How do I generate a secure token for a mobile app to protect its data?

Tags:
Authentication
Mobile applications
Security tokens
I recently developed a back-end REST API for my mobile application and now I'm looking to implement token-based authentication so I avoid having the user log in on every run of the application. My first thought was using basic authentication over SSL. So once the user sends the credentials to the server, it creates a secure token and sends it back to the user so they can use it in subsequent requests until the token expires. How would I be able to generate a token that won't be susceptible to things like MoM attacks? Also I would need to make sure the data is stored properly. Does anyone have any advice?
Hi,
The “validation token” works by how the server recalls it.

A general token is a random string; the server keeps in its database a mapping from emitted tokens to authenticated user names. Old tokens can be removed automatically in order to prevent the server’s database from growing indefinitely. Such a token is good enough for security as long as an attacker cannot create a valid token with non-negligible probability, a “valid token” being “a token which is in the database of emitted tokens”. It is sufficient that token values have length at least 16 bytes and are produced with a cryptographically strong PRNG (e.g. /dev/urandom, CryptGenRandom(), java.security.SecureRandom… depending on your platform).

It is possible to offload the storage requirement on the clients themselves. In the paragraph above, what “memory” should the server have of a token? Namely the user name, and the date of production of the token. So, create your tokens like this:
  • Server has a secret key K (a sequence of, say, 128 bits, produced by a cryptographically secure PRNG).
  • A token contains the user name (U), the time of issuance (T), and a keyed integrity check computed over U and T (together), keyed with K (by default, use HMAC with SHA-256 or SHA-1).
Thanks to its knowledge of K, the server can verify whether a given token, sent back by the user, is one of its own or not; but the attacker cannot forge such tokens. I hope this is helpful for you.

Thanks & Regards
Clark kent
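The stateless token from the answer above (user name U, issuance time T, HMAC-SHA256 over both keyed with K), written out as an added example that is not part of the original answer. The names SERVER_KEY, TOKEN_LIFETIME, issue_token and verify_token are my own; the key is generated at import only for the demo, and the one-hour lifetime is an assumed policy.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for the demo: the server's secret key K, 128 bits from a CSPRNG.
# A real server loads K from protected storage rather than generating it at import.
SERVER_KEY = secrets.token_bytes(16)
TOKEN_LIFETIME = 3600  # assumed policy: tokens expire one hour after issuance

def _mac(user: str, issued_at: int) -> str:
    # Length-prefix U and fix T's width so (U, T) pairs cannot be re-split
    # into a different pair that produces the same HMAC input.
    user_bytes = user.encode("utf-8")
    msg = len(user_bytes).to_bytes(4, "big") + user_bytes + issued_at.to_bytes(8, "big")
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")

def issue_token(user: str, now: Optional[int] = None) -> str:
    """Build U.T.HMAC_K(U||T); no server-side storage is needed."""
    issued_at = int(time.time()) if now is None else now
    return f"{user}.{issued_at}.{_mac(user, issued_at)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the token is genuine and unexpired, else None."""
    try:
        user, issued_str, tag = token.rsplit(".", 2)  # user name may contain dots
        issued_at = int(issued_str)
    except ValueError:
        return None
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(tag, _mac(user, issued_at)):
        return None
    current = int(time.time()) if now is None else now
    if issued_at > current or current - issued_at > TOKEN_LIFETIME:
        return None  # issued in the future (clock skew or tampering) or expired
    return user

if __name__ == "__main__":
    t = issue_token("alice")
    print(t, "->", verify_token(t))
```

Because the tag covers both U and T, changing either field, or any character of the tag, makes verification fail; expiry is enforced from T alone, so no token table has to be kept or cleaned up.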
