Token generation
TRANSCRIPT
By: Mrunal Patil, Nikita Patil, Aishwarya Shekokar
Token
A token comprises 3 parts:
• Header
• Payload
• Signature
JWT (JSON Web Token)
• Information passed safely between 2 parties
Involves 3 parties:
• Application server
• Authentication server
• User
4 steps:
• User signs in to the authentication server
• Server checks whether the user is authentic
• User passes the JWT when making API calls to the application server
• Application server verifies the JWT and sends the response back to the user
• Application server receives the secret key from the authentication server
Creating a JWT:
• Create the header
• Create the signature
• Create the payload
• Put them together
Verify the JWT (if the signature matches, the user is authentic; if the signature does not match, the user is not authentic)
JWT advantages:
• Obscures data
• Proves the data was sent and created by an authentic source
• Encoded data (transformed data structure) is obtained
• Signed data (verified authenticity) is obtained
JWT disadvantages:
• Does not hide data
• Does not encrypt data
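The create and verify steps above, as an added example that is not part of the presentation: a minimal JWT built and checked with only the Python standard library. It signs with HMAC-SHA256 (the standard JWT HS256 algorithm) rather than HMAC-SHA1, the secret key and claims are constructed values, and the last function shows the "does not hide data" point, since the payload decodes without the key.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real deployment uses a random key shared by the
# authentication server and the application server, never a hard-coded string.
SECRET = b"example-shared-secret"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as the JWT format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload: dict, key: bytes) -> str:
    """Header, payload and HMAC-SHA256 signature, base64url-encoded and joined with dots."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes):
    """Return the payload if the signature matches, otherwise None.
    The algorithm is pinned to HS256; the header's alg field is never trusted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong number of parts or malformed base64
        return None
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))


def read_payload_without_key(token: str) -> dict:
    """Anyone holding the token can read the payload: it is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))
```

A token whose payload is edited after signing, or one presented with a different key, fails verification, while its claims remain readable by anyone who holds it.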
RSA-ECDSA
• User asks for authentication
• If the token is verified, the process is done
RSA SecurID has:
• hw (USB dongle)
• sw (soft token)
• Assigned to a computer user and generates a code at a fixed interval (60 sec)
• A built-in clock is used and the cards are factory-encoded with a random key (seed)
• The seed is different for each token
RSA (1K RSA key)
Adv:
• High speed
• Verifies RSA signatures faster
Disadv:
• The signature and public key are added to the message, so more space is needed
• Low security
ECDSA (192-bit ECDSA)
Adv:
• More secure
Disadv:
• More space required
• Slow speed
HMAC SHA1
• Used for checking whether a message has been tampered with
• Keyed hash algorithm (secret key)
• Secret key + message
• Hashes the result with a hash function
• Appends the hash value
• Output is 160 bits in length
• Sender sends the original data and the hash value to the receiver
• Sender computes the hash value
• Receiver calculates the hash value
• If there is a mismatch, the correct hash value is demanded
• Adv: faster
• Disadv: the secret key is needed to verify the token
Comparison (JWT, RSA-ECDSA, HMAC SHA1)
• RFC 4226 HOTP is based on SHA1
• JWT and RSA-ECDSA require SALTING
• HMAC-SHA1 is best because it does not require SALTING strings (MD5 add)
• Salting is a hashing technique for reducing collisions
• The hash function is found in the DB
• The salt is an unknown (random) element