Two-Factor Authentication using TOTP
Features implemented:
- Command line tool for user registration and user login
- Client and server communicate over a TLS socket
- Self signed cert for TLS
- SRP protocol for password based authentication
- 2FA registration and QR code generation
- TOTP token generation and verification
- Database encryption/decryption using AES
Requirements:
The code was tested on Ubuntu 20.04 with python3. To run, use: python3 server_tls.py python3 client_tls.py
To install dependencies run: sudo apt install python3-crypto python-typing python3-pandas python3-qrcode python3-srp
Packages installed above provide: For import Crypto.Cipher: python3-crypto For import typing: python-typing For import pandas: python3-pandas For import qrcode, 'qr'command: python3-qrcode For import srp: python3-srp
For ssl package: I think 'import ssl' is provided by default in ubuntu, it is installed by libpython3.8-minimal package.
For TOTP: Google authenticator app installed on any phone/tab
How to run: (Steps which need user inputs are marked with > )
- Run "server_tls.py" first in a terminal. Command : "python3 server_tls.py"
- Server prompts for admin password. This is because database is being AES encrypted. Enter a password for the first time and remember it, as it is required for running server again.
- If password is lost, delete "registered_users.enc" and start again.
- In another window, run "client_tls.py". Command : "python3 client_tls.py". For client to work, server should be running and admin password should be verified
- Client prompts to select 1 for User registration and 2 for User login. For new user, select 1
- Enter username and password (minimum length sepcified, max set to 50 characters)
- A secure TLS connection is formed between client and server. SRP protocol is followed where client only sends username, verifier key and salt.
- Server decrypts .csv file and checks if user already exists. If the file does not exists, new file gets created.
- Server registers using SRP protocol where it stores verification key, salt and username for new user in an encrypted file.
- Once this registration is successful, server will generate a TOTP secret using a random number generator.
- This is shared with client which displays secret as QR code.
- Use Google Authenticator to scan this QR code
Login: 13. Once a new user is created, option 2 can be selected for login. 14. Enter user name and password of a registered user. 15. If user credential is invalid, error is displayed. (Server verifies user from the encrypted database) 16. Once username and password is entered, authentication is done based on SRP. Client generates "A" and sends this to server along with username. 17. Server decrypts the database, retrieves user details from database (verification key, salt, secret) 18. SRP protocol is followed as below:
Client => Server: username, A
Server => Client: s, B
Client => Server: M
Server => Client: HAMK
See https://pythonhosted.org/srp/srp.html for more details
- Once all of the steps in the protocol are done, authentication process is marked complete. Client displays success message to user. 20.> Now client prompts to enter 6 digit TOTP token. This is the current token being displayed in Google Authenticator. 21.> Enter those 6 digits. Server then generates TOTP using current timestamp and secret, and matches with the 6 digits entered by user.
- If the tokens match, two factor authentication is successful
- Login successful message is displayed. 24.> Ctrl+C command can be used to stop the client and server applications.