FreeAuth MIDLet
From FreeAuth Wiki
What is the Free Auth MIDLet?
The FreeAuth MIDLet (formerly known as mOTP+) is an extended version of Mobile OTP, created to be used, among other things, as a Single Sign On client. It generates one-time passwords (a hash of time+magic+pin) on Java-enabled mobile phones. These passwords can be used on systems that support One Time Passwords.
- Current stable version: 2.4.5
- 2.3 version: 2.3.10
- 2.1 version: 2.1.0
- 2.0 version: 2.0.4
- Old protocol version: 1.3.6
- FreeAuth MIDLet Old Changes
- FreeAuth MIDLet Screen Shots
Please don't use any 2.2.x versions; the method of encryption is being revisited and rewritten to work differently.
I've tested the 2.1 version heavily and it seems to be bug free to me; please post any/all bug reports in the footer of this page.
If you are using version 2.0.4 or less you might want to check out the FreeAuth MIDLet Cheat Sheet.
Update
Moved content from MediaWiki to Trac, and added an SVN repository for the code; all code is now online. With Trac there is now a ticket tracking system for tracking bugs etc. Any problems with the MIDlet or feature requests should go in there from now on.
2.4 Change Log
- 2.4.5 Code updates for 2.4.4 broke the ability to delete a secret
- 2.4.4 Updated code to add a confirmation screen when selecting wipe/load defaults from main menu
- 2.4.3 changes timezone config from +/-12 hours to +/-13 hours as New Zealand observes DST during the year and goes from +12 to +13 GMT.
- 2.4.2 fixes restore bug
- 2.4.0-1 Have successfully added RSA code to the MIDlet. The size of the applet increased by 25k as a result and is now about 120k, but the good news is that backups and restores can be completely secured even over non-secure HTTP connections. Part of the management interface specs needs to cover generation of the RSA public/private keys. As per most recommendations it's advised to use 1024-bit or bigger keys, although on most smaller devices with limited CPU cycles, 1024-bit keys are probably a good trade-off.
- RSA modulus stored in JAD file, 1024 bit key storage in JAD tested fine.
- Use the following commands to create/export the required data:
    openssl genrsa -out private.key 1024
    openssl rsa -in private.key -modulus -noout
You should end up with something that looks like:
Modulus=CDA79E85C6163FD23CB91B3D9E8FDEF63712AED9BFDA5EDF1BAA966C071EF4B8EAAFE03CD9C23DE7DE2B0
A12FEDE1E97EADEE0F05A24FC9C11A396B0659BD6582A828C106532717236A3234865A81C9A2CC9192896
6D9DBFC9CD81893C446C734DE4FCD5A1CF15EB7C8727D809DB3A4D2A05C64A8B5F027BE2A95F5EF54B6FCD
Paste that into your JAD file until a management interface exists. It must all be on a single line; the above is wrapped for display purposes only.
- Has primitive backup/restore functionality; this is the basis of enterprise management functionality.
- backup.txt - Proof of concept, fairly basic functionality, requires openssl.
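The modulus step above as a script, added here as an example (not FreeAuth's own tooling): it rejoins a wrapped modulus into the single line the JAD needs and rejects it when the bit length does not match the key size, which catches a line lost in copy and paste. The function names and the constructed sample are assumptions; how the line is keyed inside the JAD is not shown on this page.

```shell
#!/bin/sh
# join_modulus: stdin = modulus text, possibly wrapped; stdout = one line.
join_modulus() {
    hex=$(tr -d ' \t\r\n' | sed 's/^Modulus=//' | tr 'abcdef' 'ABCDEF')
    case $hex in
        ''|*[!0-9A-F]*) echo "join_modulus: not a hex modulus" >&2; return 1 ;;
    esac
    printf 'Modulus=%s\n' "$hex"
}

# modulus_bits: bit length of a one-line "Modulus=HEX" string.
modulus_bits() {
    hex=${1#Modulus=}
    while [ "${hex#0}" != "$hex" ]; do hex=${hex#0}; done  # drop leading zeros
    bits=$(( ${#hex} * 4 ))
    case $hex in
        [4-7]*) bits=$((bits - 1)) ;;
        [23]*)  bits=$((bits - 2)) ;;
        1*)     bits=$((bits - 3)) ;;
    esac
    echo "$bits"
}

# check_modulus BITS: join stdin and fail unless it is exactly BITS long.
check_modulus() {
    line=$(join_modulus) || return 1
    got=$(modulus_bits "$line")
    if [ "$got" -ne "$1" ]; then
        echo "check_modulus: expected $1 bits, got $got" >&2
        return 1
    fi
    printf '%s\n' "$line"
}

# new_modulus FILE [BITS]: the page's two commands plus the check above.
# The page uses 1024 bits; current guidance asks for at least 2048.
new_modulus() {
    ( umask 077; openssl genrsa -out "$1" "${2:-1024}" 2>/dev/null ) || return 1
    openssl rsa -in "$1" -modulus -noout | check_modulus "${2:-1024}"
}

# Constructed sample (not a real key): 256 hex digits wrapped at 86 columns.
sample_wrapped() {
    s=; i=0
    while [ "$i" -lt 64 ]; do s="${s}C3A5"; i=$((i + 1)); done
    printf 'Modulus=%s\n' "$s" | fold -w 86
}

sample_wrapped | check_modulus 1024
```

Run `new_modulus private.key` to generate a key and print the checked one-line modulus; the `umask 077` keeps the private key file readable only by its owner.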
Phones known to work
- Nokia N73
- Tested with Version 2.4.5
- Nokia 6230
- Nokia 6233
- Had to compile the source myself to get it to work, otherwise it would not get past the "Wait for crypto init" dialog
- Had to replace the 7 in showString() with 10 to see all the strings properly
- Nokia 6070
- I've tried to get version 2.4 to work; it seems not to load the entered PIN code correctly. However, 2.3 works well.
- Nokia 6021
- Nokia 2610 (works with 2.3)
- Motorola Razr V3
- Sony Ericsson K300i
- Sony Ericsson K770i
- Had to copy .jad and .jar to phone via cable then install.
- Sony Ericsson K790i
- Palm Treo 650 with Java Virtual Machine installed
- Motorola v525
- Cingular 2125 (AKA: HTC Faraday, T-Mobile SDA)
- Had to copy .jad and .jar to phone via cable then install.
- Motorola L7
- LG KU380
- Blackberry 8300
Phones known NOT to work
- Nokia 6230i
- Tested with version 2.4
- Nokia e70
- version 2.4 works almost perfectly the first time you use it but after quitting the application, it won't generate correct OTP anymore if you come this far at all...
- Sony Ericsson K750i
- version 2.4 doesn't work at all (can't be started)
- version 2.3 partially works but is not usable either
- Sony Ericsson W810i
- Tested with 2.4 halts at crypt eng init
- Tested with 2.3 halts at crypt eng init
- Sony Ericsson W880i
- Sony Ericsson W900i with 2.4.5
- Startup: When the first action is "Info", you can't go "Back" and therefore can't even leave the program
- Init: You have to use "Info" and "Back" after you type in your own password, otherwise you are stuck at the init
- Alias: There's no chance to save the shared secret, because the "Next" button doesn't work if you have to type in the alias
- Comment: I didn't get it to work and I'm not happy that everything works with menus and not with the dedicated keys
- Samsung Z500
- like Nokia e70, it works only once, tested all versions with the same result
- LG Fusic LX-550
- Tested with 2.4, halts with "Abnormal Java exit"
- Nokia 6220 Classic
- Menus don't work. With some effort you can get keys, and with "switch charset" they work; however, after closing the program and reopening it you have to enter all details again and get a new init key, so new keys...

