An analysis of the working principle of the new Google Authenticator verification system introduced in Android

Source: Internet
Author: User

To improve account security on Android, Google introduced its verification app, Google Authenticator. It is used as follows: the user installs the mobile client, which generates a temporary authentication code that is submitted to the server for verification. Authy is a similar verification system. Robbie published his own implementation in Go on his GitHub page and wrote a blog post explaining how it works.

In general, the authentication system implements a time-based one-time password algorithm, known as TOTP (Time-based One-Time Password). The algorithm consists of three parts:

1. A shared secret key (a series of binary data)
2. An input based on the current time
3. A signature function

1. Shared secret key

Users need to obtain a shared secret key when setting up the authenticator on their phone. They get it either by scanning the QR code they are given or by entering the key manually. The key is Base32-encoded; for why Base32 is used rather than Base64, refer to the explanation on Wikipedia.

For those who enter manually, the shared key given by the Google authentication system is formatted as follows:


xxxx xxxx xxxx xxxx xxxx xxxx xxxx

This is 256 bits of data; other verification systems may of course use shorter keys.

For users who scan, the QR code decodes to a URL similar to the following:

otpauth://totp/google%3ayourname@gmail.com?secret=xxxx&issuer=google

2. Input based on the current time

This input is derived from the time on the user's phone. Once the user has completed the initial key sharing, generating it involves no further contact with the authentication server. What matters is that the phone's clock is accurate, because the authentication server repeats the phone's computation using its own clock. In addition, the server calculates the tokens for a few minutes before and after the current time and compares them with the token submitted by the user. So if the time difference is too large, authentication fails.

3. Signature function

Google's signature function is HMAC-SHA1. HMAC is a hash-based message authentication code: it provides an algorithm for generating signatures from a secure one-way hash function such as SHA1. This is what makes the validation work: only the holder of the shared key and the server can produce the same output signature from the same (time-based) input. Simplified pseudocode is as follows (the real HMAC construction also XORs the key with fixed inner and outer padding constants before each hash):

hmac = SHA1(secret + SHA1(secret + input))

TOTP, mentioned at the beginning of this article, works on the same principle as HMAC, except that TOTP requires the input to depend on the current time. The similar HOTP uses an incrementing counter instead, which has to be kept synchronized with the server.

Introduction to Algorithm Flow

First the key has to be Base32-decoded. To make it easier for users to type, Google displays the key in lowercase with spaces. Base32, however, does not allow spaces and must be uppercase, so the processing pseudocode is as follows:

original_secret = xxxx xxxx xxxx xxxx xxxx xxxx xxxx
secret = base32_decode(to_uppercase(remove_spaces(original_secret)))

The next step is to derive the input from the current time, usually as Unix time, which is the number of seconds from the Unix epoch to the present.

input = current_unix_time()

One point to note is that the verification code has a limited lifetime of about 30 seconds. This is for the convenience of the user: a code that changed every second would be hard to type quickly and accurately. To get this lifetime, divide the time by 30 using integer division:

input = current_unix_time() / 30

The final step is the signature function, HMAC-SHA1. The complete pseudocode is as follows:

original_secret = xxxx xxxx xxxx xxxx xxxx xxxx xxxx
secret = base32_decode(to_uppercase(remove_spaces(original_secret)))
input = current_unix_time() / 30
hmac = SHA1(secret + SHA1(secret + input))

With this code in place, two-factor authentication is essentially implemented. Because the HMAC is a standard-length SHA1 value, 40 characters long in hexadecimal, it is hard for a user to type in, so some formatting is required. The low four bits of the last byte select an offset into the HMAC, the four bytes at that offset are read as an integer with the top bit cleared, and the result is reduced to six digits. Refer to the following pseudocode:

offset = last_byte(hmac) & 0x0F
four_bytes = hmac[offset : offset + 4]
large_integer = INT(four_bytes) & 0x7FFFFFFF
small_integer = large_integer % 1,000,000
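The whole flow above, together with the server-side check of neighbouring time steps described in section 2, as an added Go example. It is not Robbie's code or Google's; the names DecodeSecret, CodeAt, Verify and the window parameter are this example's own, and the sample key is the published RFC 6238 test key, not a real account secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// DecodeSecret undoes the display form: strip spaces, upper-case, Base32-decode.
func DecodeSecret(shown string) ([]byte, error) {
	s := strings.TrimRight(strings.ToUpper(strings.ReplaceAll(shown, " ", "")), "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// CodeAt returns the 6-digit code for the 30-second step that contains unixTime.
func CodeAt(secret []byte, unixTime int64) string {
	var input [8]byte // the step counter is signed as 8 big-endian bytes
	binary.BigEndian.PutUint64(input[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(input[:])
	sum := mac.Sum(nil)              // 20 bytes
	offset := sum[len(sum)-1] & 0x0f // low nibble of last byte: 0..15
	n := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", n%1000000) // keep leading zeros
}

// Verify accepts the code of the current step or of `window` steps either side,
// comparing in constant time so response timing does not leak matching digits.
func Verify(secret []byte, code string, unixTime, window int64) bool {
	ok := 0
	for i := -window; i <= window; i++ {
		want := CodeAt(secret, unixTime+i*30)
		ok |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
	}
	return ok == 1
}

func main() {
	// RFC 6238 test key ("12345678901234567890") in the lowercase, spaced display form.
	secret, err := DecodeSecret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
	if err != nil {
		panic(err)
	}
	fmt.Println(CodeAt(secret, time.Now().Unix()))
}
```

A larger window tolerates more clock drift but keeps each code valid for longer, so a server should keep it small and also reject a code that has already been accepted once.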
