01-06-2016 05:58 PM
jemandel,
We DM'd offline, but I wanted to share the primes publicly in case others run into the same question.
It would be awesome if you could link to your working python code once you get it working!
Here you go:
I believe the information your implementation is missing is our list of large primes and generators, which are the N and g SRP values. The N value returned by the first GET /login request is a (non-base64-encoded) index into that list that varies per user. I haven’t tried using the Python SRP module, but from the documentation, I think this is the API you need:
# 1024-bit primes used by NI-Auth encoded as hex strings
primes = [
'89e254be99e30e74bc0a340bb1e54c57af9b2cf1f66cd40b1558f59d5812ac2744ae42c6506868b2e6dc824e88ed7a2a338d7b445aae54c66faa05ccc2082fa09cafcb4d37a972b56ee90e2e55b57115ba28b0b34419633ec306e9678d6caa806ad557d4c0c7b5cfdddf9078ab6649fd45c3cc5084d87fcc6db247ef2ca5af67',
'd571662aeca6cb26dadf529c1285971c9728d9eaa0811c54f7fa2330f3c090c68c446c3d5b12201297d91acc413a563f65c8816855a16d977a8182b70046181225b537e9e81438c1432a273e4dd982e125bfd0e007c6effdbc3df94f68f032b549c8c992b7a312fa0fdabf419fa9c034f779da5d3976282457af2fdba7f36f47',
'889590ff134b81a40cf00ad7810e239abe323b0e0443ca5c8d0aa9244368b98f4a7cce648ce18976238b9d5619ab30cce9b93bc085420683bcf377675a8e225d5be3b0fd443d9f1fb3d0f6feed5b5ed7dcabbf995a0bd618099a8aff64d92014f2dab85b87edb1e320f820f5aada465f2948c635a24781ad7997606c5012f0c7',
'e5ac60d3ae3e2c8dea44fb9835b8298e512aa052e903a54c7497c7b389091a8ef80a5da8e04e495f091c783dba5b14fa3f3c211d97aaa436c93a0147677d8ea8b89bae40eb2e72f6a70ac60e6a10ea520f38b8142630a692b377e52f9d5ec1713335ce2ec670cfc270a239a317e0f09d1282bfe51fe3d577efcc6f5fba60e217',
'a0e1695049f409dbd690217785e0ff7ad8da94e8ae8ace771a06e021a35b87a2532a2160b39a8dd4fb8a5c120686d43db66c63f8989901433357903296275b07560afe5d4332affb619a03d67c92903c05d184b768932df90e12e4fcc7ba80dacc223ffd9cc22fc9c31b9eb902e9db831fa4420af7eddb1849d0d8f2b74e3957'
]
generators = [ '0b', '11', '05', '05', '05' ]
usr = srp.User( username, 'password', ng_type=srp.NG_CUSTOM, n_hex=primes[N], g_hex=generators[N] )
Otherwise the implementation you posted looks like the correct way to get A and M to POST.
06-01-2016 06:01 AM
Has any more detail documentation been put anywhere on this?
Going through the same process with Javascript so we can share authentication between webDAV and a thin client.
Found a suitable SRP library that will have to be modified to take the NI primes so think I should be able to get as far as the authentication, just curious to know if there are any other pitfalls along the way.
Cheers,
James
06-02-2016 04:56 PM
Hey James,
It looks like this forum has been dead for about six months.
If you didn’t find the information that you need here, I’d recommend posting a new forum post over on this community page.
https://decibel.ni.com/content/groups/web-services?view=discussions
You probably have a greater chance of getting your question answered there.
06-02-2016 05:48 PM
James -
Unfortunately my last post is still the latest and greatest info on this topic.
Let us know if you get it working!
10-21-2016 12:39 AM
Hi,
Any update on this discussion. I need some support on the following…
I have enabled web service in C-RIO and able to access the web methods from the Internet Explorer (with Silverlight installed). First time it always redirect to the NI authentication page... after entering user name and password, web method is getting executed properly.
Find below the normal handshake between Internet Explorer (with Silverlight) and C-RIO for NI authentication
Need support to do the same NI authentication from the C# code… It will be helpful if you share any working sample code for the NI authentication (without Labview client)
From C# code:
I am able to get the ”N”, ”s”, ”B”, ”ss” values from C-RIO. I am getting stuck in calculating the “A” and ”M” values.
I hope to compute "A", we need the random number which is used to create the variable "B" in server, Please let me know how to compute A and M values in C# code.
Note: As a work around, I have created an DLL from Labview for NI authentication and included that DLL in my C# code then it works fine but client need to install NI run time engine also… We don’t want to install NI run time engine in the client systems.
Regards,
Johnson
10-21-2016 08:05 AM
I've had an off-line discussion with several engineers at NI. The problem is that SRP is not really a standard. Depending on which BASE64 encoding you use, and which of the many SRP libraries you call, you may get different results. I got as far as writing the client in Java (3 different ways) before giving up. I'm moving my efforts to Open ID. The advantage of SRP is that the password is protected, and the assumption is that if you have an "NI device" and the password, you are an authorized user. Once you move to hardware like a Raspberry PI, you can easily make hundreds of copies of the device for the cost of one RIO and share the password amongst them. So for me, having a unique key (HOTP, TOPT) that gets passed to a verifier is the better solution. This could be Google Authenticator, Yubikey, etc. I'm working on this in Apache Tomcat 8.5, and hope to have something working soon. If NI Web Services could call an external verifier, implementing this would be easy, but it doesn't seem to be in their roadmap.
Jeff
08-24-2017 09:53 AM
Hi Jeff,
Sad to hear you didn't get very far.
I've picked this up again at the minute and started a new thread at https://forums.ni.com/t5/LabVIEW-Web-Development/Using-NI-Auth-from-Javascript/td-p/3680229 if anyone comes across this and has any input.
Cheers,
James