Offline Technician Authentication

TL;DR

This guide explains how to securely authenticate an unlimited number of technicians when they are working offline (no internet connection). We’ll use a combination of pre-shared keys, one-time passwords (OTPs), and a simple database to manage technician access. It focuses on practicality and security without needing complex infrastructure.

1. Key Generation & Distribution

1. Master Key Creation: Generate a strong, random master key. This is the root of trust for your system. Keep this extremely secure – ideally offline in a hardware security module (HSM) or protected by robust access controls.
2. Technician Keys: Derive unique keys for each technician from the master key using a Key Derivation Function (KDF) like HKDF. This ensures that even if one technician’s key is compromised, others remain secure. The number of technician keys isn’t limited by the system itself; it’s limited by your KDF implementation and storage capacity.

   # Example using OpenSSL (for demonstration - use a proper library in production)
   openssl rand -base64 32 > master_key
   openssl kdf -pbkdf2 -iter 100000 -salt "your_unique_salt" -digest sha256 -in master_key -out technician1_key
   

3. Secure Distribution: The most challenging part. Distribute the technician keys securely to each technician *before* they go offline. Options include:
   • In-person delivery: The most secure method, but not always practical.
   • Encrypted USB drives: Encrypt the key file with a strong password known only to the technician and a trusted administrator.
   • Trusted courier: Use a reputable service for physical delivery.

   Never transmit keys electronically without encryption!

2. One-Time Password (OTP) Generation

1. Algorithm Choice: Use a Time-based One-Time Password (TOTP) algorithm like RFC 6238. This generates passwords that change periodically, even without an internet connection.
2. Seed Value: Each technician’s key from Step 1 acts as the seed for their OTP generator. The same key will always generate the same sequence of OTPs at a given time.

   # Example using Python and pyotp (install with pip install pyotp)
   import pyotp
   secret = "your_technician_key"
   totp = pyotp.TOTP(secret)
   password = totp.now()
   print(password) # This will change every 30 seconds by default.
   

3. OTP Validity: Configure a short OTP validity window (e.g., 30-60 seconds). This limits the impact of compromised passwords.

3. Offline Authentication Process

1. Technician Input: The technician enters their key and the current time (or a timestamp) into an application or device.
2. OTP Calculation: The application uses the TOTP algorithm with the technician’s key to generate the expected OTP for that time.
3. Database Lookup: When the technician attempts to authenticate, their key is used as a lookup in a local database (see Step 4). The database stores valid OTPs for each technician.
   • If the calculated OTP matches an entry in the database for that technician and time window, authentication succeeds.
   • Otherwise, authentication fails.

4. Local Database Management

1. Database Choice: Use a lightweight embedded database like SQLite or LevelDB. These databases require no server and are easy to deploy offline.
2. Schema Design: A simple table structure is sufficient:
   • TechnicianID: Unique identifier for the technician (e.g., employee number).
   • KeyHash: A hash of the technician’s key (for security – never store keys in plain text!). Use a strong hashing algorithm like SHA-256.
   • OTP: The generated One-Time Password.
   • Timestamp: The time the OTP was generated.
3. Pre-population: Before technicians go offline, pre-populate the database with a batch of valid OTPs for each technician. Generate enough OTPs to cover their expected offline period.

   # Example SQLite insertion (using Python)
   import sqlite3
   conn = sqlite3.connect('technician_auth.db')
   c = conn.cursor()
   c.execute('''CREATE TABLE IF NOT EXISTS technicians (
     TechnicianID TEXT PRIMARY KEY,
     KeyHash TEXT,
     OTP TEXT,
     Timestamp INTEGER
   )''')
   # ... (Code to generate OTPs and insert them into the database for each technician)
   conn.commit()
   conn.close()
   

4. Database Security: Protect the database file with appropriate file system permissions. Consider encrypting the entire database if highly sensitive.

5. Revocation & Key Rotation

1. Key Compromise: If a technician’s key is compromised, immediately invalidate all OTPs associated with that key in the local database. This can be done remotely if possible (e.g., through a secure update mechanism) or manually when technicians return.
2. Periodic Rotation: Regularly rotate keys to minimize the impact of potential compromises. This involves generating new keys, distributing them securely, and updating the database schema accordingly.

Important Security Considerations

• Master Key Protection: The security of your entire system relies on the protection of the master key.
• KDF Strength: Use a robust KDF with sufficient iterations and salt length.
• Hashing Algorithm: Use a strong hashing algorithm (SHA-256 or better) for storing technician keys.
• Time Synchronization: Accurate time synchronization is crucial for TOTP to function correctly. Ensure technicians’ devices have reliable time sources.
• Physical Security: Protect the physical security of devices and databases used in the authentication process.