Home.... | log in.... | Pub my question! | Sign-up....
Java-index >> Security >> Other Security APIs, Tools, and Issues

Creating Token for Login Method

I am writing a login method that will authencticate user and return token for web services. Next time user will send is token and we will validate the token but requirement is that we donot wnat to keep any state of token at server.What does it mean that when we receive token, we should be able to detremine is it a valid token or not.(This implied token can't be forged by any user).

I have written a function using KeyPairGenerator, please have a look and let me know if you see any security issue.

Design is

token generateToken(userid) {

hash = hash(userid) - ONE

Signature = Encrypt (Private key , hash) TWO

return hash + " " + Signature

}

bool isValid(token) {

separate part 1 and part 2 of toekn (delimeter is space)

Signature = Encrypt (Public key , part1)

if signature == part2

token is valid

else token is invalid

}

Code is

PublicKey privateKey ;

PrivateKey publicKey ;

KeyPairGenerator keyGen;

SecureRandom random ;

KeyPair keypair;

public String generateToken() throws Exception{

keyGen = KeyPairGenerator.getInstance("DSA");

random = SecureRandom.getInstance("SHA1PRNG", "SUN");

keyGen.initialize(512 , random);

keypair = keyGen.genKeyPair();

privateKey = keypair.getPrivate();

publicKey = keypair.getPublic();

String token = userName;

byte[] part1 = getHash(1000, token , generateSalt());

/* Create a Signature object and initialize it with the private key */

Signature dsa = Signature.getInstance("SHA1withDSA", "SUN");

dsa.initSign(privateKey);

/* Update and sign the data */

dsa.update(part1, 0 , part1.length) ;

/* Generate a signature for it */

byte[] realSig = dsa.sign();

String tokenToReturn = byteToBase64(part1) + " " + byteToBase64(realSig) ;

return tokenToReturn;

}

public void verifyToken(String token) throws Exception{

int space = token.indexOf(" ");

String part1 = token.substring(0 , space);

String part2 = token.substring(space+1);

/* create a Signature object and initialize it with the public key */

Signature sig = Signature.getInstance("SHA1withDSA", "SUN");

sig.initVerify(publicKey);

byte[] bPart1 = base64ToByte(part1);

byte[] bPart2 = base64ToByte(part2);

/* Update and sign the data */

sig.update(bPart1, 0 , bPart1.length) ;

if ( sig.verify(bPart2) )

System.out.println("signature verifies: " );

else

System.out.println("signature does not verifies: " );

}

Does this code look right ? Please let me know if you see any pitfalls or know better way to create token

[2752 byte] By [namon20a] at [2007-11-27 3:53:58]
«« Loading Images
»» How to move a entire directory!
# 1

Hello,

one conceptual problem is the fact that once you generate such a token it is valid forever. One idea would be to incorporate the date/time of generation, so that you have some kind of timeout mechanism if the token is too old. Again, the token mechanism will be susceptible to replay attacks for the token's validity period.

For my part, I would tend to go with some kind of one-time token design. Even if you are constrained not to use a database, you could use an in-memory structure to keep track of the generated tokens, mapping them to the users requested them and removing them on an explicit logout or after an expiration time period. This way you don't depend on a timestamp, which implies that you keep a clock well-synchronized. Just my $.02.

Kind regards,

Anestis

mrAnesta at 2007-7-12 8:58:03 > top of Java-index,Security,Other Security APIs, Tools, and Issues...
Security
Other Security APIs, Tools, and Issues

Security New Topic

Security Hot Topic

Security

All Classified