Security Basics mailing list archives
OTP with SOAP messages and swing client
From: dim () colebatch com
Date: 14 Aug 2006 23:44:20 -0000
I have a Swing client that communicates with a server via SOAP messages. The powers that be have decided that for access outside the trusted network a higher level of authentication is required, and at this stage we're looking at using SMS messages to distribute one-time passwords (there are also webapps that will use this, and they are obviously easier to integrate with this sort of thing).

At the moment we use a dodgy WS-Security header with username and (woo hoo) base64-encoded password in the SOAP header (transmitted over HTTPS). Obviously this approach doesn't work with OTP. What I'm thinking is something like the following:

1. User requests OTP via some mechanism where they provide username/password; server creates a nonce and a secret and sends it to their pre-configured mobile number via SMS
2. User enters said nonce and secret into the client
3. App stores secret and nonce

With subsequent messages we then have the following:

4. Client combines the 'current' nonce and secret and generates a hash based on them to send to the server as auth
5. Server does auth check based on username/hash provided
6. Server responds with a new nonce in the header along with the rest of the SOAP document response
7. Client stores the new nonce for the next message

Steps 4, 5, 6 and 7 can then be repeated forever without exposing ourselves to replay attacks.

At a glance this seems OK, but of course these things shouldn't be done at a glance, and it concerns me that I'm combining bits of this and bits of that - surely there are smarter people than me who have already been through this? I must be asking the wrong question, because my googling so far turns up OTP stuff which is all nice and easy when something else is taking care of the session (which, thinking aloud, would still expose a webapp to a replay attack within the "session"), but doesn't really apply with a stateless protocol.

Any ideas on this?
cheers
dim
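The exchange described in the post (steps 1 to 7), modelled end to end as an added example; this is not code from the post or from dim's client, and it is a Python simulation rather than the Swing/SOAP client itself. SOAP envelopes and WS-Security headers are stand-in dicts, the SMS gateway is an in-memory outbox, the user record and password are constructed sample data, and the "hash" of step 4 is implemented as HMAC-SHA256 keyed with the SMS secret over the nonce and the request body (my choice; the post only says "a hash", and covering the body additionally prevents a captured token from being reused with a different request). The demo sends two legitimate calls and then replays the first captured envelope to show the server rejecting it once the nonce has rotated.

```python
import hashlib
import hmac
import secrets


def auth_token(secret: bytes, nonce: str, body: str) -> str:
    """Step 4: per-request proof derived from the current nonce and the
    SMS-delivered secret. HMAC-SHA256 over nonce and body is this example's
    choice, not something the post specifies."""
    return hmac.new(secret, f"{nonce}\n{body}".encode(), hashlib.sha256).hexdigest()


class OtpServer:
    """Server side (constructed stand-in for the SOAP service; envelopes are
    plain dicts, not real WS-Security XML)."""

    def __init__(self):
        self.users = {}       # username -> (password, mobile number)
        self.sessions = {}    # username -> {"secret": bytes, "nonce": str}
        self.sms_outbox = []  # stand-in for the SMS gateway: (mobile, text)

    def register(self, username: str, password: str, mobile: str) -> None:
        self.users[username] = (password, mobile)

    def request_otp(self, username: str, password: str) -> bool:
        """Step 1: check the password, then send a fresh secret and nonce by SMS."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[0].encode(), password.encode()):
            return False
        secret, nonce = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[username] = {"secret": secret.encode(), "nonce": nonce}
        self.sms_outbox.append((rec[1], f"secret={secret} nonce={nonce}"))
        return True

    def handle(self, envelope: dict) -> dict:
        """Steps 5 and 6: verify the proof against the nonce issued last, then
        rotate the nonce and return the new one in the response header. A
        replayed envelope proves the old nonce and is rejected."""
        header, body = envelope["header"], envelope["body"]
        sess = self.sessions.get(header.get("username"))
        if sess is None:
            return {"header": {"status": "fault"}, "body": "no OTP session"}
        expected = auth_token(sess["secret"], sess["nonce"], body)
        if not hmac.compare_digest(expected, header.get("auth", "")):
            return {"header": {"status": "fault"}, "body": "authentication failed"}
        sess["nonce"] = secrets.token_hex(16)  # rotate only after a successful check
        return {"header": {"status": "ok", "nonce": sess["nonce"]},
                "body": f"result of {body}"}


class Client:
    """Client side (stand-in for the Swing client): holds secret and nonce."""

    def __init__(self, username: str, server: OtpServer):
        self.username, self.server = username, server
        self.secret = self.nonce = None
        self.last_envelope = None  # kept so the demo can replay it

    def enrol(self, sms_text: str) -> None:
        """Steps 2 and 3: the user types in what the SMS said."""
        fields = dict(part.split("=", 1) for part in sms_text.split())
        self.secret, self.nonce = fields["secret"].encode(), fields["nonce"]

    def call(self, body: str) -> dict:
        """Steps 4 and 7: prove the current nonce, store the next one."""
        self.last_envelope = {
            "header": {"username": self.username,
                       "auth": auth_token(self.secret, self.nonce, body)},
            "body": body,
        }
        resp = self.server.handle(self.last_envelope)
        if resp["header"]["status"] == "ok":
            self.nonce = resp["header"]["nonce"]
        return resp


def demo() -> tuple:
    """Enrol, make two legitimate calls, then replay the first captured call.
    Returns the three status values: ('ok', 'ok', 'fault')."""
    server = OtpServer()
    server.register("dim", "correct horse", "+61400000000")  # constructed sample user
    if not server.request_otp("dim", "correct horse"):
        raise RuntimeError("password check failed")
    _mobile, sms_text = server.sms_outbox[-1]  # what the phone would receive
    client = Client("dim", server)
    client.enrol(sms_text)
    first = client.call("getAccountSummary")
    captured = client.last_envelope  # what a sniffer on the first call would hold
    second = client.call("getAccountSummary")
    replay = server.handle(captured)  # nonce already rotated: rejected
    return (first["header"]["status"], second["header"]["status"],
            replay["header"]["status"])


if __name__ == "__main__":
    print(demo())
```

Two properties of the scheme are visible in the code and worth checking against any real implementation: the server rotates the nonce only after a successful check, so a failed or replayed request cannot knock the client out of sync, but if the response carrying the new nonce is lost in transit the client and server disagree on the current nonce and the client has to re-enrol; and because there is exactly one current nonce per user, two requests in flight at the same time from one user both prove the same nonce and only the first to arrive succeeds.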