Time Factor in OCRA Response


m.bahr...@gmail.com

Feb 28, 2014, 12:31:09 PM
to lin...@googlegroups.com
Hi,

I tried an OTP token that provides both TOTP and OCRA based on the same seed. The OTP generates the OCRA response based on seed, challenge and time. I added the seed to LinOTP and successfully tested the TOTP functionality. Then I tried to validate a challenge/response from the token with the simple challenge '123'. I used validate/check_s but modified the source code of check_s() to get and use the challenge parameter. My test for the challenge/response functionality failed. I debugged the code and figured out that LinOTP's OCRA doesn't use time to generate the response. Am I right? How can I use my token with LinOTP?

BTW I don't bind any user to my token and just validate with the serial number.

Regards
Mehdi Bahrbegi

Cornelius Kölbel

Feb 28, 2014, 12:59:19 PM
to lin...@googlegroups.com
Hi Mehdi,

how did you initialize or create the OCRA token?

There are two OCRA tokens at the moment, type "OCRA" and type "OCRA2".

For the OCRA token you can use the OCRAController:

http://www.linotp.org/doc/latest/part-module-dev/authentication/ocra.html?highlight=ocra#linotp.controllers.ocra.OcraController

There you have functions for creating a request/challenge and answering
the challenge.
Old, robust and sure about it.

The OCRA2 token works with the new challenge response mechanism.
New, and only limited experience ;-)

Both ocra tokens are able to work as timebased tokens.
You need to specify the OCRA suite!
How did you initialize or create the OCRA token?

You can import the token information with the "OATH CSV" import like this:

serial, key, ocra, [ocra-suite]

(linotp.lib.importOTP)

Kind regards
Cornelius
--
Cornelius Kölbel
(Head of Product Management)
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 86086-252, Fax: -299, Mobil: +49 160 96307089
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschaeftsfuehrer: Oliver Michel, Sven Walther



Kay Winkler

Feb 28, 2014, 4:15:59 PM
to m.bahr...@gmail.com, lin...@googlegroups.com

Hi Mehdi,

hmm, I did not get all you want to do with an ocra
and a totp token with the same seed.

The totp algorithm is of course a simple hash
on seed + time/timeslice.

But the ocra algorithm is different and a little bit
more complex. Besides the ability to choose between the
hash algo and the otp len, you can also choose
whether it is a time or counter based one. And it has the ability
to deal with several types of challenges - numeric, ascii
and hex - plus the challenge length, which is padded beneath
the seed.

Did you have a look at the sources? You can have a look
at lib/ocra.py, which reflects the ocra implementation,
and test/test_ocra or test/test_ocra2 - which by the way
use the same ocra algorithm, but where you can find
hints for the different ocra modes.

The main difference between the linotp ocra and ocra2 token though
is the lifetime of the challenges.


If you want to play around with the ocra2 token, you
could use the android / IOS token app, searching for 1822*.
On the LinOTP side you could then use the selfservice
portal to roll out and activate these ocra2 tokens -
after you have added the appropriate policies.
Using the ocra token app is really fun, especially using the
/auth/ocra2 test page, where you can do an ocra challenge
response on one html page.

Is this what you are searching for? Please feel free to ask.


Best regards,

Kay
--
Kay Winkler (Software Development), http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 6151 - 86086 262, Fax: 299, Mobil: +49 1515 4294 800
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther

m.bahr...@gmail.com

Mar 1, 2014, 1:12:35 PM
to lin...@googlegroups.com
On Friday, February 28, 2014 9:29:19 PM UTC+3:30, Cornelius Kölbel wrote:

I'll ask the OTP provider for its OCRA suite. I think it will solve the problem. BTW what is the difference between OCRA and OCRA2?

m.bahr...@gmail.com

Mar 1, 2014, 1:19:46 PM
to lin...@googlegroups.com, m.bahr...@gmail.com, Kay.W...@lsexperts.de, kay.w...@lsexperts.de

Hi Kay,

The point is that the token is going to be used both for authentication (TOTP) and transaction confirmation (OCRA). In this case the challenges, which are transaction data, are generated by a transaction processing system, not by the authentication server. Is it possible to validate a response that corresponds to a challenge with LinOTP? I mean the challenges are generated by an arbitrary system, then given to the token owner, and then both the challenge and the response from the token are sent to LinOTP.

Cornelius Kölbel

Mar 1, 2014, 1:33:28 PM
to lin...@googlegroups.com
Hi Mehdi,

I guess you have a Feitian token?
Those are capable of TOTP and OCRA.

Which one is it?

Kind regards
Cornelius

m.bahr...@gmail.com

Mar 1, 2014, 2:11:40 PM
to lin...@googlegroups.com, co...@cornelinux.de
Hi Cornelius,

It is very similar to Feitian. I think they are compatible but I'm not sure.
It's from a Singapore provider, called Edge, but is manufactured in China.

Cornelius Kölbel

Mar 1, 2014, 3:23:34 PM
to m.bahr...@gmail.com, lin...@googlegroups.com
If I had known it, I might have told you the ocra suite.

kind regards
Cornelius


Kay Winkler

Mar 1, 2014, 3:28:30 PM
to m.bahr...@gmail.com, lin...@googlegroups.com

Hi Mehdi,


ok, now this is more clear to me - I will try to summarize:

- From the api side you have
  - a challenge and
  - a response for this challenge and
  - the token serial

and now you want to verify if this response belongs to that
challenge for this token - is this correct?

We implemented something similar those days, but I
have to search in the sources - as far as I remember I
implemented a validate/check for ocra, which takes a challenge
and a response and verifies if they correspond.

But as it has been a hidden feature it could be that, due to
refactoring - we completely overhauled the authentication processing
to support challenge response for all tokens - this might have
been lost - I have to reread the sources ... for the ocra token it might
still be there ... I will verify on monday, ok?

But otherwise, to implement this in the new upcoming 2.6.1 for the
ocra2 token is no big deal.

What linotp version are you using? When will you need this
functionality?


Best regards,

Kay

--
Kay Winkler (Software Development), http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 6151 - 86086 262, Fax: 299, Mobil: +49 1515 4294 800
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther

Mehdi Bahribayli

Mar 1, 2014, 3:31:00 PM
to Cornelius Kölbel, lin...@googlegroups.com
Hi Cornelius,

I think if I knew the Feitian c300 OCRA suite it would help. Do you know it?

Mehdi Bahribayli

Mar 1, 2014, 4:12:11 PM
to Kay.W...@lsexperts.de, lin...@googlegroups.com
Hi Kay,

Thanks for your follow up. Yes, that is exactly the case. I made a slight change to validate/check_s in LinOTP 2.5.2.1 to take the challenge as a parameter:
            challenge = getParam(param,"challenge",optional)
            if challenge is not None:
                options = {}
                options['challenge'] = challenge

I think now I need OCRA suite for my token.

We can continue Monday. I currently use LinOTP 2.6.0.3. By the way, I set it up both on Linux and Windows. Just a trivial patch that does the trick is enough. I wonder if you could prepare such a patch next week.

Regards
Mehdi Bahrbegi

Cornelius Kölbel

Mar 3, 2014, 5:14:16 AM
to lin...@googlegroups.com
Hi Mehdi,

I have a Feitian C300 in an older design.

I imported it to linotp with such a CSV file:


    <your serial goes here>, <your seed goes here>, ocra, OCRA-1:HOTP-SHA1-6:QN06-T1M


Kind regards
Cornelius

-- 
Cornelius Kölbel
(Head of Product Management)
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 86086-252, Fax: -299, Mobil: +49 160 96307089
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschaeftsfuehrer: Oliver Michel, Sven Walther


winkl...@gmail.com

Mar 3, 2014, 6:11:37 AM
to lin...@googlegroups.com, Kay.W...@lsexperts.de, m.bahr...@gmail.com
Hi Mehdi,

the hidden feature is not lost - it's even part of the test suite :-)
Have a look at **test_ocra2/test_ocra_challenge_check**.
It also works without a patch with validate/check_s, though this is not
covered by a test case.

So I've added a test using **validate/check_s** and your ocrasuite
'OCRA-1:HOTP-SHA1-6:QN06-T1M', which goes like this:

<pre>
    def test_ocra_challenge_check_s(self):
        '''
        Test support for challenges in validate/check_s on timebased ocra
        '''
        ocrasuite = 'OCRA-1:HOTP-SHA1-6:QN06-T1M'
        message = '783232123'
        serial = "QR2_123"

        # roll out the ocra2 token (two-step QR enrollment)
        ocra = OcraOtp()
        response1 = self.init_0_QR_Token(ocrasuite=ocrasuite, user=None,
                                         serial=serial)
        ocra.init_1(response1)

        (response2, activationkey) = self.init_1_QR_Token(ocrasuite=ocrasuite,
                                                          serial=serial,
                                                          message=message)
        (challenge, transid) = ocra.init_2(response2, activationkey)

        ''' finish rollout '''
        otp = ocra.callcOtp(challenge)
        response = self.check_otp(transid, otp)
        self.assertTrue('"value": true' in response, response)

        # challenge generated outside LinOTP, response computed by the token
        challenge = '123456'
        cout = ocra.counter
        otp = ocra.callcOtp(challenge, counter=cout + 1)

        parameters = {'pass': 'pin' + otp,
                      'serial': serial,
                      'challenge': challenge,
                      }

        # validate/check_s with serial, pass and the external challenge
        response = self.app.get(url(controller='validate',
                                    action='check_s'),
                                params=parameters)
        assert '"value": true' in response

        self.removeTokens(serial=ocra.serial)

        return
</pre>

Mehdi Bahribayli

Mar 4, 2014, 3:43:30 AM
to winkl...@gmail.com, lin...@googlegroups.com, Kay.W...@lsexperts.de

On Mon, Mar 3, 2014 at 2:41 PM, <winkl...@gmail.com> wrote:
> test_ocra_challenge_check_s

Hi Kay,

1. I use LinOTP 2.6.0.3 and couldn't find test_ocra_challenge_check_s in test_ocra2. I called validate/check_s with the serial, pass and challenge parameters but it failed.

2. To test the TOTP functionality I add a TOTP token with the same seed as my OCRA token. Is there a way to have both functionalities through LinOTP with just a single token definition?

BTW my OCRA suite is OCRA-1:HOTP-SHA1-6:QA40-T1M and my hardware token has a 520 sec time shift.

Regards

winkl...@gmail.com

Mar 4, 2014, 4:56:10 AM
to lin...@googlegroups.com, winkl...@gmail.com, Kay.W...@lsexperts.de, m.bahr...@gmail.com
Sorry Mehdi,

you got me wrong - I just posted a unit test, where you can see that it works -
referring to an existing test (**test_ocra2/test_ocra_challenge_check**), which is already in the release 2.6.0.3.
And the posted test used the ocrasuite 'OCRA-1:HOTP-SHA1-6:QN06-T1M', which is a
numeric challenge of 6 digits length (QN06) - so your token using a challenge of
40 chars (QA40) should be ok too, as it is covered by the other tests.

To find out what's going on and why it fails, we of course need more information :-) like log files and configuration.

W.r.t. your hardware - you can have two tokens for the same seed and as they are both time based tokens, there might be no difference. To ease the handling though, I would suggest to use one user they are both assigned to and let LinOTP decide which one is to be used.

Regards,
Kay
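To make the time factor discussed in this thread concrete, here is an RFC 6287 OCRA computation for the suites named above (QN06-T1M from the CSV import line, QA40-T1M from the Edge/Feitian-style token), added as an example; it is not LinOTP's lib/ocra.py. The key is the 20-byte RFC 6287 test key, the challenge and clock values are constructed, and the PIN (P) and session (S) data-input elements are left out.

```python
import hmac
import hashlib
import re

# RFC 6287 test key (20-byte ASCII "12345678901234567890"), used for the self-check.
RFC_KEY20 = bytes.fromhex("3132333435363738393031323334353637383930")

def ocra_response(suite, key, question, counter=None, time_step=None):
    """OCRA response for `question` under `suite`; `time_step` is the number of
    suite time steps (minutes for T1M) since the Unix epoch, None if no T part."""
    crypto, data_input = suite.split(":")[1:3]
    hash_name, digits = re.match(r"HOTP-(SHA\d+)-(\d+)", crypto).groups()
    parts = data_input.split("-")
    q = next(p for p in parts if p.startswith("Q"))      # e.g. QN06, QA40, QH08
    if len(question) > int(q[2:]):
        raise ValueError("challenge longer than the suite allows")
    # DataInput = suite || 0x00 || [C] || Q || [T]   (P and S are not used here)
    msg = suite.encode() + b"\x00"
    if "C" in parts:
        msg += counter.to_bytes(8, "big")
    if q[1] == "N":
        q_hex = format(int(question), "x")   # numeric: decimal -> hex, as in the RFC reference code
    elif q[1] == "A":
        q_hex = question.encode().hex()      # ascii: the raw bytes
    else:
        q_hex = question                     # hex: as given
    msg += bytes.fromhex(q_hex.ljust(256, "0"))  # Q is always 128 bytes, zero-padded on the right
    if any(p.startswith("T") for p in parts):
        msg += time_step.to_bytes(8, "big")      # the time factor: 8-byte big-endian step count
    mac = hmac.new(key, msg, getattr(hashlib, hash_name.lower())).digest()
    offset = mac[-1] & 0x0F                      # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** int(digits)).zfill(int(digits))

def time_step_seconds(suite):
    """Length of one time step from the T element: T1M -> 60, T30S -> 30, T1H -> 3600."""
    t = re.search(r"T(\d+)([SMH])", suite.split(":")[2])
    return int(t.group(1)) * {"S": 1, "M": 60, "H": 3600}[t.group(2)]

def verify_response(suite, key, question, response, now, window=1):
    """Server side: accept `response` if it matches any step within +/- `window`
    steps of the server clock `now` (seconds); returns the drift in steps, or None."""
    step = now // time_step_seconds(suite)
    for drift in range(-window, window + 1):
        expected = ocra_response(suite, key, question, time_step=step + drift)
        if hmac.compare_digest(expected, response):
            return drift
    return None
```

With a one-minute step, a token that runs 520 seconds off, as mentioned above, lands eight or nine steps away from the server clock, so the verifier has to either open the window that wide or measure and store the token's offset; a wide window also lengthens the period in which a captured response stays valid.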

Mehdi Bahribayli

Mar 4, 2014, 7:34:37 AM
to winkl...@gmail.com, lin...@googlegroups.com, Kay.W...@lsexperts.de
Hi Kay,

Thanks for your follow up. I'll test and update you.

Regards
Mehdi