This semester, I created an Android application which processes approval of transactions on the internet in conjunction with a web interface. I walked through the AMPED web interface and server code with my faculty mentor, and we conducted a security analysis of the protocol used in the project. The end result is an application which can be used to handle arbitrary authentication requests, as generated by a server. It performs secure authentication of these requests, and cryptographically signs approved transactions as per the initial proposal. I also produced a reusable Java library which can be incorporated in other projects.
Source code for all parts of the project are available on the web. The code has been released under the GNU General Public License, which allows for free use, modification, and redistribution under certain terms.
- Server + Python client software: http://github.com/lfaraone/mtnas
- Java library and client: http://github.com/lfaraone/mtnac-java
- Android application: http://github.com/lfaraone/mtnac-android (not available yet)
The application is static, and programmatic provisioning for, say, wide deployment, isn’t possible at the present time. In future research I would like to investigate mechanisms for securely provisioning new devices so that we could limit dependence on a secure channel for initial communication, while maintaining the non-repudiation capabilities of AMPED. For example, some combination of a QR code (for an initial shared secret) and a device’s cellular radio could be used to ensure a secure key exchange. After receiving a shared secret, the device would then generate a secret key and transfer the public portion to the server, using the shared secret as an ephemeral key for this purpose. This is similar to what’s used in Google Authenticator, but GA requires both the server and the client be able to generate valid authentication tokens, preventing non-repudiation.
Integrating AMPED into existing software systems would also be potentially fruitful, as this would allow us to see how the project would function under normal usage conditions. To this end, Dr. Simon has expressed interest in the possibility of using a future iteration of AMPED in the administration of wireless sensor networks.