Python Code For Time-based Dynamic Key Generation

10.12.2020
52 Comments
  1. Python Code For Time-based Dynamic Key Generation Free
  2. Python Code For Time-based Dynamic Key Generation 2017

by Prakash Sharma

With the increase in cyber security threats, it has become more and more necessary to upgrade the security standards of your web applications. You need to make sure your users’ accounts are safe.

Steps to follow for Python Generate HTML: Get data to feed in the table (Here ASCII code for each char value is calculated.) Keep Loops over a number of rows in the table and feed data on HTML table. Save the generated HTML code in.html file. Open a file in the browser. There are code generation tools for python, like PeachPy for Assembly. You can also write code very similar to python with Cython, which then gets compiled to C or C code. But Python itself isn't going to have a model-based design tool. That is outside the scope of the project.

Nowadays, a lot of online web applications are asking users to add an extra layer of security for their account. They do it by enabling 2-factor authentication. There are various methods of implementing 2-factor authentication, and TOTP (the Time-based One-Time Password algorithm) authentication is one of them.

This article explains what it is, and how and why to use it. But before understanding that, let’s first briefly take a look at what two-factor authentication means.

What is Two Factor Authentication?

Two-factor authentication (or multi factor authentication) is just an extra layer of security for a user’s account. That means that, after enabling two factor authentication, the user has to go through one more step to log in successfully. For example, the usual steps for logging in to an account are:

But after enabling 2-factor authentication, the steps look something like this:

So this adds one more step to the login process. This method is more secure, because a criminal cannot access the user’s account unless they have access to both the user’s regular password and one time password.

Currently, there are two widely used methods to get that one time password:

  1. SMS-based: In this method, every time the user logs in, they receive a text message to their registered phone number, which contains a One Time Password.
  2. TOTP-based: In this method, while enabling 2-factor authentication, the user is asked to scan a QR image using a specific smartphone application.
    That application then continuously generates the One Time Password for the user.

The SMS-based method does not need any explanation. It’s easy, but it has its own problems, like waiting for the SMS on every login attempt, security issues, and so on. The TOTP-based method is becoming popular because of it’s advantages over the SMS-based method. So let’s understand how the TOTP-based method works.

How the TOTP-based method works

Before understanding this, let’s first discuss what problems this method will solve for us.

By using the TOTP method, we are creating a one time password on the user side (instead of server side) through a smartphone application.

This means that users always have access to their one time password. So it prevents the server from sending a text message every time user tries to login.

Also, the generated password changes after a certain time interval, so it behaves like a one time password.

Great! Now let’s understand the workings of the TOTP-method and try to implement the above solution ourselves. Our requirement here is to create a password on the user side, and that password should keep changing.

The following could be a way to implement this solution:

This should work, but there are three main problems with it:

  1. How will the application generate a one time password using a secret key and counter?
  2. How will the counter update? How will the web server keep track of the counter?
  3. How will the server share the secret key with the phone’s application?

The solution to the first problem is defined in the HOTP algorithm.

Understanding HOTP:

HOTP stands for “HMAC-Based One-Time Password”. This algorithm was published as RFC4226 by the Internet Engineering Task Force (IETF). HOTP defines an algorithm to create a one time password from a secret key and a counter.

You can use this algorithm in two steps:

  1. The first step is to create an HMAC hash from a secret key and counter.

2. In this code, the output would be a 20 byte long string. That long string is not suitable as a one time password. So we need a way to truncate that string. HOTP defines a way to truncate that string to our desired length.

It might look scary, but it is not. In this algorithm, we first obtain offset which is the last 4 bits of hmacHash[19]. After that, we concatenate the bytes from hmacHash[offset] to hmacHash[offset+3] and store the last 31 bits to truncatedHash. Finally, using a simple modulo operation, we obtain the one time password that’s a reasonable length.

This pretty much defines the HOTP algorithm. The RFA4226 doc explains why this is the most secure way to obtain a one time password from these two values.

Great! So we have found a way to obtain a one time password using a secret key and counter. But what about the second problem? How to keep track of the counter?

The solution to second problem is found in the TOTP.

Understanding TOTP:

TOTP stands for “Time-Based One-Time Password”. This was published as RFC6238 by IETF.

A TOTP uses the HOTP algorithm to obtain the one time password. The only difference is that it uses “Time” in the place of “counter,” and that gives the solution to our second problem.

That means that instead of initializing the counter and keeping track of it, we can use time as a counter in the HOTP algorithm to obtain the OTP. As a server and phone both have access to time, neither of them has to keep track of the counter.

Also, to avoid the problem of different time zones of the server and phone, we can use a Unix timestamp, which is independent of time zones.

However the Unix time is defined in seconds, so it changes every second. That means the generated password will change every second which is not good. Instead, we need to add a significant interval before changing the password. For example, the Google Authenticator App changes the code every 30 seconds.

Python Code For Time-based Dynamic Key Generation Free

So we have solved the problem of the counter. Now we need to address our third problem: sharing the secret key with the phone application. Here, a QR code can help us.

Using a QR code

Though we can ask the users to type the secret key into their phone application directly, we want to make secret keys quite long for security reasons. Asking the user to type in such a long string would not be a user friendly experience.

Since the majority of smartphones are equipped with a camera, we can use it and ask the user to scan a QR code to obtain the secret key from it. So all we need to do is to convert the secret key in the QR code and show it to the user.

We have solved all three problems! And now you know how TOTP works. Let’s see how to implement it in an application.

How to implement TOTP

There are some free phone applications (like Google Authenticator App, Authy, and so on) available which can generate an OTP for the user. Therefore, in most cases, creating your own phone application is not necessary.

The following pseudo codes explain a way to implement TOTP-based 2-factor authentication in a web application.

The user is asked to scan that QR code. When the phone application scans the QR code, it gets the user’s secret key. Using that secret key, the current Unix time, and the HOTP algorithm, the phone application will generate and display the password.

We ask the user to type the generated code after scanning the QR code. This is required, because we want to make sure that the user has successfully scanned the image and the phone application has successfully generated the code.

Here we use the HOTP algorithm on the server side to get the OTP-based authentication on the secret key and current unix time. If that OTP is the same as the one typed by the user, then we can enable 2-factor authentication for that user.

Now after every login operation, we need to check if this particular user has 2-factor authentication enabled. If it is enabled, then we ask for the one time password displayed in the phone application. And if that typed code is correct, only then is the user authenticated.

What happens if the user loses the code?

Python Code For Time-based Dynamic Key Generation 2017

There are a couple of ways to help the user to recover the code. Usually when they are enabling 2-factor authentication, we can show the secret key to them along with the QR code and ask them to save that code somewhere safely.

Applications like Google Authenticator App let you generate the password by directly entering the secret key. If the user loses the code, they can enter that safely saved secret key in the phone application to generate the OTP again.

If we have the user’s phone number, we can also use the SMS-based method to send an OTP to the user to help them recover the code.

Wrapping Up

Two factor authentication is gaining popularity. A lot of web applications are implementing it for extra security.

Unlike the SMS-based method, the TOTP method does not require a lot of extra effort either. So this feature is worth implementing for any application.

Description

Attendance Monitor and Control System (A.M.C. System) is an attempt to automate the process of attendance. It uses computer webcam to scan for QR codes, where based on it's authentication and validation algorithm, decides to either record or ignore the decoded data.

It is a cost efficient, yet fully functional method of attendance automation which integrates as front interface for monitoring and recording with already existing cloud storage.

It features time-bound attendance monitor, encrypted session generator, attendee QR code generator, schedule generator, ability to configure AMC system values, feedback mechanism, record exporter, along with direct mailing capability, with robust connection loss recovery.

Quick Background

My college has this peculiar method of record keeping - first onto a sheet of paper (which were oftentimes compiled by students themselves, or the faculty during their lecture), then onto a register, after which each faculty member would manually enter their lecture's record into an excel sheet and upload that to our colleges' database.

Clearly this is not the most sophisticated or efficient method of recording attendance. And since it is to be expected that no institute would allow a non-faculty member direct-or-connection access to their central database, this left little room for improvement to be brought about by a student like myself.

So I worked out a solution which would not only allow for monitoring attendance, but also record keeping without direct interaction with the main server or their database. This solution needed to be legacy-compatible, so it could be installed without changing the structure of the current system.

Solution

AMC system is integrated with the time-slots, which are pairs of start and end time of a lecture. This enables the system to account for attendance per lecture. Furthermore, to prevent exploit from students scanning and walking away before a faculty comes in, the system is equipped with authentication and validation mechanism.

It'll only accept input (which it further evaluates for a match in attendee record), after a faculty scans their own QR code, setting the system state to 'activated'. These codes are session tokens assigned to faculty members. Session tokens are both encrypted, and are only valid for a day. Each day, new set of tokens are generated and sent over mail to the respective faculties. These need not be printed - and can be scanned directly from their phone screens. Rsa key pair generation java.

Since the system is integrated with time-slots, attendance can only be registered during the lecture, not before or after. Also, it sends off a high-frequency warning beep before a set period of time against lecture end time, as a reminder that last few minutes are left before lecture is over. Once the lecture is over, it flushes the attendance record to an excel sheet, a copy of which is sent over as attachment to the faculty taking the lecture, one copy is saved to the filesystem, and when all the lectures in a day are over, or if monitor mode is stopped before that, then a collective record of all the lectures taken throughout the day get saved locally with a copy sent over as email attachment to the head faculty of the department.

The state of the system is reset back to 'deactivated' and the cycle of authentication is repeated.

The mail that is sent over to the faculty taking the lecture, contains meta info on number of attendees, along with an excel sheet logging their names and roll numbers. So the faculty can do a simple headcount to match number of attendees in the log vs the number actually present, to catch the case if a student tries to play around with the system by scanning multiple QR codes to mark someone else's attendance. In case of mismatch, they may decide a necessary course of action.

Upgrade Option

In case QR code system doesn't serve to suffice, there is an option for easy upgrade to biometric scanning, which doesn't deal with issues of proxies and duplicity. The core of the application is the the automation algorithm which can be used interchangeably with biometric scanning.

Of course this upgrade comes at the cost of having to train the biometric model with each entry containing multiple biometric scans of the same person, without certainty of accurate recognition.

Requirements

  • Python3.7+ (and all required python3 modules)(Download Python 3.7.4)
  • Pip Modules:
    • colorama0.4.1
    • numpy1.17.3
    • opencv-python4.1.1.26
    • pandas0.25.2
    • Pillow6.2.0
    • PyQt55.13.1
    • PyQt5-sip12.7.0
    • python-dateutil2.8.0
    • pytz2019.3
    • pyzbar0.1.8
    • qrcode6.1
    • six1.12.0
    • XlsxWriter1.2.2
  • Visual C++ Redistributable Packages (x64 or x86)(Download Here)

Instructions

(Make sure you have python, above mentioned pip modules, and visual C++ redistributable packages installed on your system)

Check 'Add Python 3.x to PATH' during installation.

  1. Download and extract the zip file.

  2. Install requirements (navigate to root directory on command line). Run command:

  3. Go to 'resources' folder and edit all the JSON files. (You may use the dummy files for testing - check 'dummy-data' directory) (Use this online editor to check formatting errors)

  4. From root as present working directory, run the following command:

  5. In the window that opens, click on 'Configure AMC values'. Enter required values. Restart application using the above command.

  6. Generate Session Tokens and Attendee Tokens and distribute them as per your requirement.

  7. Make sure you have a webcam connected and installed on your system. AMC System uses primary camera for capturing sessions, make sure its not being used by another application. (Try connecting through different ports if you're using an external webcam)

  8. Start Attendance Monitor.

Version

AMC System v2.0.0 is its first public release (see commit: 61c13ab).

Contributions

Contributions are welcome. Make a pull request.

License

This project is available for free use under GNU General Public License v3.0.