8 by Nicklas Nordborg, 6 years ago

(In [4850]) References #1055: Implement extension for logging in with OTP

Implemented QR code generation in the OTP configuration dialog. The user must first enter the username before the QR code can be generated (since implementations typically requires a name identifying the QR code).

A servlet is used for creating OTP secret key and the generating the QR code. We create 2 keys to get a 160-bit key instead of the default 80-bit. The QR code is generated with a library from: https://www.nayuki.io/page/qr-code-generator-library

We output it as a png image and encode it with Base64 to be able to transfer it with JSON to the browser which can then display it with <img src="data:image/png;base64,...">

Basic error handling has been implemented but can probably be improved. It is still not possible to save the secret key.

comment:9 by Nicklas Nordborg, 6 years ago

(In [4851]) References #1055: Implement extension for logging in with OTP

Saving the generated secret key has now been implemented. It will perform checks that the user login and password are correct and that a valid OTP is given. It is not allowed to overwrite an existing secret key.

There are some weak points remaining:

  • The secret key for generating the QR code is temporarily stored in a global variable which means that if two users start the OTP setup in the same time it will be messed up.
  • Secret keys are stored in the database as "extended properties". This is not good since they are visible in plain text in the browser.

comment:10 by Nicklas Nordborg, 6 years ago

(In [4852]) References #1055: Implement extension for logging in with OTP

The auto-generated secret keys are now stored temporarily in a WeakHashMap with the SessionControl as the key. This should get rid of the problem with multiple users setting up OTP at the same time.

comment:11 by Nicklas Nordborg, 6 years ago

(In [4853]) References #1055: Implement extension for logging in with OTP

The OTP secret keys are now encrypted before the are stored in the database. Unfortunately we can't use a simple hashing method since we need to decrypt back to the original keys.

Instead we use a master password from the base-otp.properties file and the internal ID of the user account to create an encryption key for AES-128. This makes sure that each OTP key is encrypted with a unique key. The inclusion of the internal ID makes sure that it is not possible to copy an existing encrypted key to another user account.

Note that once the master password has been used once it is not possible to change it without having to reset all existing keys and force users to redo their OTP setup.

comment:12 by Nicklas Nordborg, 6 years ago

(In [4854]) References #1055: Implement extension for logging in with OTP

If the OTP setup wizard is started from the login page and a username is already entered, the OTP setup is pre-filled with the same username.

comment:13 by Nicklas Nordborg, 6 years ago

(In [4855]) References #1055: Implement extension for logging in with OTP

The numer of iterations used in the key generation step is now saved as part of the encrypted string. This should be safer in case we need to change some parameters in the future.

comment:14 by Nicklas Nordborg, 6 years ago

(In [4856]) References #1055: Implement extension for logging in with OTP

Added a cache that keeps track of used OTP codes to prevent the same code from being used more than once.

comment:15 by Nicklas Nordborg, 6 years ago

(In [4857]) References #1055: Implement extension for logging in with OTP

Added support for setting a new password at the same time as setting up OTP.

comment:16 by Nicklas Nordborg, 6 years ago

(In [4858]) References #1055: Implement extension for logging in with OTP

Added support for a flag that can be set on user accounts to require them to use OTP when logging in. This makes it possible to configure OTP to be optional for the web client but require it for some users.

comment:17 by Nicklas Nordborg, 6 years ago

(In [4859]) References #1055: Implement extension for logging in with OTP

Include the otp-extended-properties.xml file in the distribution.

comment:18 by Nicklas Nordborg, 6 years ago

(In [4863]) References #1055: Implement extension for logging in with OTP

Some minor changes:

  • Added image to the help text on the login page.
  • If OTP is required the input is limited to numbers only and autocomplete is turned off
  • Changed icon on the "Close" button after OTP setup.

comment:19 by Nicklas Nordborg, 6 years ago

(In [4864]) References #1055: Implement extension for logging in with OTP

Fixed incorrect comment.

comment:20 by Nicklas Nordborg, 6 years ago

(In [4917]) References #1055: Implement extension for logging in with OTP

Change minimal requirements to BASE 3.13 since we really want to use the new functionality and there is no need to rush the release of this extension.

comment:21 by Nicklas Nordborg, 6 years ago

(In [4918]) References #1055: Implement extension for logging in with OTP

The login form extension has been updated with support for both otp-only and otp+password authentication.

comment:22 by Nicklas Nordborg, 6 years ago

(In [4919]) References #1055: Implement extension for logging in with OTP

The login manager should now support both the otp-only and otp-password modes.

comment:23 by Nicklas Nordborg, 6 years ago

(In [4920]) References #1055: Implement extension for logging in with OTP

HTML in the login error messages is causing lots of trouble since it is passed on in the URL by the web client.

comment:24 by Nicklas Nordborg, 6 years ago

(In [4921]) References #1055: Implement extension for logging in with OTP

The 'otpIsRequired' flag should be set to true when a OTP is being configured since this is more logical (though it doesn't affect functionality if it is set to false).

Some more changes to error messages.

comment:25 by Nicklas Nordborg, 6 years ago

(In [4922]) References #1055: Implement extension for logging in with OTP

Made the otpSecretKey extended property a hidden property so that it doesn't show up in lists or other pages in the web interface.

Added "OTP" tab in the "Edit user" dialog with the possibility to remove an existing secret key. The "Require OTP" option has also been moved to this tab and disabled in the tab with other extended properties.

comment:26 by Nicklas Nordborg, 6 years ago

(In [4923]) References #1055: Implement extension for logging in with OTP

Added a tab in the "BASE - User information" dialog for displaying the OTP QR code. Before the code can be displayed an OTP value must be entered.

comment:27 by Nicklas Nordborg, 6 years ago

(In [4924]) References #1055: Implement extension for logging in with OTP

Cleaning up the script/css for the QR code dialog.

comment:28 by Nicklas Nordborg, 6 years ago

(In [4926]) References #1055: Implement extension for logging in with OTP

The minimal BASE version should be 3.13.

comment:29 by Nicklas Nordborg, 6 years ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.