Dynamic IP Locking: A Poor Mans Multi-factor Authentication - ny-dev | Design & Development Forums
Dynamic IP Locking: A Poor Mans Multi-factor Authentication

  #1 (permalink)  
Old 12-17-2006, 04:57 PM
Taz

Dynamic IP locking: A poor mans multi-factor Authentication

As some people know, financial institutions have to implement multi-factor authentication (FIL-103-2005).

"What is Multi-Factor?
The authentication factors for humans are generally classified into three cases:

* Something the user is (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), voice pattern (again several definitions), signature recognition, unique bio-electric signals produced by the living body, or other biometric identifier)
* Something the user has (e.g., ID card, security token, software token or cell phone)
* Something the user knows (e.g., a password, a pass phrase or a personal identification number (PIN))" - Wikipedia

So what if you want to implement multi-factor authentication for your simple website and not have to pay for commercial solutions? One that is as easy to use as the CAPTCHAs that sites have recently implemented?

I present Dynamic IP locking, which is simply the concept of only allowing login if the user's IP (something they have) matches the one on record.

In the security world there has always been the practice of denying hosts unless they have a certain IP. However, the problem is that nowadays hosts on the internet need to access systems and their IPs are not fixed. The idea is to put in place a logon system that adds a level of security but is by no means a cure-all. IPs can still be forged, just as we use MAC addresses to deny hosts even though they can be spoofed. Your login protocol still checks for a user ID and a password while also checking whether the IP that they signed up with matches the one signing on.

So a person with a normal fixed IP would use their IP. However, a dynamic IP user would enter whatever.dyndns.com or whatever.com. The server would then look up the IP of this subdomain and see if it matches the host. The host would be running a client (https://www.dyndns.com/support/clients/) in the background that sends their dynamic IP to a trusted third-party DNS provider such as no-ip.com. Also, with the release of Windows Vista all users will be able to be given an IPv6 address with its own subdomain to use from Microsoft, called the "Windows Internet Computer Name", a unique domain name. This can be treated as a trusted third party. The attacker could thus still forge the address; however, he would have to know the subdomain to look up in order to spoof it to the server.

Dynamic IP locking would not be the only validation; the user would still have to match user ID, password, and the IP check.

However, to the user this would not be an extra step once a client was running in the background reporting the IP to a trusted third party.

One of the main benefits is that current brute-forcing software would not have this factor built in for its password-cracking attempts. Some might think this would cause problems if a user went to a library and didn't have that IP allowed to log in. You can still log in to your third party and update your IP to the current place of login. Of course, if logging in on an untrusted machine you will be exposing yourself. If a third-party Dynamic DNS provider was DoSed, logins would fail with multiple systems.

At its simplest, the PHP code would look like this. Of course, in an actual implementation your software would be more complex. A non-production example of a login with Dynamic IP locking is at the bottom.
Code:
 
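<?php
// Resolve the hostname on record (IPv4 only). On failure gethostbyname()
// returns the hostname unchanged, so the comparison below simply fails.
$ip = gethostbyname('zat.isa-geek.com');

// Compare the resolved address with the address of the connecting client.
if ($ip === $_SERVER["REMOTE_ADDR"]) {
    echo "success";
} else {
    echo "fail";
}
?>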

It is also best to have this as an option to enable instead of being forced, just as AOL users were given the option to use SecureID but were not required to.


People could just hack into the site you use for your dynamic DNS, but then they would have to know which one you use.

If they wanted to get into, say, your message board account, they would have to know where your dynamic DNS is and crack into an additional login and password pair.


The following is example code only and SHOULD NOT be used in production.
Code:
 
<form method="post" action="http://whatever.com/iplogon.php">
  <input name="user" type="text">
  <input name="pw" type="password">
  <input type="submit" value="Submit">
</form>

This is a simple form to use to submit to our PHP script.


Now we create the MySQL entries we will pull. meow is a user ID and its password is "password". moo also has the password "password". zat.isa-geek.com is the hostname whose IP you want the script to look up.

Code:
#
# Table structure for table `users90`
#

CREATE TABLE `users90` (
  `username` varchar(99) NOT NULL default '',
  `password` varchar(99) NOT NULL default '',
  `ip` varchar(255) NOT NULL default ''
) ENGINE=MyISAM;

#
# Dumping data for table `users90`
# (the password column holds the SHA-1 hex digest of the password)
#

INSERT INTO `users90` VALUES ('meow', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', 'zat.isa-geek.com');
INSERT INTO `users90` VALUES ('moo', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', '127.0.0.1');


Code:
<?php
// Example only: not for production use.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    check();
}

function check()
{
    // mysqli replaces the mysql_* extension, which no longer exists in PHP 7+.
    $db = new mysqli("localhost", "user", "password", "database");
    if ($db->connect_error) {
        die("database connection failed");
    }

    // Read both fields from $_POST; do not array_pop($_POST), which would
    // discard 'pw' with the form above.
    $username = trim($_POST['user'] ?? '');
    $password = trim($_POST['pw'] ?? '');
    // Unsalted SHA-1, only because the sample rows store sha1('password').
    $sha1pwd = sha1($password);

    // User ID and password check; bound parameters replace manual escaping.
    $stmt = $db->prepare(
        "SELECT `ip` FROM `users90` WHERE `username` = ? AND `password` = ?"
    );
    $stmt->bind_param("ss", $username, $sha1pwd);
    $stmt->execute();
    $stmt->bind_result($iphmm);

    if ($stmt->fetch()) {
        // Debug output, escaped because it comes from the database.
        echo htmlspecialchars($iphmm) . " This is ip from mysql <br>";
        // Resolve the hostname (or literal IP) on record.
        $ip = gethostbyname($iphmm);
        echo "<br> This is ip from gethost " . htmlspecialchars($ip);
        // IP check: the client must connect from the address on record.
        if ($ip === $_SERVER["REMOTE_ADDR"]) {
            echo "You entered the magical place";
        } else {
            echo "failed";
        }
    } else {
        echo "failed";
    }
}
?>

Last edited by danielmichel; 12-27-2006 at 12:36 PM. Reason: Reverted back to original
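
An added example, not part of the original post or the forum's code: `gethostbyname()` returns a single IPv4 address and hands back the hostname unchanged when the lookup fails, so this sketch compares the client against every A and AAAA record for the stored name and fails closed. `normalizeIp`, `dnsResolver` and `ipMatchesRecord` are hypothetical names, and the lookup table stands in for DNS with constructed addresses.

```php
<?php
// Added example, not the original poster's code. All function names are
// hypothetical and all sample addresses are constructed.

/** Binary form of an IP, with IPv4-mapped IPv6 folded to IPv4; null if invalid. */
function normalizeIp(string $ip): ?string
{
    $bin = @inet_pton($ip);
    if ($bin === false) {
        return null;
    }
    $mappedPrefix = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($bin) === 16 && substr($bin, 0, 12) === $mappedPrefix) {
        return substr($bin, 12);
    }
    return $bin;
}

/** Live resolver: every A and AAAA record for a hostname. */
function dnsResolver(string $host): array
{
    $records = @dns_get_record($host, DNS_A | DNS_AAAA) ?: [];
    $ips = [];
    foreach ($records as $r) {
        $ips[] = $r['ip'] ?? $r['ipv6'];
    }
    return $ips;
}

/** True only if the client address equals the stored IP or one it resolves to. */
function ipMatchesRecord(string $record, string $remoteAddr, callable $resolve): bool
{
    $client = normalizeIp($remoteAddr);
    if ($client === null) {
        return false;                      // fail closed on a malformed address
    }
    // A literal IP on record is compared directly; a hostname is resolved.
    $candidates = normalizeIp($record) !== null ? [$record] : $resolve($record);
    foreach ($candidates as $ip) {
        $bin = normalizeIp($ip);
        if ($bin !== null && hash_equals($bin, $client)) {
            return true;
        }
    }
    return false;                          // no records, lookup failure, or mismatch
}

// Constructed lookup table standing in for DNS so the example runs offline.
$fake = fn(string $h): array => ['zat.isa-geek.com' => ['192.0.2.10', '2001:db8::10']][$h] ?? [];
var_dump(ipMatchesRecord('zat.isa-geek.com', '2001:db8::10', $fake));      // IPv6 record
var_dump(ipMatchesRecord('zat.isa-geek.com', '::ffff:192.0.2.10', $fake)); // mapped IPv4
var_dump(ipMatchesRecord('no-such-host.example', '192.0.2.10', $fake));    // unresolved host
```

In a live login, pass `'dnsResolver'` as the third argument and `$_SERVER['REMOTE_ADDR']` as the second. Behind a reverse proxy or load balancer `REMOTE_ADDR` is the proxy's address, so the check is only meaningful where the web server sees the client connection directly.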
  #2 (permalink)  
Old 12-18-2006, 06:40 PM
johnboulder

Brilliant note here, Taz.

I tend to stay away from IP or host locking, as in a lot of cases the user's IP address is not even the same across requests, depending on their ISP.

You could also get multiple requests from the same IP being different users on the same network sharing infrastructure the ISP has.

However, a great post nonetheless.

I've moved this post to tutorials, as it's more suited to this particular category.

Regards
__________________
Sean Johnstone
  #3 (permalink)  
Old 12-18-2006, 09:32 PM
Taz

Quote:
Originally Posted by johnboulder
Brilliant note here, Taz.

I tend to stay away from IP or host locking, as in a lot of cases the user's IP address is not even the same across requests, depending on their ISP.

You could also get multiple requests from the same IP being different users on the same network sharing infrastructure the ISP has.

However, a great post nonetheless.

I've moved this post to tutorials, as it's more suited to this particular category.

Regards

I would like to point out that while the example code is in PHP, there is nothing stopping this concept from being implemented in C++, Perl, in anything!

Maybe you want to edit the code for your VNC.
  #4 (permalink)  
Old 12-18-2006, 09:36 PM
Taz

Also, now the link that was posted on http://www.digg.com/programming/Dyna...uthentication/
http://www.ny-dev.com/forums/website...tion-1253.html
doesn't work since you moved it and it isn't symlinked.
  #5 (permalink)  
Old 12-19-2006, 03:42 PM
johnboulder

I can move it back if you'd like

The only reason I moved it here was I felt it was more of a tutorial concept.

As an aside, it may be better to reference the post by the thread number, as that isn't changed by the topic being moved. (In this case, http://www.ny-dev.com/forums/showthread.php?t=1263)

I humbly apologise if I've messed you about

Let me know
  #6 (permalink)  
Old 12-19-2006, 03:59 PM
danielmichel

I'm not sure the link would even be the same if it were moved back.
Good call; no way you could have known about the whole digg thing.

He did however get 9 diggs in a very short time before the digg was retired.
I will re-submit the digg with this URL in a couple days if possible.
  #7 (permalink)  
Old 12-19-2006, 08:16 PM
danielmichel

The new digg - Dynamic IP Locking: A Poor Mans Multi-factor Authentication
  #8 (permalink)  
Old 12-21-2006, 09:13 AM
iughk

Got the #1 Google spot for Dynamic IP Locking search.
  #9 (permalink)  
Old 12-21-2006, 10:01 AM
danielmichel

If only you could combine or edit diggs as the digg author.

This one has 4 diggs - digg - Dynamic IP Locking: A Poor Mans Multi-factor Authentication
This one has 11 diggs - digg - Dynamic IP locking: A Poor Mans Multi-factor Authentication
(broken link)
and the one you linked to has 2 diggs.

I'm going to contact digg about it when I get a chance.
  #10 (permalink)  
Old 01-02-2007, 11:37 PM
SHP

Another one on Hotscripts
Dynamic IP Locking
  #11 (permalink)  
Old 01-12-2007, 09:52 PM
Contention

This is curious
Detail: Dynamic IP Locking: A Poor Mans Multi-factor Authentication