Google Meet
GitHub Repository
Login Server
Bifrost

AIM:

The aim of this project is to develop a secure Bifrost Two-Factor Authentication (2FA) system using the Diffie–Hellman Key Exchange algorithm and TOTP authentication to enhance user security and protect sensitive data from unauthorized access. The project focuses on secure key exchange, encrypted communication, and generation of time-based OTPs using HMAC-SHA1 hashing, thereby providing an additional layer of authentication and improving cybersecurity in modern digital systems.
 

INTRODUCTION:

With the rapid growth of digital technology and online services, securing user data and communication has become essential in cybersecurity. Traditional password-based systems are vulnerable to hacking, phishing, and unauthorized access. To improve security, this project implements a Bifrost Two-Factor Authentication (2FA) system integrated with the Diffie–Hellman (DH) Key Exchange algorithm, which allows the secure exchange of cryptographic keys over a public network without directly sharing the secret key.

The project also utilizes the Time-Based One-Time Password (TOTP) algorithm to generate secure 6-digit verification codes. TOTP uses HMAC-SHA1 hashing to generate a 20-byte hash value, from which the OTP is dynamically extracted. Because this code changes at regular time intervals, it provides a rigorous additional layer of security.

To support these client-side cryptographic operations, a robust backend architecture was developed using Python and the Flask framework. This server-side implementation provides a secure, stateful environment by utilizing a persistent SQLite database managed via SQLAlchemy. The backend ensures the integrity of the key exchange and the subsequent TOTP verification through single-use API endpoints and automated lifecycle management of temporary connection states. Together, these components demonstrate a practical, full-stack application of cryptography and secure authentication in modern systems.

Methodology:

1. Problem Identification & System Architecture

    Traditional password-based authentication systems are vulnerable to cyberattacks such as hacking, phishing, and unauthorized access. To mitigate these vectors, this project implements a Two-Factor Authentication (2FA) system bridging a C++ client terminal (Bifrost) and a Python web server. The architecture is explicitly designed to separate cryptographic computations from state management. The backend utilizes the Flask framework and an SQLite database (managed via SQLAlchemy) to handle API routing and secure storage, while the C++ client leverages low-level memory management for rapid cryptographic execution.

2. Diffie–Hellman Key Exchange

    Diffie–Hellman is a cryptographic algorithm used to securely exchange secret keys over a public network. In this method:

• Both users generate private and public keys using a large prime number and generator value

• The C++ client utilizes the CPR library to execute HTTP POST requests, transmitting its public key to the server

• Both sides independently compute the same shared secret key without directly transmitting it. The C++ client utilizes the Boost library to accurately handle and compute these massive cryptographic integers

• This shared secret key is then used for secure communication and authentication

3. TOTP Authentication

    The project also uses the TOTP (Time-Based One-Time Password) algorithm for two-factor authentication.

• TOTP generates a temporary 6-digit verification code
• It uses the HMAC-SHA1 hashing algorithm to generate a secure 20-byte hash value
• Dynamic truncation is performed on the hash to extract the final 6-digit OTP
• Since the OTP changes every 30 seconds, it provides an extra layer of security

4. Backend Architecture & Security Protocols

    To support the client-side cryptographic operations and secure the entire authentication lifecycle, a robust backend architecture was developed using Python and the Flask framework. This server-side implementation provides a secure, stateful environment by utilizing a persistent SQLite database managed via SQLAlchemy:

• Ephemeral API Endpoints

     The network routes facilitating the Diffie-Hellman key exchange (e.g., /signup/<code>) are explicitly designed to be single-use. Once the C++ client completes the handshake, the server executes an atomic database DELETE operation. This "burn-after-reading" protocol permanently destroys the endpoint and temporary keys, neutralizing any risk of cryptographic replay attacks.

• Automated State Sanitization

     To prevent database bloat and mitigate exposure from abandoned login attempts, all pending connections are assigned a strict 5-minute Time-To-Live (TTL). The backend integrates an automated garbage collection routine that passively sweeps the SQLite database during incoming requests, actively purging any expired connection states to ensure a secure environment.

• Asynchronous UI Polling

    To provide a seamless user experience, the web frontend decouples from the backend using non-blocking JavaScript fetch API calls. The browser continuously polls a dedicated status endpoint every two seconds. The moment the server detects a successful terminal connection, it autonomously redirects the user to the final TOTP verification portal, eliminating the need for manual, synchronous page reloads.

Additional Utilities:

• Type Conversions

    The system utilizes various type conversions, transforming data between bytes, string, and cpp_int formats to ensure compatibility across different cryptographic operations.

• Key Resizing

    To maintain consistent hash outputs for identical numerical values, a key resizing mechanism has been implemented, ensuring the shared secret is formatted correctly prior to hashing.

• Large Prime Generation

    The system facilitates the secure generation of large prime numbers, which serve as the foundation for establishing the cryptographic secret key.

5. Working:

    To demonstrate working of Bifrost, we have created a login server where the user will enter credentials like username and password, then the OTP generated by Bifrost. 

Working of Bifrost:

Phase 1: Initialization & Network Handshake

• Session Creation: The user initiates a new device binding via the Flask web interface. The server generates a random 6-digit binding code and stores it in the PendingExchange database table with a strict 5-minute expiration timer
• Key Transmission: The user inputs this 6-digit code into the C++ Bifrost terminal. The terminal generates its Diffie-Hellman public key and transmits it to the server's single-use API endpoint (/signup/)
• Shared Secret Generation: Both parties independently compute the exact same shared secret key using their respective private keys. The server securely stores this secret in the database and immediately deletes the temporary endpoint to prevent replay attacks

Phase 2: Time-Based One-Time Password (TOTP) Generation

Once the secure channel is established and the asynchronous web UI redirects the user to the login portal, the OTP is generated using the strictly defined TOTP algorithm:

2.1 Time Step Calculation

The current Unix time is divided by 30 to generate a time step value, which changes every 30 seconds.

T = Unix Time / 30

2.2 HMAC-SHA1 Computation

The established shared secret key and the calculated time step (T) are provided as inputs to the HMAC function using the SHA-1 hashing algorithm. This operation produces a 20-byte hash output.

2.3 Dynamic Truncation

To derive a numeric value from the generated hash, dynamic truncation is performed as follows:

• The last byte of the HMAC output is examined
• Its lower 4 bits are used to determine an offset value between 0 and 15
• Starting from this offset, four consecutive bytes are extracted from the HMAC output
• These four bytes are combined to form a 31-bit integer sample value
• The most significant bit is ignored to ensure that the resulting value remains positive

2.4 OTP Generation

Finally, the positive sample value is reduced to the required number of digits using the modulo operation. If a standard 6-digit OTP is required, the following computation is performed:

OTP = Sample mod 10⁶

More generally, where d represents the number of desired digits in the OTP:

OTP = Sample mod 10^d

Result:

1. Successful Diffie–Hellman Key Exchange

The Bifrost Authenticator successfully establishes a secure communication mechanism using the Diffie–Hellman Key Exchange Algorithm.

During execution:

• A private key and public key pair is generated on the client side
• The public key is exchanged with the server
• Both the client and server independently compute the same shared secret
• The actual secret key is never transmitted over the network

Outcome:

• Secure key exchange achieved
• Confidentiality maintained
• Protection against eavesdropping attacks

2. Consistent Byte-Based Cryptographic Handling

One of the major improvements in the project was converting sensitive cryptographic data into a uniform Bytes-based representation.

Important implementation observations:

• Keys are internally handled as raw Bytes
• Conversion to strings or integers is performed only when required
• The shared secret is resized to a fixed length before hashing operations
• The resized secret is stored in lowercase hexadecimal format inside shared_secret.txt

Why this is important:

Even a very small variation in key length, padding, formatting, or encoding can generate completely different hash outputs.

Using a fixed byte representation ensures:

• Stable hashing behavior
• Reproducible cryptographic results
• Consistent HMAC generation
• Better interoperability between systems

Conclusion:

    This project successfully demonstrates the implementation of a secure Bitfrost Two-factor Authentication (2FA) system using the Diffie-Hellman Key exchange algorithm and TOTP authentication.The system improves security by enabling secure exchange of cryptographic keys and generating time based one time passwords for user verification . The use of HMAC-SHA1 hashing in TOTP provides secure and dynamic OTP generation, reducing the risk of unauthorized access and cyber attacks.

    The project also helped in understanding practical concepts of cryptography, secure authentication, key exchange mechanisms, and cybersecurity implementation using Python and C++. Overall, the system provides a reliable and efficient authentication method that can be applied in modern digital applications to enhance data security and user protection.