Key-Based Authentication

G5 Cyber Security

2 weeks ago

TL;DR

This guide explains how to authenticate users using a key that can decrypt a specific phrase, instead of relying on passwords stored in a database. This method is generally more secure than password authentication.

1. Understanding the Concept

Traditional password authentication involves storing a hash of the user’s password in a database. When a user tries to log in, their entered password is hashed and compared to the stored hash. Key-based authentication works differently:

User generates a key: Each user creates a unique secret key (e.g., using OpenSSL).
Phrase Encryption: A specific phrase is encrypted only with the user’s key. This encrypted phrase isn’t stored anywhere except potentially temporarily during login.
Authentication Process: During login, the user provides their key. The system attempts to decrypt the phrase using that key. If decryption succeeds, the user is authenticated.

Because you never store the key itself (or the decrypted phrase), it’s much harder for attackers to compromise accounts.

2. Generating User Keys

Users need a way to generate secure keys. Here’s an example using OpenSSL:

openssl rand -base64 32 > user_key.txt

This command generates a random 32-byte key encoded in base64 and saves it to the file user_key.txt. Users should store this key securely (e.g., using a password manager or hardware security module).

3. Encrypting the Authentication Phrase

Choose a secret phrase that will be used for authentication. This phrase doesn’t need to be complex, but it must be consistent.

openssl enc -aes-256-cbc -salt -in phrase.txt -out encrypted_phrase.enc -k "your_user_key"

Replace "your_user_key" with the actual user’s key obtained in step 2. The phrase.txt file contains your secret authentication phrase.

4. Implementing Authentication Logic (Python Example)

This example uses Python and the PyCryptodome library to demonstrate the authentication process:

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import os

def decrypt_phrase(encrypted_file, key):
    try:
        with open(encrypted_file, 'rb') as f:
            data = f.read()
        cipher = AES.new(key.encode('utf-8'), AES.MODE_CBC)
        decrypted_data = cipher.decrypt(data)
        return decrypted_data.decode('utf-8').strip()
    except Exception as e:
        print(f"Decryption failed: {e}")
        return None

# Example usage:
user_key = "your_user_key"
enrypted_phrase_file = "encrypted_phrase.enc"
decrypted_phrase = decrypt_phrase(enrypted_phrase_file, user_key)

if decrypted_phrase == "secret_authentication_phrase":
    print("Authentication successful!")
else:
    print("Authentication failed.")

Important: This is a simplified example. In a real-world application, you’d need to handle key storage securely and implement proper error handling.

5. Security Considerations

Key Storage: The biggest risk is secure key storage on the user’s device. Encourage users to use strong password managers or hardware security modules.
Encryption Algorithm: Use a robust encryption algorithm like AES-256.
Salt: Always use a salt when encrypting the phrase, as shown in the OpenSSL example. This prevents rainbow table attacks.
Transport Security: Ensure that keys are transmitted securely (e.g., using HTTPS).
Key Rotation: Consider implementing key rotation to further enhance security.

6. Advantages and Disadvantages

Advantages: More secure than password authentication, eliminates the risk of password breaches in a database.
Disadvantages: Requires users to manage keys securely, can be more complex to implement than traditional authentication.