Requiring Multiple Authentication Mechanisms

asked 2015-11-02 08:27:18 -0700

EricC

Hello all,

I am working on an AllJoyn service for a device, and I would like to require clients to authenticate via an exchange of PIN (representing a serial number on the physical unit) as well as a personally unique username/password.

Building off of the secure examples in the C++ SDK, I have been able to enable peer security on both ends with SRP_KEYX for the PIN exchange, as well as SRP_LOGON for the username/password authentication. However, the authentication interface only seems to require one, and will therefore allow consumer app access to the secured interface after just exchanging the PIN number.

Is there a way to force a request of all three (PIN, username, & password) and then compare them to the service keystore?

Thanks,

Eric


1 answer


answered 2015-11-03 12:42:02 -0700

praveenb

updated 2015-11-06 11:22:44 -0700

Your observation is correct. Authentication mechanisms in AllJoyn are independent of one another. When two peers authenticate with one another in AllJoyn, they exchange a list of auth mechanisms and choose the strongest one that is common to both. Once authentication (using any authentication mechanism) is complete, a master secret gets established which is used for further communication (the expiration of the master secret is configurable by the application).

You are looking to chain these authentication mechanisms to mandate multiple authentication mechanisms. Because what you are looking for is not the usual state of affairs in AllJoyn, you would need to write your application in one of the two following ways:

  • Create two BusAttachments, BA1 & BA2. Enable auth mechanism M1 on BA1 and auth mechanism M2 on BA2. Have the consumer app authenticate against both BA1 and BA2. This method of using multiple BusAttachments in one application is usually not recommended due to higher resource usage.
  • Create one BusAttachment BA and enable auth mechanism M1. As soon as authentication using M1 is complete, clear the keys using ajn::BusAttachment::ClearKeys, disable auth mechanism M1 and enable auth mechanism M2. You will need to exercise greater care to handle multiple devices authenticating simultaneously and ensure that the flow is correct.

What you are looking to do hasn't been attempted before, and hence your mileage may vary. If you are looking for additional guidance with Security in AllJoyn, you might want to contact: allseen-security@lists.allseenalliance.org.
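With either approach in the answer above, the service still has to remember, per peer, which mechanisms have completed before it serves the secured interface. The following is an added example of that bookkeeping, not part of the answer and not AllJoyn code: `ChainedAuthGate` is a hypothetical helper meant to be fed from `AuthListener::AuthenticationComplete`, and it assumes a consumer appears under the same `peerName` for both steps and that the mechanisms report as `ALLJOYN_SRP_KEYX` and `ALLJOYN_SRP_LOGON`.

```cpp
#include <cstddef>
#include <map>
#include <mutex>
#include <string>
#include <utility>
#include <vector>

// Hypothetical helper, not an AllJoyn class. Tracks, per peer, how far along
// an ordered chain of auth mechanisms that peer has progressed.
class ChainedAuthGate {
  public:
    explicit ChainedAuthGate(std::vector<std::string> chain) : chain_(std::move(chain)) {}

    // Feed this from AuthListener::AuthenticationComplete(authMechanism, peerName, success).
    void OnAuthComplete(const std::string& mech, const std::string& peer, bool success) {
        std::lock_guard<std::mutex> lock(mu_);
        auto it = progress_.find(peer);
        std::size_t step = (it == progress_.end()) ? 0 : it->second;
        if (step >= chain_.size()) step = 0;  // re-authentication restarts the chain
        if (success && step < chain_.size() && mech == chain_[step]) progress_[peer] = step + 1;
        else progress_.erase(peer);  // failure or out-of-order mechanism: fail closed
    }

    // Mechanism this peer must complete next; empty once the chain is done.
    std::string NextRequired(const std::string& peer) const {
        std::lock_guard<std::mutex> lock(mu_);
        auto it = progress_.find(peer);
        std::size_t step = (it == progress_.end()) ? 0 : it->second;
        return step < chain_.size() ? chain_[step] : std::string();
    }

    // Check this before serving any call on the secured interface.
    bool IsFullyAuthenticated(const std::string& peer) const {
        return !chain_.empty() && NextRequired(peer).empty();
    }

  private:
    const std::vector<std::string> chain_;
    mutable std::mutex mu_;  // completions for different peers can arrive concurrently
    std::map<std::string, std::size_t> progress_;
};

int main() {
    ChainedAuthGate gate(std::vector<std::string>{"ALLJOYN_SRP_KEYX", "ALLJOYN_SRP_LOGON"});
    gate.OnAuthComplete("ALLJOYN_SRP_KEYX", ":1.10", true);   // constructed peer names
    gate.OnAuthComplete("ALLJOYN_SRP_LOGON", ":1.11", true);  // skipped the PIN step
    gate.OnAuthComplete("ALLJOYN_SRP_LOGON", ":1.10", true);
    return (gate.IsFullyAuthenticated(":1.10") && !gate.IsFullyAuthenticated(":1.11")) ? 0 : 1;
}
```

A peer's entry should also be erased when its session ends or its master secret expires, so that a later peer reusing the name starts from the first step.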
