Scalability Blog

Scaling tips, insights, updates, culture, and more from our Server Experts.
 

Protect Big Data With Two Factor Authentication

big-data-blog-header

Big data security is everyone’s responsibility.  Using weak passwords or entering your password from compromised workstations can undermine your organization’s entire infrastructure.  Even on a workstation free of trojans, viruses, and software based keyloggers, there is still a threat from hardware keyloggers.

Hardware based keyloggers for USB and PS/2 devices, such as keyboards and mice, are very affordable and easy to conceal. For $40-$60 anyone can buy a hardware keylogger and introduce it in your environment. You may not even notice that one has been attached between your keyboard and your PC.  This is especially true with larger offices that have interns, cleaning crews, delivery couriers, and others frequenting their place of business.  It does not even have to be an outsider trying to infiltrate your infrastructure – the threat could come from users with lower level access who would like to gain access to accounting, billing, or research and development information.  Once they have your credentials, there is nothing that a client – server architecture can do to stop them from using it, or is there?

The last line of defense is a two-factor authentication. You don’t have to buy expensive key fobs or recurring licenses to get it to work.  Although there are commercial products out there that provide two factor authentication, most of them have a commercial interest, offer complex setup, and a solution that only works on one phone or standalone device.  Google Authenticator is a good choice because it can be used on multiple devices as well as your desktop.  If you prefer to use your own implementation, there are simple solutions based on Time-based One-time Password Algorithms (TOTP).  The code is publically available and mathematically sound.  It is worth mentioning that the clocks need to be in sync, but the drift rate can be as high as a second and still remain usable. For simplicity, we’ll use QR barcodes with Google Authenticator.

Generating a QR code can be accomplished by using Google Charts Tools.  For example, to generate a QR code for key ‘secretkey’ we need to convert ‘secretkey’ to base32 first. Make sure to pick your own combination.

Using Python:

>>> import base64
>>> base64.b32encode('secretkey')

'ONSWG4TFORVWK6I='

Now you can generate a QR code for any account using that secretkey.  Suppose your account name is username@domain.com and combined with base32 encoded key from above, the URL to generate a QR code is:

https://www.google.com/chart?chs=200×200&chld=M|0&cht=qr&chl=otpauth://totp/username@domain.com?secret=ONSWG4TFORVWK6I=

qr-code

You can import this account into your Google Authenticator by scanning the barcode:

google-authenticator

Google Authenticator data can also be physically backed up since it is just a SQLite database file located in /data/data/com.google.android.apps.authenticator/databases/databases on your Android device.  Your device would have to be rooted in order to access that folder.  Unfortunately the file is not encrypted, so losing your device is not recommended.

On rooted Android with Terminal Emulator, the file can be read directly:

# su
# sqlite3 /data/data/com.google.android.apps.authenticator/databases/databases
sqlite> select * from accounts;

10|username@domain.com|ONSWG4TFORVWK6I=|0|0|0

If you lost your phone or iOS device where you have Google Authenticator installed, you would have to login to your Google account and revoke the keys.  If you have made a backup of the database file, you can either re-create the barcode and enter it on another device, or obtain the 6 digit combination directly using the following Python code (make sure to change my_secret to your own value).


import hmac, base64, struct, hashlib, time

def get_hotp_token(secret, intervals_no):
    key = base64.b32decode(secret, True)
    msg = struct.pack(">Q", intervals_no)
    h = hmac.new(key, msg, hashlib.sha1).digest()
    o = ord(h[19]) & 15
    h = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000
    return h

def get_totp_token(secret):
    return get_hotp_token(secret, intervals_no=int(time.time())//30)

my_secret = '4V5OYJGQ5PIZXINF'
my_token = get_totp_token(my_secret)
print my_token

python

As you can see it closely matches what is displayed on Google Authenticator:

google-authenticator-2

Tune in next time when we cover how to incorporate TOTP authentication into your infrastructure.