Wednesday, August 28, 2013

Basics - One Time Passwords and Two Factor Authentication

Two-factor authentication requires the use of two of the following three authentication factors.

  • Something the user knows (e.g., password, PIN, pattern);
  • Something the user has (e.g., ATM card, smart card, mobile phone); and
  • Something the user is (e.g., biometric characteristic, such as a fingerprint).

A clear explanation can be found on wikipedia:  http://en.wikipedia.org/wiki/Two-factor_authentication


The most popular and easiest way of implementing second factor in authentication is the use of OTP (one time passwords).

A one-time password (OTP) is a password that is valid for only one login session or transaction.
The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks.

There are also different ways to make the user aware of the next OTP to use.

  • Some systems use special electronic security tokens that the user carries and that generate OTPs and show them using a small display. 
  • Other systems consist of software that runs on the user's mobile phone (mobile apps)
  • Yet other systems generate OTPs on the server-side and send them to the user using an out-of-band channel such as SMS messaging.


There are also well-known algos in this area such as HOTP = HMAC based OTP and TOTP = Time based OTP.

Some things to note:

  • Use of hardware token genenators is more expensive
  • Use of SMS channel requires the server sides to have capability to send SMS through reliable SMS gateways which may be paid options
  • Use of mobile apps, often requires internet connectivity to the server

To further clarify the OTP options, I am providing a few self explanatory slides below:


--------------------xxx----------------------


-------------------xxx----------------------





Finally, there are several open source and paid providers of two factor auth and OTP solutions.Most of these require a custom authentication server as backend.

M-PIN          - http://www.certivox.com/m-pin/

and many more...


Also you can develop, a custom implementation using standard algorithms like HMAC for OTP

cheers!

Monday, August 26, 2013

Web Application Development with REST - Rapid and Easy

Increasing demands are being made by businesses to build custom web applications not only in record time, but also for these to be made available on a variety of devices like iPhones, iPads or android devices.

Using frameworks such as grails one can very quickly develop the server side of such web applications. With minor tweaks, a grails app can be exposed through REST controllers. These REST web services can be consumed by a variety of user interfaces like native mobile platforms, mobile web applications, single page thin client apps, HTML5 based web apps, etc. These user interfaces can also be integrated into portals such a Liferay, to complete the enterprise applications picture.

The above mentioned technologies and frameworks, relevant for rapid development of web and mobile applications, have been captured in the slide below. I will be periodically updating these slides, to raise awareness about contemporary frameworks that can be used for rapid web applications development.

(Note: this is just one good combination of frameworks with several alternatives on the tech landscape,  like Play instead of Grails, etc)

cheers!




Wednesday, August 21, 2013

Digitally Signed Documents - Simplified

Unless you have been living under a rock, you must have encountered, digitally signed documents. Increasingly all of us are using digital signatures in everyday life.

Ever wondered, what a digitally signed document means and how it works. Well here is a brief explanation through some pictures. Its from a lay man's point of view. If you are more interested in knowing the next level of technical details, have a look at the next slide which is technically more accurate.





Technically, more accurate depiction




Several free desktop softwares and online web applications allow you to digitally sign documents. for example, HelloSign, is a chrome plugin, which allows you to digitally sign documents, without leaving gmail.


Wednesday, August 14, 2013

Using REST with Grails - Quick and Dirty

Aim: To combine the RAD features of Grails with easy consumption of REST


Grails has been around for a bit and Grails 2.x is a great framework for rapid web application development. One of the things that might be a bit limiting is grails' use of server side gsp for the presentation layer. You know how everybody's grandmother, has an opinion about how the UI should be built, well...

That set me thinking, how about, if I wanted to leverage all the great feature of grails minus, its presentation layer, that is to say, how easily can I access grails server side from say HTML5/javascript framework or from android or iOS mobile app. Of course all that needs to be done, is to be able to invoke grails controllers from say javascript via REST calls.

So I started out with a default out of the box grails CRUD app with a POJO domain class called Item.

class Item {
static constraints = {    }
String name = "Item1";
String description = "Item1 Desc";
Date createdDate = new Date();

}

And I tried accessing the grails controllers from HTML/javascript/jquery. Seems you do it as easily as shown below:

For creating a new Item, all I need to do is a POST as seen below:
Notice the URL, HTTP verbs and $.param(myobj), which serializes, any javascript object attributes as HTTP request parameters

  //most of below object properties are same as grails domain POJO
var myobj = new Object();
myobj.createdDate = "date.struct";
myobj.createdDate_day = 13;
myobj.createdDate_month = 8;
myobj.createdDate_year = 2013;
myobj.description = "fromJSObject";
myobj.name = "fromJSObject";
myobj.create = "Create";

$.ajax({
 url: '/itemstore/item/save',
 type: 'POST',
 data: $.param(myobj),
 success: function(data) { alert('Insert was performed.');  }
});

On similar lines, we can do an update Item from jquery/javascript as follows

var myobj = new Object();
myobj.id = itemId;
myobj.version = 3;
myobj.createdDate = "date.struct";
myobj.createdDate_day = 13;
myobj.createdDate_month = 8;
myobj.createdDate_year = 2013;
myobj.description = "fromJSObjectUpdatedNew";
myobj.name = "fromJSObjectUpdatedNew";
myobj._action_update = "Update";

$.ajax({
 url: '/itemstore/item/edit/'+myobj.id,
 type: 'POST',
 data: $.param(myobj),
 success: function(data) { alert('Update was performed.');  }
});


Deleting an Item is as easy as:

var myobj = new Object();
myobj.id = itemId;
myobj._action_delete = "Delete";

$.ajax({
 url: '/itemstore/item/delete/'+myobj.id,
 type: 'POST',
 data: $.param(myobj),
 success: function(data) { alert('Delete was performed.');  }
});


The above way of invoking grails controllers is a bit of hack since, we did not modify the out of box or rather I should say "generated" controllers, which usually are geared up for server side invocation and have often have server side redirects. Sample grails controller server side code is shown below:

    def create() {
        [itemInstance: new Item(params)]
    }

    def save() {
        def itemInstance = new Item(params)
        if (!itemInstance.save(flush: true)) {
            render(view: "create", model: [itemInstance: itemInstance])
            return
        }

        flash.message = message(code: 'default.created.message', args: [message(code:        'item.label', default: 'Item'), itemInstance.id])
        redirect(action: "show", id: itemInstance.id)
    }


We were able to make do with shown jquery code because, we did not expect any return values from the controller invocations. Its always better to tweak the "generated" controller code, so that, it is oriented for REST, by commenting out the redirect and returning back either json objects as data or as validation messages.

But how about if we need some getters from the grails controller.Well, in such all you need to do is write your own little Grails controller with suitable methods.

Here I am showing the original controller code for a list() method returning all Items in database.

    def list(Integer max) {
        params.max = Math.min(max ?: 10, 100)
        [itemInstanceList: Item.list(params), itemInstanceTotal: Item.count()]
    }


And following is the slightly tweaked new method which will return JSON objects array

    def list(Integer max) {
        params.max = 100
render Item.list(params).encodeAsJSON()
    }

The significant difference is in calling the method groovy encodeAsJSON() and returning its result from the controller.

Next you have to add the following mapping to the UrlMappings.groovy file

"/restful/$controller/listall?"{
constraints {
         //maps the http verb GET to controller method list( )
action = [GET:"list"]  
}
}


Calling such a controller method from jquery/javascript is as easy as shown below:

$.getJSON("/itemstore/restful/item/listall", function(mydata) {
      
     // this will output valid JSON containing the array of Items we returned back
     console.log(mydata) 
});


Exposing grails controllers in such a fashion via REST or simply consuming them, in javascript, means you can have an alternative UI done in HTML5/javascript,, in a very short time.

Combining the RAD features of Grails with the ease of consumption of REST, is something truely valuable, wont you agree?