Two-step verification in practice: integrating Google Authenticator with Java

Source: Internet
Author: User
Tags: hmac, sha1
Two-Step verification


Everyone should be familiar with two-step verification by now. Apple has its own two-step verification scheme: stolen Apple ID passwords have been used to lock phones and extort their owners, which is not uncommon, so Apple recommends that you turn two-step verification on.



Google Authenticator is also commonly used for two-step verification at login, and Apple's scheme works the same way. Google's is simply used more widely: GitHub's two-step verification, for example, is based on Google Authenticator.


About Google Authenticator


Google Authenticator is a software token for two-step verification based on a time-based, hash-based one-time password algorithm. The user installs the mobile app (Authenticator) and binds it to the website. When the website has verified the user name and password, it then checks the 6-digit verification code generated in the app; if the code matches, the login succeeds, otherwise it fails.


Using Google Authenticator


Let's look at how GitHub uses Google Authenticator to turn on two-step verification.



By default, GitHub has two-step verification turned off; click the Settings button to set it up.






GitHub offers two-step verification either through an app (Google Authenticator) or through SMS verification codes; we choose the first option, Google Authenticator.






After choosing the first mode, a set of recovery codes is displayed; these are for emergencies when the authenticator app is not available. Save them, then click Next.






This is the authenticator's key: download Google's Authenticator app, then scan the QR code to bind it.






After binding, the GitHub entry in the app shows a 6-digit verification code; enter it into the box above.






As shown, two-step verification has been turned on successfully.






Next we log out of GitHub and log in again. The page now prompts for the Google Authenticator verification code, and if the app is not working you can instead log in with one of the recovery codes saved earlier, via the link at the bottom.






That covers using Google Authenticator. How does it work, and how does our own website or app integrate with it? Let's take it apart.


How Google Authenticator Works


Google Authenticator uses the TOTP algorithm (Time-based One-Time Password), whose core consists of the following three points.



1. Secret key



This is the secret key agreed between the client and the server. It is the one unique key used both when the phone app binds to the site (by scanning the QR code or typing the key in by hand) and when a verification code is checked. The key is generated by a cryptographic algorithm and finally Base32-encoded.



2. Verification time



Google chose 30 seconds as the time slice: the counter T is the number of 30-second intervals elapsed since the Unix epoch (January 1, 1970 00:00:00 UTC), which is why the verification code in Google Authenticator refreshes every 30 seconds.



For a more detailed explanation of the principle, see:


blog.seetee.me/post/2011/google-two-step-verification/


3. Signature Algorithm



Google uses the HMAC-SHA1 algorithm. HMAC stands for Hash-based Message Authentication Code: it takes a key and a message as input and produces a message digest as output; here SHA1 is the underlying hash function.



HMAC is used because only someone holding the correct key can produce the correct output, so the output is unique to that key. The algorithm can be expressed in simplified form as:


HMAC = SHA1(secret + SHA1(secret + input))


In fact, TOTP is a superset of HOTP (HMAC-based One-Time Password): TOTP uses the current time step as its input, whereas HOTP uses an incrementing counter, which both sides must keep synchronized.
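As an added example (not code from the post or from the GoogleAuthenticator class it references), the three points above carried through in plain Java using only the JDK: Base32 decoding of the secret, the 30-second counter, HMAC-SHA1 with dynamic truncation to 6 digits, and a server-side check with a drift window. The class name TotpDemo is my own; the Base32 secret is the sample from the post's verifyTest, and the known-answer check uses the RFC 6238 Appendix B test vector.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class TotpDemo {
    private static final int STEP_SECONDS = 30;   // Google's time slice
    private static final String B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    // Decode the Base32 secret (RFC 4648 alphabet) that the app scans from the QR code.
    static byte[] base32Decode(String s) {
        s = s.toUpperCase().replace("=", "");
        byte[] out = new byte[s.length() * 5 / 8];
        int buf = 0, bits = 0, n = 0;
        for (char c : s.toCharArray()) {
            int v = B32.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not Base32: " + c);
            buf = (buf << 5) | v; bits += 5;
            if (bits >= 8) { bits -= 8; out[n++] = (byte) (buf >> bits); buf &= (1 << bits) - 1; }
        }
        return out;
    }

    // TOTP: T = unixSeconds / 30, HMAC-SHA1(key, T), dynamic truncation to 6 digits (RFC 6238 / RFC 4226).
    static int generate(byte[] key, long unixSeconds) throws GeneralSecurityException {
        byte[] counter = ByteBuffer.allocate(8).putLong(unixSeconds / STEP_SECONDS).array(); // 8-byte big-endian
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(counter);
        int off = h[h.length - 1] & 0x0f;              // low nibble of the last byte selects the offset
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return bin % 1_000_000;
    }

    // Server-side check: accept the current step plus `window` steps either side for clock drift.
    // A real service must also refuse a code already accepted in this step (replay) and rate-limit attempts.
    static boolean verify(byte[] key, int code, long unixSeconds, int window) throws GeneralSecurityException {
        boolean ok = false;   // no early exit: every candidate step is computed
        for (int i = -window; i <= window; i++) ok |= generate(key, unixSeconds + (long) i * STEP_SECONDS) == code;
        return ok;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // RFC 6238 Appendix B vector: ASCII key "12345678901234567890", T=59 -> 94287082, i.e. 287082 at 6 digits
        byte[] rfcKey = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        if (generate(rfcKey, 59) != 287082) throw new AssertionError("RFC 6238 vector failed");
        if (!verify(rfcKey, 287082, 79, 1)) throw new AssertionError("drift window failed"); // 79 s is the next step
        byte[] key = base32Decode("ZJTAQGLVOZ7ATWH2"); // the sample secret from the post's verifyTest
        System.out.printf("code now: %06d%n", generate(key, System.currentTimeMillis() / 1000));
    }
}
```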


Google Authenticator in Practice


With the principle understood, we can put it into practice.


import org.junit.Test;

/**
 * WeChat official account: Java technology stack
 *
 * GoogleAuthenticator is the helper class whose source is linked at the end of this post.
 */
public class AuthTest {

    // Generate a fresh Base32 secret and the otpauth QR-code URL the app scans to bind it.
    @Test
    public void genSecretTest() {
        String secret = GoogleAuthenticator.generateSecretKey();
        String qrcode = GoogleAuthenticator.getQRBarcodeURL("Java technology stack", "javastack.cn", secret);
        System.out.println("QR code address: " + qrcode);
        System.out.println("key: " + secret);
    }

    // Verify a 6-digit code against a secret. The hard-coded code was read from the app
    // for this secret; it is only valid in the 30-second step it was generated in, so
    // re-running this test later prints false.
    @Test
    public void verifyTest() {
        String secret = "ZJTAQGLVOZ7ATWH2";
        long code = 956235;
        GoogleAuthenticator ga = new GoogleAuthenticator();
        boolean r = ga.verifCode(secret, code);
        System.out.println("Is it correct: " + r);
    }
}


The first method generates a key and the URL for the QR code that is scanned to bind it.



The second method validates a verification code against the key.



Only a reference for the source code of the GoogleAuthenticator class is given here:


http://awtqty-zhang.iteye.com/blog/1986275


If you found this useful, please share it; you are also welcome to leave a comment with your questions and views.


