Practical Cryptography for Developers
  • Welcome
  • Preface
  • Cryptography - Overview
  • Hash Functions
    • Crypto Hashes and Collisions
    • Hash Functions: Applications
    • Secure Hash Algorithms
    • Hash Functions - Examples
    • Exercises: Calculate Hashes
    • Proof-of-Work Hash Functions
  • MAC and Key Derivation
    • HMAC and Key Derivation
    • HMAC Calculation - Examples
    • Exercises: Calculate HMAC
    • KDF: Deriving Key from Password
    • PBKDF2
    • Modern Key Derivation Functions
    • Scrypt
    • Bcrypt
    • Linux crypt()
    • Argon2
    • Secure Password Storage
    • Exercises: Password Encryption
  • Secure Random Generators
    • Pseudo-Random Numbers - Examples
    • Secure Random Generators (CSPRNG)
    • Exercises: Pseudo-Random Generator
  • Key Exchange and DHKE
    • Diffie–Hellman Key Exchange
    • DHKE - Examples
    • Exercises: DHKE Key Exchange
  • Encryption: Symmetric and Asymmetric
  • Symmetric Key Ciphers
    • Cipher Block Modes
    • Popular Symmetric Algorithms
    • The AES Cipher - Concepts
    • AES Encrypt / Decrypt - Examples
    • Ethereum Wallet Encryption
    • Exercises: AES Encrypt / Decrypt
    • ChaCha20-Poly1305
    • Exercises: ChaCha20-Poly1305
  • Asymmetric Key Ciphers
    • The RSA Cryptosystem - Concepts
    • RSA Encrypt / Decrypt - Examples
    • Exercises: RSA Encrypt / Decrypt
    • Elliptic Curve Cryptography (ECC)
    • ECDH Key Exchange
    • ECDH Key Exchange - Examples
    • Exercises: ECDH Key Exchange
    • ECC Encryption / Decryption
    • ECIES Hybrid Encryption Scheme
    • ECIES Encryption - Example
    • Exercises: ECIES Encrypt / Decrypt
  • Digital Signatures
    • RSA Signatures
    • RSA: Sign / Verify - Examples
    • Exercises: RSA Sign and Verify
    • ECDSA: Elliptic Curve Signatures
    • ECDSA: Sign / Verify - Examples
    • Exercises: ECDSA Sign and Verify
    • EdDSA and Ed25519
    • EdDSA: Sign / Verify - Examples
    • Exercises: EdDSA Sign and Verify
  • Quantum-Safe Cryptography
    • Quantum-Safe Signatures - Example
    • Quantum-Safe Key Exchange - Example
    • Quantum-Safe Asymmetric Encryption - Example
  • More Cryptographic Concepts
    • Digital Certificates - Example
    • TLS - Example
    • One-Time Passwords (OTP) - Example
  • Crypto Libraries for Developers
    • JavaScript Crypto Libraries
    • Python Crypto Libraries
    • C# Crypto Libraries
    • Java Crypto Libraries
  • Conclusion
Powered by GitBook
On this page
  • Digital Certificates, the X.509 Standard and PKI
  • Transport Layer Security (TLS) and SSL
  • External Authentication and OAuth
  • Two-Factor Authentication and One-Time Passwords
  • HMAC-based One-time Password (HOTP)
  • Counter-based One-Time Password algorithm (COTP)
  • Time-based One-Time Password Algorithm (TOTP)
  • Time-based One-Time Password in Practice
  • Infected Cryptosystems and Crypto Backdoors
  • Other Cryptographic Concepts and Standards

Was this helpful?

More Cryptographic Concepts

PreviousQuantum-Safe Asymmetric Encryption - ExampleNextDigital Certificates - Example

Last updated 5 years ago

Was this helpful?

...

Digital Certificates, the X.509 Standard and PKI

...

Transport Layer Security (TLS) and SSL

...

A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security (TLS) or its now-deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a symmetric encryption algorithm, and a message authentication code (MAC) algorithm.

External Authentication and OAuth

...

Two-Factor Authentication and One-Time Passwords

Multi-Factor authentication adds additional layers of identity authentication. Usually, those factors should be added to some of the following categories:

  • What I know

  • What I have

  • What I am

Two-Factor Authentication requires two of those three categories to be implemented. The most common case of Two-Factor Authentication is a user password and a device on which will be sent/generate one-time-password. To generate a one-time-password (OTP) the HMAC-based One-time Password algorithm is used.

HMAC-based One-time Password (HOTP)

HTOP(has_function, secret, value_length) -> htop
htop.generate() -> auth_code
htop.validate(auth_code) -> true/false

The hash_func can be any cryptographic hash function. The secret is the arbitrary byte string which must be shared between the parties and kept private. value_length defines the auth_code length.

Counter-based One-Time Password algorithm (COTP)

In the COTP scenario the HTOP function contains an internal counter. In order for parties to successfully authenticate each other they have to keep their counters in sync. Each time HOTP is requested to generate an auth_code the counter increments.

Time-based One-Time Password Algorithm (TOTP)

Time-based One-Time Password Algorithm (TOTP) is an extension of COTP, where the counter is the current time, defined as Unix time. The time-interval is another parameter used for the generation of TOTP, which defines a period of time of which a given authentication code will be valid.

htop_counter = (current_time - initial_time) / time_interval

For TOTP to work correctly both parties need to have synchronized clocks with minimal verification time-step window (delay based on user's input, network latency, and clock time deviation).

otp = TOTP(hash_function(secret), htop_counter)

Time-based One-Time Password in Practice

Infected Cryptosystems and Crypto Backdoors

Other Cryptographic Concepts and Standards

Just to mention, the practical cryptography is endless. This is a list of crypto concepts, algorithm, protocols and standards that we will not going to explain in this book, but you can read about them from the provided links:

  • Kerberos - ...

  • IPsec - ...

  • WiFi cryptography standards - ...

  • PGP - ...

  • S/MIME - ...

  • JSON Web Tokens (JWT)

The HOTP algorithm is based on and provides a symmetric generation of human-readable passwords, each used for only one authentication attempt. The key parameter of HTOP is a secret which has to be exchanged between the parties in advance:

A popular use case of Two-Factor Authentication is the Google Authenticator. A server generates a secret and shares it as a QR code with the client. The client scan and store the secret in the application on a phone. After that, the server and the phone start to generate the same one-time passwords.

An example of a web-based JavaScript for using and testing TOTP:

Object Identifiers (OID) - , e.g. the algorithm "SHA-256" has OID "2.16.840.1.101.3.4.2.1".

Cryptography Best Practices:

https://cryptography.io/en/latest/x509/
https://en.wikipedia.org/wiki/Transport_Layer_Security
HMAC
Google Authenticator
example
https://en.wikipedia.org/wiki/Kleptography
https://en.wikipedia.org/wiki/Object_identifier
https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a
Time-based One-time Password example