[Soc-coordination] Status Report Week 2, Extending oath-toolkit and dynalogin to provide CROTP/OCRA authentication

Fabian Grünbichler fabian.gruenbichler at tuwien.ac.at
Fri Jun 28 16:41:14 UTC 2013



Hello fellow soc-ers,

here's my report for the last week. As always, all committed code can
be found on github[1], this week's changes got their own branch (aptly
named "ocra").

This week's goal was to implement methods for generating and
validating OCRA authentication values. This goal was almost completely
fulfilled.

I introduced two new API methods (oath_ocra_generate and
oath_ocra_validate) as well as test cases for both.

I encountered two obstacles:

.) The OCRA specification (RFC 6287[2]) allows three different types
of challenges: numeric, hexadecimal and alpha-numeric. I had to dig
into the reference implementation to find out that numeric challenges
are apparently supposed to be converted to base-16 before being
converted to a byte-array. This stole quite a bit of precious
debugging/coding time ;)

.) oath-toolkit currently only contains library functions for
generating SHA1 HMACs. Besides SHA1, OCRA is supposed to also support
SHA256 and SHA512. My code is designed to be easily extendable once
the necessary wrapper methods for gnulib's SHA256 and SHA512 API are
written (how to proceed is not yet discussed with oath-toolkit's
maintainer).

So far all the test-cases indicate full support for all the different
OCRA generation combinations (except for SHA256/512 support). I
converted most of the reference test vector data to SHA1 and used the
reference Java implementation to generate the OCRA values which are
used to check correctness of the new API.

My plans for the next week are to use the new API to extend
oath-toolkit's PAM module to allow authentication via OCRA (limited to
SHA1 for now, see above) as well as integrating feedback by my
mentors. If possible, I would also like to extend the current code to
support SHA256/512 this week.

After this or next week, the implementation of OCRA in oath-toolkit
should be finished and sufficiently tested. Afterwards I will proceed
to extend dynalogin to also support authentication via OCRA.

Kind regards,
Fabian

1: https://github.com/Fabian-Gruenbichler/oath-toolkit/commits/ocra
2: http://tools.ietf.org/html/rfc6287
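
The numeric-challenge conversion mentioned in the first obstacle, as an added example that is not part of the original message and not oath-toolkit code: the decimal string is turned into its shortest hexadecimal form, and those hex digits are left-aligned in the 128-byte challenge field that RFC 6287 pads with zeros on the right. The function name ocra_encode_numeric_challenge is hypothetical, and the sample challenges in the comments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OCRA_Q_LEN 128  /* RFC 6287: the challenge field Q is 128 bytes */
#define MAX_DIGITS 64   /* RFC 6287: challenge length is 04..64 characters */

/* Hypothetical helper (not oath-toolkit API): encode a numeric (QN) challenge.
 * decimal string -> shortest hex string -> hex digits left-aligned in out[],
 * remainder zero. Returns 0 on success, -1 on invalid input. */
int ocra_encode_numeric_challenge(const char *dec, uint8_t out[OCRA_Q_LEN])
{
    uint8_t big[32] = {0};  /* big-endian integer; 10^64 < 2^213 fits */
    uint8_t nib[64];
    size_t len = strlen(dec), i, n = 0, first = 0;

    if (len == 0 || len > MAX_DIGITS)
        return -1;
    for (i = 0; i < len; i++) {
        unsigned carry;
        int j;
        if (dec[i] < '0' || dec[i] > '9')
            return -1;
        carry = (unsigned)(dec[i] - '0');
        for (j = 31; j >= 0; j--) {  /* big = big * 10 + digit */
            unsigned v = big[j] * 10u + carry;
            big[j] = (uint8_t)(v & 0xff);
            carry = v >> 8;
        }
    }
    for (i = 0; i < 32; i++) {  /* split the integer into hex digits */
        nib[n++] = (uint8_t)(big[i] >> 4);
        nib[n++] = (uint8_t)(big[i] & 0x0f);
    }
    while (first < 63 && nib[first] == 0)  /* drop leading zeros, keep one digit */
        first++;
    memset(out, 0, OCRA_Q_LEN);
    for (i = first; i < 64; i++) {
        size_t k = i - first;
        /* An odd digit count leaves the last low nibble zero: the padding is
         * applied to the hex string, not to whole bytes. */
        out[k / 2] |= (uint8_t)(nib[i] << ((k % 2) ? 0 : 4));
    }
    return 0;
}
```

"11111111" therefore encodes as A9 8A C7 followed by zeros rather than as eight ASCII bytes, and "22222222" (hex 153158E, seven digits) as 15 31 58 E0.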


