[intro] We frequently hear that if a website supports two-factor authentication, enabling it for our account is a good idea. That’s what the security guards say. But how does it work, and why does it make our accounts so much more secure? That’s what today’s episode is all about. It’s Necessary To Explain A Few Concepts To Fully Understand How Two-factor Authentication Works. I’ll start by explaining how the “time-basedone-time Password” algorithm works. It Is The Most Common Type Of Two-Factor Authentication To comprehend its implementation, you must first learn what the Sha1 and Hmac Sha1 algorithms are, as well as the differences between them. At the end of this episode, I’ll show you how to implement this solution in a few lines. The Totp Algorithm is a free and open standard that anyone can use. I’ll make an attempt to convert this document into a simple video. The Algorithm’s Security Is Based On The So-Called Secret It’s a randomly generated value that’s saved by both parties involved in authentication – for example, a website and the user who wants to authenticate. Safeguard His Bank Account And the secret is the element on which the entire solution’s security is predicated. If the assailant is able to guess or steal He Can Gain Access To An Account That Uses The Token Using These SeveralRandom Characters The Whole Point Of Two-Factor Authentication Is That The User Must Enter Several Digits Of The Token After Providing The Correct Login And Password. What’s the Point Is that the numerical value of these numbers fluctuates over time. As a result, remembering such a sequence of numbers and then using it in the future is impossible. Simply put, it will be invalid. To generate new values, the simplest solution is to use the currentdate and time. Of course, the present time is predictable in and of itself. It’s pointless to use it as a secret element. The “secret” is about to be revealed. It’s a piece of the puzzle. Is kept private and only two parties involved in the process – the site and the user – are aware of it. In a nutshell, the mechanism works as follows: The Token Generator takes the current date, multiplies it by a factor of ten, and generates a token. Then he adds our special ingredient. Then, from this sequence, a cryptographically secure value is calculated. This is the value that a user enters on a website. The same operation is carried out by the website itself. As a result, it is able to verify the value provided. The User’s We’ve already figured out how the process works in general. However, in order to comprehend its implementation, we must first explain a few key concepts. The Base32 Algorithm Will Be Our First Stop. We Can Write 256 Different Characters Using Ascii Encoding Beginning with letters and numbers and ending with special characters like the percent sign or the dollar sign It also includes difficult-to-express signals. The End Of Line Character is an example. It Simply Indicates The End Of A Line And The Beginning Of A New Line – It Is What The “enter” Key Does. Our “secret” is supposed to be safe because it is classified. As a result, it can include any characters. Supported by Asciiencoding This makes it more difficult for the attacker to guess. However, this raises some concerns. It’s possible that the user will have trouble entering characters that aren’t on the keyboard. For example, instead of entering a new line character, “pressing” the Enter key usually submits the form. How Can This Problem Be Solved? The Base32 Encoding Is The Answer. It is an algorithm that allows any Ascii character to be expressed using only 32 characters: 26 letters and numbers ranging from 2 to 7. Of course, such encoding has a major drawback: it takes up more storage space than a standard password. At Least Two Other Symbols Must Be Used To Present One Character It Does, however, Have One Significant Advantage: It Contains Characters That A Typical Supports for the keyboard Anyone can easily enter these symbols as a result of this. We already know how to get the “secret” into a user’s system. It’s finally time to present a cryptographically secure function for creating tokens. When we want to compare two documents, the most straightforward solution is to look at their content. Each character in turn This isn’t a big deal for small files. However, for larger documents, such as those exceeding 100 pages, this can be problematic. Hash functions were created for this reason. They convert the entire contents of the file into a short, several-character result. Sha1 Is One Of Thistype’s Most Popular Functions. Its output is only 40 characters long. A Key Characteristic of Hash Functions Even a minor change in the document’s content, such as replacing the letter “a” with “b” at the start, results in a total change in the resulting hash. In most cases, the difference is so significant that in comparing hashes, not a single letter coincides. And this is the function that was used to generate the token that resulted. We can compute the hash for a string that contains the current date and our “secret” information. As a result, we get a hash of 40 characters. As the properties of the function demonstrate, it’s enough for the date to change by one minute for the resulting hash to change completely. It Appears To Be The Ideal Solution For This Situation. However, this is not the case. It’s because of the so-called “length Extensionattack” is a term used to describe a type of attack To grasp this concept, we must first understand how the Sha function works. I’ll use some simplification to make the video easier to understand. This function is only applicable to 512-bit blocks. This implies that our input text is divided into equal-length blocks. After that, each of these blocks is processed separately. On their own, A Hash Is Generated After The Block Is Processed That hash is then used as an input when the next block is processed. The Last Hash Is Our Final Hash After All Blocks Have Been Processed Or, to put it another way, it’s the result of a predetermined function. Data Is Processed in Blocks, Which Is A Security Issue. I’ll use the metaphor of a letter to a beloved person to explain why: Suppose we write such a letter. With the words “I, Love You,” we confess our love at the very end. However, we want our beloved to be able to double-check that the letter’s content hasn’t been changed along the way. We Enclose Sha1 Hash Of The Letter At The End Following receipt of the letter, Our Beloved One can calculate the hash from the message’s body and compare it to the one provided by us. So far, everything appears to be in order. Assume, however, that our letter has been intercepted by a nefarious postman. He changed our love confession to “I Donot Love You.” He calculated the new hash of the letter to match the new message, in order to make everything look as authentic as possible. We can only imagine how upset the woman was when she got the news. We Set A Secret To Save Ourselves From A Similar Misfortune In The Future.
Between Us, We Have a Password Let’s pretend it’s “love.” We now include our password at the start of each letter. Then, and only then, do we calculate the hash from such a sequence of characters. The Postman is unaware of our agreement because it is confidential. He has no idea what he needs to add to the letter in order for the hash to be correct. Isn’t it clever? Not necessarily. Remember how I said that Sha divides the file into blocks and then performs a mathematical operation on each block separately? The result is Passedas.
The Postman Is Aware Of The Outcome Of The Mathematical Operation Performed On The Previous Block It’s the Hash We Got As A Result All he has to do now is add a message to the end of our letter and input our hash. Because the first block of message contains our secret word “love,” this hash already contains it.
It was contained. To calculate the correct hash, he doesn’t need to know our secret word. He doesn’t change the message’s beginning, but only adds something to the end. He Extends the Message’s Length And the other Algorithm was created to protect against this type of problem. Hmac Sha1 is the name of the program. The Basic Concepts Have Been Learned It’s finally time to start putting the plan into action. First, we use the Base32 algorithm to decode “secret.” As I previously stated, 2fa strongly relies on time. However, each country has its own time zone. As a result, the algorithm’s designers chose to use the Unix Time Format. The number of seconds that have passed since January 1, 1970 is known as Unix time. So, we’ve got some time. However, it is not a good idea to use a token that changes every second. A Second User Will Almost Certainly Not Be Able To Enter A New Phrase Within As a result, it was decided that the algorithm’s output would not change every second. It, on the other hand, changes at regular intervals. The Standard Time Is 30 Seconds Unix Time Is Divided By 30 As A Result. As a result, the time is rounded up to 30 seconds. As a result, the user has 30 seconds to enter the result. This time, the “secret” is not used as a number. First and foremost, we require
To Hexadecimal Number Conversion On A Windows Calculator, This Can Be Demonstrated We convert our time from “dec” to “hex” and pad it with zeros, so it only takes 8 bytes. Then we use the Sha1 Hmac Function to pass our converted time and secret. As a result, we have 40 characters to work with. As a result, It’s not the best idea to make a user type 40 random characters in 30 seconds. As a result, some techniques are used to simplify the entire mechanism, just as they were before. The Result When We Take The 20th Character Of We Look For The Equivalent Of A, Given LetterFour Hash Characters In The Ascii Table? This Method Of Retrieving These 4 Characters Is Called A “dynamic Truncation” It’s difficult to say whether the method proposed in the standard actually improves the security of the data stored in it based on the information I’ve gathered. Leave a comment if you can explain why it was used. The four hash characters are then changed back to the number. The Ascii Table is used once more. We look up the hexadecimal equivalent of each character and copy the digit into the calculator. We take the decimal value after we’ve entered everything. Now comes the final phase of the operation. It’s also not easy to enter ten random numbers. As a result, it was decided that the user would enter 6 digits in accordance with the standard, resulting in the Operation Modulo Million. Finally, we only need to add leading zeros to our resulting string of characters to ensure that it always has 6 digits. That’s all there is to it. All of them We found out what the algorithm looks like. It’s time for the last bit of information. We usually don’t enter our secret when activating 2FA, instead opting for the QR code. This Is The Answer Much faster and more error-resistant It can also include additional information in the mobile token, such as the user’s name and the URL of the website where it will be used. The Concept Behind Such An Address Is Quite Simple. It begins with the Protocol’s name, followed by the Account. Our 'secret' Value, Then Our Name This information is encoded as a QR code, which can be read with a camera. And that was all I had planned to show in today’s video. As You Can See, Two-factor Authentication Isn’t That Difficult To Understand, And It Can Significantly Improve Our Security.
Expenses If you liked this video, please subscribe to my channel and visit my security website. szurek szurek Thank you for watching, and please follow me on Twitter @kacperszurek. I’ll see you in the next video.