Fabian Grünbichler's Application

Personal and Contact Information

Name: Fabian Grünbichler
E-Mail: fabian.gruenbichler[a]tuwien.ac.at (GPG-encrypted preferred)
XMPP: fabian[a]jabber.at (OTR)


I am a 24-year-old software engineering master's student from Vienna, Austria. I have been using Debian in different setups for quite some time (around 6 years), but have never actively contributed before. I am most proficient in C and Java, but can also churn out code in Python, Ruby or PHP if need be. One of my main interests regarding IT and software is security, which was one of the reasons why I chose a security evaluation of a typical Typo3 installation as my bachelor thesis and project. I am an advocate of free and open source software as well as meaningful security solutions for everyone (such as accessible encrypted communication methods and secure information storage). My native tongue is German. More information about me can be found in my introduction email to the pkg-auth-maintainers list.

CROTP support for oath-toolkit and dynalogin

Project Details

Currently oath-toolkit supports two of the main one-time password standards: the event-based HOTP algorithm (RFC 4226) and its time-based extension TOTP (RFC 6238).

This project would introduce another possibility to perform authentication via one or both of the following new challenge-response-based mechanisms: OCRA (OATH Challenge Response Authentication, RFC 6287) and/or CROTP (IETF Draft), which is itself an extension of the Salted Challenge Response Authentication Mechanism described in RFC 5802.

OCRA has a structure similar to HOTP/TOTP, but offers more flexibility regarding the information and hash algorithm used for computing and validating authentication data. It also allows for (additional) non-SSL/TLS-based (i.e., challenge-response-based) authentication of one or both parties involved in the authentication process. These benefits (and the fact that it is officially part of the mechanisms specified by the OATH foundation) make it well suited for integration into oath-toolkit and dynalogin.
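The structural similarity between HOTP and OCRA described above, as an added example (not part of the application and not oath-toolkit code): both feed an HMAC into the same RFC 4226 truncation step, and OCRA replaces the counter with the suite string plus a server-issued challenge. The function names are hypothetical, only the one-way suite `OCRA-1:HOTP-SHA1-6:QN08` is covered, and the key is the constructed 20-byte test key from the RFCs.

```python
import hashlib
import hmac
import secrets
import struct

SUITE = "OCRA-1:HOTP-SHA1-6:QN08"  # one-way mode, 8-digit numeric challenge
KEY = b"12345678901234567890"      # constructed demo key (RFC 20-byte test key)


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation, shared by HOTP, TOTP and OCRA."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)


def ocra_qn08(key: bytes, challenge: str, digits: int = 6) -> str:
    """OCRA response for SUITE: HMAC-SHA1 over suite || 0x00 || Q."""
    if len(challenge) != 8 or not (challenge.isascii() and challenge.isdigit()):
        raise ValueError("QN08 expects exactly 8 decimal digits")
    # Numeric challenge: decimal -> hex string, right-padded with zeros to 128 bytes.
    q = bytes.fromhex(format(int(challenge), "x").ljust(256, "0"))
    mac = hmac.new(key, SUITE.encode() + b"\x00" + q, hashlib.sha1).digest()
    return truncate(mac, digits)


def new_challenge() -> str:
    """Server side: a fresh, unpredictable 8-digit challenge per attempt."""
    return f"{secrets.randbelow(10 ** 8):08d}"


def verify(key: bytes, challenge: str, response: str) -> bool:
    """Server side: recompute the response and compare in constant time."""
    expected = ocra_qn08(key, challenge).encode()
    return hmac.compare_digest(expected, response.encode())


if __name__ == "__main__":
    q = new_challenge()            # server -> client
    r = ocra_qn08(KEY, q)          # client -> server
    print(q, r, verify(KEY, q, r))
```
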

SCRAM, on the other hand, is already in widespread use as a SASL and GSS-API authentication mechanism; CROTP could therefore play an important role in furthering secure, connection-oriented authentication for various applications (such as LDAP or mail servers). CROTP basically extends SCRAM by including an OTP value in its client-side signature calculation (as well as the server's verification thereof).

Because a challenge-response-based authentication mechanism requires back-and-forth communication between a client and a server, I would like to first implement the necessary API functions in the relevant packages:

These functions could then be used to integrate challenge-response and OTP based authentication into other software packages. As part of the project I would like to implement such functionality for the dynalogin packages, allowing a client using libdynaloginclient to authenticate with a dynalogind server using the CROTP and/or OCRA mechanism instead of plain HOTP or TOTP.

A (not yet publicly disclosed) vulnerability report regarding a Typo3 extension is currently in the works (this was a result of my BSc thesis project).

A small bugfix for dynalogin can be found here.