Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
github.com/hbyxzpf/twofactor
totp
This package implements the RFC 6238 OATH-TOTP algorithm;
go get github.com/sec51/twofactor
Built-in support for secure crypto keys generation
Built in encryption of the secret keys when converted to bytes, so that they can be safely transmitted over the network, or stored in a DB
Built-in back-off time when a user fails to authenticate more than 3 times
Bult-in serialization and deserialization to store the one time token struct in a persistence layer
Automatic re-synchronization with the client device
Built-in generation of a PNG QR Code for adding easily the secret key on the user device
Supports 6, 7, 8 digits tokens
Supports HMAC-SHA1, HMAC-SHA256, HMAC-SHA512
The key is created using Golang crypto random function. It's a secret key and therefore it needs to be protected against unauthorized access. The key cannot be leaked, otherwise the security is completely compromised. The key is presented to the user in a form of QR Code. Once scanned the key should never be revealed again. In addition when the QR code is shared with the client for scanning, the connection used must be secured (HTTPS).
The totp
struct can be easily serialized using the ToBytes()
function.
The bytes can then be stored on a persistent layer (database for example). The bytes are encrypted using cryptoengine
library (NaCl)
You can then retrieve the object back with the function: TOTPFromBytes
You can transfer the bytes securely via a network connection (Ex. if the database is in a different server) because they are encrypted and authenticated.
The struct needs to be stored in a persistent layer becase its values, like last token verification time, max user authentication failures, etc.. need to be preserved. The secret key needs to be preserved too, between the user accound and the user device. The secret key is in fact used to derive tokens.
Generation of recovery tokens.
Integration with Twilio for sending the token via SMS, in case the user loses its entry in the Google authenticator app.
1- Import the library
import github.com/sec51/twofactor
2- Instanciate the totp
object via:
otp, err := twofactor.NewTOTP("info@sec51.com", "Sec51", crypto.SHA1, 8)
if err != nil {
return err
}
3- Display the PNG QR code to the user and an input text field, so that he can insert the token generated from his device
qrBytes, err := otp.QR()
if err != nil {
return err
}
4- Verify the user provided token, coming from the google authenticator app
err := otp.Validate(USER_PROVIDED_TOKEN)
if err != nil {
return err
}
// if there is an error, then the authentication failed
// if it succeeded, then store this information and do not display the QR code ever again.
5- All following authentications should display only a input field with no QR code.
totp
was written by Sec51 info@sec51.com.
Copyright (c) 2015 Sec51.com <info@sec51.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.