什么是MFA
虚拟MFAMulti-FactorAuthentication多因素认证,是需要一部智能手机并安装虚拟MFA应用程序即可在账户上加上一层安全保险
常见的MFA应用程序,
| 手机类型 | MFA应用程序 |
|---|---|
| iPhone | Google Authenticator |
| Android | 谷歌动态口令 ,身份宝,洋葱 |
| Windows Phone | 身份验证器 |
| Blackberry | Google Authenticator |
MFA应用程序的算法TOTP
TOTP(Time-Based One-Time Password基于时间的一次性密码),其核心内容包括以下三点:
- 共同密钥
- 共同时间
- 共同签署方法
什么系统需要用到
想要安全,什么系统都可以用
以上基本上从网络搜集的资料,接下来看看MFA加到web应用的效果
同样支持自动扫描,手动添加,二选一添加就可以了,添加之后,输入连续2组不同的动态密码,确认后,系统就会开启MFA认证,这样该用户登录系统就会多一次认证
需要保证:安装MFA应用程序手机的时间需要与服务器一致,不然动态密码无法一致
image.png
image.png
image.png
image.png
代码片段
//二维码图片生成
package controllers
import (
"github.com/boombuler/barcode"
"github.com/boombuler/barcode/qr"
"image"
"image/png"
"log"
"os"
)
func WritePng(filename string, img image.Image) string {
file, err := os.Create("./static/images/" + filename)
if err != nil {
log.Fatal(err)
}
err = png.Encode(file, img)
if err != nil {
log.Fatal(err)
}
file.Close()
log.Println(file.Name())
return "/static/images/" + filename
}
func GetQrCode(str string, filename string) string {
code, err := qr.Encode(str, qr.L, qr.Unicode)
if err != nil {
log.Fatal(err)
}
log.Println("Encoded data:", code.Content())
if str != code.Content() {
log.Fatal("data differs")
}
code, err = barcode.Scale(code, 200, 200)
if err != nil {
log.Fatal(err)
}
return WritePng(filename+".png", code)
}
//TOTP相关
package controllers
import (
"crypto/hmac"
"crypto/sha1"
"encoding/base32"
"fmt"
"math/rand"
"strings"
"time"
)
const (
length = 16
)
func toBytes(value int64) []byte {
var result []byte
mask := int64(0xFF)
shifts := [8]uint16{56, 48, 40, 32, 24, 16, 8, 0}
for _, shift := range shifts {
result = append(result, byte((value>>shift)&mask))
}
return result
}
func toUint32(bytes []byte) uint32 {
return (uint32(bytes[0]) << 24) + (uint32(bytes[1]) << 16) +
(uint32(bytes[2]) << 8) + uint32(bytes[3])
}
//密钥生成
func GetSecret() string {
str := "234567abcdefghijklmnopqrstuvwxyz"
bytes := []byte(str)
result := []byte{}
r := rand.New(rand.NewSource(time.Now().UnixNano()))
for i := 0; i < length; i++ {
result = append(result, bytes[r.Intn(len(bytes))])
}
return string(result)
}
func oneTimePassword(key []byte, value []byte) uint32 {
// sign the value using HMAC-SHA1
hmacSha1 := hmac.New(sha1.New, key)
hmacSha1.Write(value)
hash := hmacSha1.Sum(nil)
// We're going to use a subset of the generated hash.
// Using the last nibble (half-byte) to choose the index to start from.
// This number is always appropriate as it's maximum decimal 15, the hash will
// have the maximum index 19 (20 bytes of SHA1) and we need 4 bytes.
offset := hash[len(hash)-1] & 0x0F
// get a 32-bit (4-byte) chunk from the hash starting at offset
hashParts := hash[offset : offset+4]
// ignore the most significant bit as per RFC 4226
hashParts[0] = hashParts[0] & 0x7F
number := toUint32(hashParts)
// size to 6 digits
// one million is the first number with 7 digits so the remainder
// of the division will always return < 7 digits
pwd := number % 1000000
return pwd
}
//动态6位密码
func Totp(secret string, ago int64) string {
keynospaces := strings.Replace(secret, " ", "", -1)
keynospacesupper := strings.ToUpper(keynospaces)
key, err := base32.StdEncoding.DecodeString(keynospacesupper)
if err != nil {
fmt.Println(err)
}
epochsecond := time.Now().Unix()
epochsecond -= ago //ago可以为0,也可以为30,这样可以应付2组密码的情况
pwd := oneTimePassword(key, toBytes(epochsecond/30))
secondsRemaining := 30 - (epochsecond % 30)
//fmt.Sprintf("%06d (%d second(s) remaining)\n", pwd, secondsRemaining)
fmt.Println(secondsRemaining) //这个secondsRemaining没有用到,只是打印下
return fmt.Sprintf("%06d", pwd)
}
//二维码包含内容
func Getotpauth(name, secret, issuer string) string {
otpauth := "otpauth://totp/" + "testwd" + ":" + name + "?secret=" + secret + "&issuer=" + issuer
return otpauth
}
//MFA开启后,登录后验证MFA页面
func (self *UserController) MfaVerifyPage() {
self.TplName = "user/mfapwd.html"
}
//验证MFA动态密码是否正确
func (self *UserController) MfaVerify() {
email := self.GetSession("email")
code := self.Input().Get("code")
if email == nil {
self.Data["islogin"] = false
self.Ctx.Redirect(302, "/")
} else {
_, user := models.FindUserByEmail(email.(string))
if code == Totp(user.Secret, 0) {
self.SetSession("uid", user.Id)
msg := map[string]interface{}{"code": 0, "msg": "success"}
self.Data["json"] = &msg
self.ServeJSON()
} else {
msg := map[string]interface{}{"code": 1, "msg": "invalid code"}
self.Data["json"] = &msg
self.ServeJSON()
}
}
}
func (self *UserController) MFAPage() {
uid := self.GetSession("uid")
if uid == nil {
self.Data["islogin"] = false
self.Ctx.Redirect(302, "/")
} else {
user := models.FindUserDetialById(uid.(int))
//随机密钥
secret := GetSecret()
qrdata := Getotpauth(user.Nickname, secret, "测试村")
//把邮箱md5加密成字符串,当作二维码文件名,这样文件名应该是每个用户只有一个
//不会因为用户多次刷新而生成不必要的文件,以防造成空间浪费
md5ctx := md5.New()
md5ctx.Write([]byte(user.Email))
filename := fmt.Sprintf("%x", md5ctx.Sum(nil))
fmt.Println(filename, "pppp")
self.Data["qrimg"] = GetQrCode(qrdata, filename)
if user.Mfa != true {
user.Secret = secret
models.UpdateUser(&user)
self.Data["secret"] = secret
} else {
//开启MFA,密钥对用户不可见
self.Data["secret"] = "****************"
}
self.Data["islogin"] = true
self.Data["userinfo"] = user
self.Data["IsMFA"] = true
self.TplName = "user/mfa.html"
}
}
//开启MFA
func (self *UserController) SetMfa() {
code1, code2 := self.Input().Get("code1"), self.Input().Get("code2")
uid := self.GetSession("uid")
if uid == nil {
self.Data["islogin"] = false
self.Ctx.Redirect(302, "/")
} else {
user := models.FindUserDetialById(uid.(int))
fmt.Println(code1, code2)
fmt.Println(Totp(user.Secret, 30), Totp(user.Secret, 0))
if code1 == Totp(user.Secret, 30) && code2 == Totp(user.Secret, 0) {
user.Mfa = true
models.UpdateUser(&user)
msg := map[string]interface{}{"code": 0, "msg": "success"}
self.Data["json"] = &msg
self.ServeJSON()
} else {
msg := map[string]interface{}{"code": 1, "msg": "无效密码"}
self.Data["json"] = &msg
self.ServeJSON()
}
}
}
//关闭MFA,关闭也需要验证动态密码
func (self *UserController) CloseMfa() {
code1, code2 := self.Input().Get("code1"), self.Input().Get("code2")
uid := self.GetSession("uid")
if uid == nil {
self.Data["islogin"] = false
self.Ctx.Redirect(302, "/")
} else {
user := models.FindUserDetialById(uid.(int))
fmt.Println(code1, code2)
fmt.Println(Totp(user.Secret, 30), Totp(user.Secret, 0))
if code1 == Totp(user.Secret, 30) && code2 == Totp(user.Secret, 0) {
user.Mfa = false
models.UpdateUser(&user)
msg := map[string]interface{}{"code": 0, "msg": "success"}
self.Data["json"] = &msg
self.ServeJSON()
} else {
msg := map[string]interface{}{"code": 1, "msg": "无效密码"}
self.Data["json"] = &msg
self.ServeJSON()
}
}
}