One Time Passwords in C#


Recently I was working on a project where a time-based one-time password algorithm might come in handy. You know the one - you have a token that displays a 6-digit number and you enter it after your user name and password. It used to be restricted to hardware (e.g. RSA) but these days Google Authenticator is probably the best known.

While rolling something on your own is always a possibility, following the standard is always better because all the tough questions have been answered by people smarter than you. In this case everything needed was covered in RFC 6238 (Time-Based One-Time Password Algorithm) and RFC 4226 (An HMAC-Based One-Time Password Algorithm).

While the specifications do grant you some freedom in the choice of algorithm and the number of digits you wish to generate, looking at other services implementing the same algorithm, a 6-digit SHA-1 based code seems to be an unwritten rule. Equally universal seems to be the rule to use (unpadded) Base32 encoding of the secret key. Any implementation of the one-time password algorithm has to obey these rules if it wants to use the existing infrastructure - both server-side services and end-user applications (e.g. Google Authenticator or the Pebble one).

With my OneTimePassword implementation, basic code generation would look something like this:

var otp = new OneTimePassword("jbsw y3dp ehpk 3pxp");
txtCode.Text = otp.GetCode().ToString("000000"); //to generate new code

If you are on the server side, verification would look just slightly different:

var otp = new OneTimePassword("jbsw y3dp ehpk 3pxp");
var isValid = otp.IsCodeValid(code); //to verify one that user entered
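
What generation and verification involve under those conventions (6 digits, HMAC-SHA1, unpadded Base32, 30-second step), as an added example rather than the OneTimePassword class from this post: TotpSketch and its method names are hypothetical, and .NET 6 or later is assumed. Accepting one time step either side of the current one is a choice made in this sketch, not something the post specifies.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
static class TotpSketch { // hypothetical name; not the post's OneTimePassword class
    // Unpadded Base32 (RFC 4648); spaces and letter case are ignored.
    public static byte[] FromBase32(string text) {
        const string alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
        var bytes = new List<byte>();
        int buffer = 0, bits = 0;
        foreach (char ch in text.ToUpperInvariant().Replace(" ", "")) {
            int value = alphabet.IndexOf(ch);
            if (value < 0) throw new FormatException("Not a Base32 character: " + ch);
            buffer = (buffer << 5) | value;
            if ((bits += 5) < 8) continue;       // not a full byte yet
            bytes.Add((byte)(buffer >> (bits -= 8)));
            buffer &= (1 << bits) - 1;           // keep only the leftover bits
        }
        return bytes.ToArray();
    }
    // RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
    public static string Hotp(byte[] key, long counter) {
        byte[] message = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(message);
        using var hmac = new HMACSHA1(key);
        byte[] hash = hmac.ComputeHash(message);
        int o = hash[hash.Length - 1] & 0x0F;    // low nibble of last byte picks the offset
        int binary = (hash[o] & 0x7F) << 24 | hash[o + 1] << 16 | hash[o + 2] << 8 | hash[o + 3];
        return (binary % 1000000).ToString("000000");
    }
    // RFC 6238: the counter is the number of 30-second steps since the Unix epoch.
    public static string Totp(byte[] key, DateTimeOffset time) => Hotp(key, time.ToUnixTimeSeconds() / 30);
    // Server side: allow one step of clock drift either way; compare in constant time
    // and never exit early, so timing does not reveal which candidate matched.
    public static bool IsCodeValid(byte[] key, string entered, DateTimeOffset now) {
        bool ok = false;
        for (int drift = -1; drift <= 1; drift++)
            ok |= CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(Totp(key, now.AddSeconds(30 * drift))),
                Encoding.ASCII.GetBytes(entered));
        return ok;
    }
    static void Main() {
        byte[] rfcKey = Encoding.ASCII.GetBytes("12345678901234567890"); // RFC test key
        Console.WriteLine(Hotp(rfcKey, 0) == "755224"); // compare with RFC 4226 Appendix D
        byte[] key = FromBase32("jbsw y3dp ehpk 3pxp");  // sample secret from the post
        var now = DateTimeOffset.UtcNow;
        Console.WriteLine(IsCodeValid(key, Totp(key, now), now));
    }
}
```

A production verifier would also remember the last accepted time step per user, so a code cannot be replayed within its validity window.
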

If you want to generate a new secret key for an end-user:

var otp = new OneTimePassword();
var secret = otp.GetBase32Secret();

Pretty much all basic scenarios are covered and then some. A sample with full code is available for download.

PS: The OneTimePassword class supports many more things than the ones mentioned here. You can use it in HOTP (counter) mode with TimeStep=0; you can generate your own keys; validate codes; use SHA-256 and SHA-512; other digit lengths… Play with it and see.

Two Factor Authentication for WordPress


Besides getting HTTPS working, probably the most important security feature you can get for free on WordPress is two-factor authentication.

How does two-factor authentication work? In addition to your usual user name and password, you get to enter a 6-digit number that changes every 30 seconds or so. Since that number is based on a key only you should know, you can consider it another password. However, because it changes constantly, anybody snooping only gets to know your login for the next 30 seconds or so. After that time has passed, the previously captured code becomes useless. Two-factor authentication essentially makes the fact that your password is known irrelevant.

It is not fool-proof protection - somebody can just steal your key in addition to your password. However, since the key itself is never transmitted over the wire, it makes things considerably more difficult for an attacker. And it will definitely make common everyday non-targeted password attacks irrelevant.

Even if you run without HTTPS (which I don’t recommend) and you have to log in over public wireless (scary!) this will keep anybody snooping from getting the full account details he might need to log in. Yes, there is a possibility of somebody using your authentication cookie but, as long as you log out, you can rest assured that nobody can log in after you. In a plain-text world there are many other attacks somebody might try against you but two-factor authentication closes the most obvious doors.

I personally use the Two Factor Auth plugin for this purpose. Although it officially doesn’t support WordPress 4.1, I found it works perfectly fine. Installation is WordPress-simple and by default you will get a pretty usable system of getting codes mailed to your users when they attempt to log in.

However, each user gets an opportunity to enable the “third party” delivery type. That will give a QR code you just scan into e.g. Google Authenticator, and your mobile phone can generate codes every time you need them. The system for generating these codes is completely standardized and I am sure you can find your favorite application - whether it is on a desktop, a mobile phone, or even a watch.

It is a small change that will help security a lot.

PS: If you have Google mail and two-factor authentication is not enabled, what are you waiting for?

How Fast Can You Charge?

Recently I saw the SONICable Indiegogo project promising to double the charging speed on a computer. It is supposedly an advanced USB cable with a magic switch cutting your charge times in half. But not everything is as it seems.

First onto the topic of “unleashing double the charge power of the regular charge cable”. As you might know, the USB standard limits current to any USB device to 500 mA. What is not obvious from this is that even now you can have devices pulling much more than this - all the way until a small fuse stops you. Devices obeying the standard pull 500 mA because they are well-behaved citizens - not because USB restricts them from more. Just measure the current of any USB cup warmer. :)

Some devices, mobile phones in particular, also have a fast charging mode that triggers when they detect a wall charger. The detection method itself used to be different for every manufacturer. Fortunately they got standardized into two camps - Apple and everybody else. Leaving Apple aside, most phones use the USB Battery Charging Specification. Deep in the technical text there is a Dedicated Charging Port (DCP) detection method consisting of “short D+ to D- through resistance RDCP_DAT”. At the end of the specification we have RDCP_DAT defined as a maximum resistance of 200 Ω. In layman’s terms - just connect the freaking D+ and D- wires together.

Since a standard USB cable has four wires (5V, D-, D+, and GND - let’s forget about ID for now), the whole high-tech solution is to connect two wires together. That will make the device think it is connected to a wall charger and that it can stop being a good 500 mA citizen. It is the phone that will then pull around 1000 mA (rarely more) from the computer. Since fuses on USB ports are intentionally overdimensioned, the computer will generally allow it.

There are thousands of YouTube videos alone showing you how you can do this. All you need is to get an old USB cable and cut it open. Then short the data wires (white and green) together and voila - you have a cable giving you 1000 mA magic.

There are devices enabling this on eBay. A quick Google search found me The Practical Meter and USB Meter Pro on Kickstarter using exactly the same “magic” as SONICable. Heck, even my UsbAmps uses exactly the same principle from 2013 onward as a button option. Unofficially, there were people seeing me use a small screwdriver to connect D+/D- lines way before that. :)

This functionality is nothing special, nothing secret, nothing patentable, and definitely not magic. Paying for a $25 cable promising you magic when all it does is enable something you can get either for free or for a fraction of the cost is crazy in my opinion. To be completely fair, just based on the images, it does look like a nice cable - those with fashion in mind might be able to justify a $25 cable. Just don’t buy it for its technology.

And remember - with USB 3.1, its new connector, and the new USB Power Delivery standard, all this will become a pretty much irrelevant side note in the history of USB.

The Lost Vikings


As my kids keep growing (damn food!) I keep introducing them to games I used to play and love. Most of them I find on GoG but I do have my other sources too. :)

One of those old favorites was definitely Blizzard Vikings. It is a platform game with you in the role of the three vikings taken from their home by evil aliens. Fortunately they got out of jail and through many levels they will try to get home.

To make things interesting, each of them has their special skill. Eric is fast, Baleog has weapons, and Olaf can take care of defense. Only by using each of them can you pass the conundrums in front of them. While the first few levels are a tutorial and they aren’t hard at all, the further you go the more of your gray matter has to be used.

Keyboard controls are probably the worst part of the game. They have to be learned and they are not intuitive at all. Yes, the first few levels will teach you everything you need but if you leave the game alone for a few days you are back to square one. A cheat sheet is mandatory.

Of course, it is noticeable that this is an old game. Everything is blocky and the resolution is as low as it gets. However, the puzzles are interesting enough that you don’t care much. My kids (8 and 6 years) spent hours playing this game and not for one moment did they mention anything was wrong with the graphics. Yes, they do notice it is “different” but they didn’t see it as a negative thing.

Best of all, I found Vikings on battle.net as a free download. Thank you Blizzard.

How Not to Trim?


In order to play with electronics, one has to get some sweet parts. Ever since I moved to the States my supplier has been DigiKey. They have a good part selection, decent prices, and while their interface is not really the newest thing out there, it is good enough. Yes, I do occasionally have an issue or two but when my orders arrive, everything is in perfect order. Usually.

Since I always have multiple projects in parallel, I got into the habit of using the Customer Reference field to the fullest. I always fill in not only my name for the component but also the project name (e.g. C 10nF /16V NP0 (0805) [Esp8266Plug A1452]). That way I can easily sort stuff when it arrives and this has worked for me for a long time. But with the latest order I got a few packages where the Customer Reference text was Character Limit Exceeded and my component sorting got interesting.

It was obvious what happened. One of the many components that deal with data entry and printing labels didn’t like the field length. Not an ideal situation but nothing uncommon either. However, the decision on how to handle this situation is really bad.

First of all, the line has enough space for at least 72 characters. Why would you put a software limit of 48 on it? My best guess is that the limit was decided a long time ago for a completely different kind of label. They switched labels and simply forgot to update the length. Or there might be some legacy component in the middle that can handle only 48 characters. I think that would also be a good reason for limiting the length so low. The most realistic reason is that somebody simply copy/pasted the same limit as defined for the Description field. I can completely understand how that could happen.

But there is NO EXCUSE for deciding to drop the whole customer’s text and replace it with your own. Your system has limitations, and you obviously had them in mind during design. Perfect A in my opinion. But why wouldn’t you just WARN me when I enter that reference in the first place? There is data verification done on that page for the other fields. Why is this field so special that no verification can be performed?

And, if you really have to do anything, don’t replace MY text - trim it. What would help the customer more: Character Limit Exceeded or Q MOSFET, P-channel (SOT23-3) [ElectroPiggy A...? I am not sure what was going through the head of the person who made that particular decision but they definitely didn’t think of the customer.

I guess my script for ordering the parts will get another update…