OTP with SOAP messages and swing client



I have a swing client that communicates with a server via soap messages. The powers that be have decided that for access outside the trusted network a higher level of authentication is required and at this stage we're looking at using SMS messages to distribute one-time passwords (there are also webapps that will use this and they are obviously easier to integrate with this sort of thing).

At the moment we use a dodgy WS-Security header with username and (woo hoo) base64 encoded password in the soap header (transmitted over https). Obviously this approach doesn't work with OTP.

What I'm thinking is something like the following:

1. User requests OTP via some mechanism where they provide username/password, server creates a nonce and a secret and sends it to their pre-configured mobile number via SMS
2. User enters said nonce and secret to client
3. App stores secret and nonce

With subsequent messages we then have the following:

4. Client combines 'current' nonce and secret and generates a hash based on them to send to the server as auth
5. Server does auth check based on username/hash provided
6. Server responds with new nonce in the header along with the rest of the soap document response
7. Client stores new nonce for next message

Steps 4, 5, 6 and 7 can then be repeated forever without exposing ourselves to replay attacks.

At a glance, this seems ok, but of course these things shouldn't be done at a glance and it concerns me that I'm combining bits of this and bits of that - surely there are smarter people than me who have already been through this? I must be asking the wrong question because my googling so far turns up OTP stuff which is all nice and easy when something else is taking care of the session (which thinking aloud would still expose a webapp to a replay attack within the "session"), but doesn't really apply with a stateless protocol.

Any ideas on this?

cheers
dim
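The exchange in steps 1 to 7, written out as an added example in Python; it is not part of the original post. It assumes HMAC-SHA256 as the "combine the current nonce and the secret and hash them" step (the post does not name a hash), stands in for the SMS by simply returning the secret and nonce to the caller, and goes one step beyond the post by binding the SOAP body into the proof so a captured proof cannot be attached to a different request. The username, password and SOAP body are constructed sample data.

```python
import hashlib
import hmac
import secrets


def proof_for(secret: bytes, nonce: bytes, body: bytes) -> str:
    """Step 4: combine the current nonce and the SMS-delivered secret.
    HMAC-SHA256 is an assumption; the post just says 'a hash'. Binding the
    SOAP body (an addition) ties the proof to this particular request."""
    return hmac.new(secret, nonce + b"|" + body, hashlib.sha256).hexdigest()


class Server:
    """Holds, per user, the SMS secret and the single nonce accepted next."""

    def __init__(self, passwords: dict):
        self._passwords = passwords   # constructed username/password table
        self._state = {}              # username -> (secret, current_nonce)

    def request_otp(self, username: str, password: str):
        # Step 1: username/password gate, then a fresh nonce and secret.
        if self._passwords.get(username) != password:
            return None
        secret, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        self._state[username] = (secret, nonce)
        return secret, nonce          # stands in for the SMS delivery

    def handle(self, username: str, proof: str, body: bytes):
        # Steps 5 and 6: recompute the proof from the server's own copy of
        # the nonce, then rotate it so this proof can never be accepted again.
        if username not in self._state:
            return None
        secret, nonce = self._state[username]
        expected = proof_for(secret, nonce, body)
        if not hmac.compare_digest(expected, proof):
            return None
        new_nonce = secrets.token_bytes(16)
        self._state[username] = (secret, new_nonce)
        return new_nonce              # travels back in the SOAP header


class Client:
    """Steps 2 and 3: the Swing client after the user has typed in the SMS."""

    def __init__(self, username: str, secret: bytes, nonce: bytes):
        self.username, self._secret, self._nonce = username, secret, nonce

    def call(self, server: Server, body: bytes) -> bool:
        proof = proof_for(self._secret, self._nonce, body)   # step 4
        new_nonce = server.handle(self.username, proof, body)
        if new_nonce is None:
            return False              # server rejected; nonce is NOT advanced
        self._nonce = new_nonce       # step 7: keep the new nonce for next time
        return True


def demo():
    """Runs one legitimate request, replays its captured proof, then
    makes a second legitimate request with the rotated nonce."""
    server = Server({"dim": "hunter2"})
    secret, nonce = server.request_otp("dim", "hunter2")
    client = Client("dim", secret, nonce)
    body = b"<soap:Envelope>...getAccount...</soap:Envelope>"  # constructed
    captured = proof_for(secret, nonce, body)   # what a sniffer would see
    first = client.call(server, body)           # accepted, nonce rotates
    replayed = server.handle("dim", captured, body) is not None
    second = client.call(server, body)          # client already has new nonce
    return first, replayed, second
```

`demo()` returns `(True, False, True)`: the live request passes, the replayed proof fails because the server has already moved to the next nonce, and the client's next request passes because it stored the nonce from the response. One caveat this exposes: if the response carrying the new nonce is lost, the client and server hold different nonces and every further call fails, so the real implementation needs a way to fall back to step 1 (re-request an OTP) rather than retrying forever.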
