Token generation
By : Mrunal Patil
Nikita Patil
Aishwarya Shekokar
Token
A token comprises 3 parts:
• Header
• Payload
• Signature
JWT (JSON Web Token)
• Keeps info safe between 2 parties
Comprises 3 parts:
• Application server
• Authentication server
• User
4 steps:
• User signs in to the authentication server
• Server authenticates if the user is authentic
• User passes the JWT when making API calls to the application server
• Application server verifies the application and sends it back to the user
• Application server receives the secret key from the authentication server
For creating a token in JWT:
• Create header
• Create signature
• Payload
• Put together
Verify JWT (if the signature matches, the user is authentic; if the signature does not match, the user is not authentic)
JWT advantages:
• Obscure data
• Proves data was sent and created by authentic source
• Encoded (transformed data structure) data obtained
• Signed data (verified authenticity) obtained
JWT disadvantages:
• Does not hide data
• Does not encrypt data
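The create and verify steps listed earlier, and the point that a JWT does not hide its data, shown as an added example (not from the original slides). It assumes the HS256 algorithm (HMAC-SHA256) with a shared secret key; the key, claims and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    # JWT uses unpadded URL-safe base64: an encoding, not encryption.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> str:
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())

def create_jwt(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)          # header.payload
    return signing_input + "." + sign(signing_input, key)

def read_payload_unverified(token: str) -> dict:
    # No key needed: anyone holding the token can read the claims.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, key: bytes):
    """Return the claims if the signature matches, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm; never let the token choose how it is checked.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = sign(header_b64 + "." + payload_b64, key)
        # Constant-time comparison of the recomputed and presented signature.
        if not hmac.compare_digest(expected.encode(), sig_b64.encode()):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None

# Constructed sample key and claims, for illustration only.
KEY = b"constructed-demo-key"
TOKEN = create_jwt({"sub": "user-123", "role": "reader"}, KEY)

def with_changed_role(token: str, role: str) -> str:
    # Simulates a payload altered in transit; the old signature is kept.
    h, p, s = token.split(".")
    claims = dict(json.loads(b64url_decode(p)), role=role)
    return ".".join([h, b64url(json.dumps(claims).encode()), s])
```

The payload can be read without the key, but any change to it makes verify_jwt return None because the recomputed signature no longer matches.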
RSA-ECDSA
• User asks for authentication
• If token is verified then process is done
RSA SecurID has:
• hw (USB dongle)
• sw (soft token)
• Assigned to a computer user and generates a code at a fixed interval (60 sec)
• Built-in clock is used and the card's factory-encoded random key (seed)
• Seed is different for each token
RSA (1K RSA key)
Adv:
• Speed high
• Verifies RSA signatures faster
Disadv:
• Signature and public key are added to the msg, so high space
• Low security
ECDSA (192-bit ECDSA)
Adv:
• More secure
Disadv:
• More space required
• Speed slow
HMAC SHA1
• Used for checking tampered msg
• Keyed hash algo (secret key)
• Secret key + msg
• Hashes result with hash function
• Adds hash value
• Output is 160 bits in length
• Sender sends original data and hash value to receiver
• Sender computes hash value
• Receiver calculates hash value
• If mismatch then correct hash value is demanded
• Adv: faster
• Disadv: need for secret key to verify token
Comparison (JWT, RSA-ECDSA, HMAC SHA1)
• RFC 4226 HOTP based on SHA1
• JWT and RSA-ECDSA require SALTING
• HMAC-SHA1 is best because it does not require SALTING strings (MD5 add)
• Salting is a hash technique for reducing collision
• Hash function is found in db
• Salting is an unknown element (random)