Authentication SMS OTP Consent

In order to benefit from the SMS OTP Authentication and Consent, the Service Provider must provide the end-user’s mobile number in his API request. The mobile number must be encoded (see below) added to the request using the login_hint query_string parameter.

Creating the login_hint for SMS OTP Authentication and Consent:

The mobile number must be cyphered (see below) and before to be added in the request through the "login_hint" parameter.

The login_hint is formed with the user’s MSISDN and a timestamp. It then is encoded in AES-256-CB.

In order to be added into the URL, the login_hint must be URL encoded.

Encoding process:

MSISDN to encode:

msisdn: 33612345678

UNIX Timestamp in millisecondes (i.e. new Date().getTime();)

timestamp: 1453891409214

MSISDN et Timestamp in clear ( timestamp "_" msisdn) (ASCII):

1453891409214_33612345678

Generation of a 128-bits Initialization Vector for each encoding:

f672e6d89b73dbfb0b97cbe18f89c2ba
(openssl rand -hex 16 )

Derivation of <key> from the <client_secret>:

key := bin_2_hexa( sha256( ascii_2_binary(<client_secret>) ) )
e.g. key = crypto.createHash("sha256").update(client_secret).digest();

Login_hint encoded in AES-256-CBC:

AES input (ASCII): "1453891409214_33612345678"
AES key (hexa): 617a65727479617a65727479617a65727479617a65727479617a65727479617a
AES IV (hexa): f672e6d89b73dbfb0b97cbe18f89c2ba
AES output (base64): CxaTp04yCdvx8JAqNHdGCK7GGObeGrGBCUvHtcXv1Nk=
openssl aes-256-cbc -v -a -K 617a65727479617a65727479617a65727479617a65727479617a65727479617a -iv f672e6d89b73dbfb0b97cbe18f89c2ba -in clear_1.txt -out cypher_base64_1.txt ; more clear_1.txt ; more cypher_base64_1.txt

Adding the Initialization Vector (de 128bits) to the encoded MSISDN in order to form the login_hint:

f672e6d89b73dbfb0b97cbe18f89c2ba_CxaTp04yCdvx8JAqNHdGCK7GGObeGrGBCUvHtcXv1Nk=

URL-encoded login_hint :

f672e6d89b73dbfb0b97cbe18f89c2ba_CxaTp04yCdvx8JAqNHdGCK7GGObeGrGBCUvHtcXv1Nk%3D

N.B.: Exemple of encoding javascript:

var cryptoModule = require('crypto'), //http://nodejs.org/api/crypto.html
       loginHint="msisdn_value", // A valoriser Exemple: 33112233445
       timestamp = new Date().toISOString(),
       iv = cryptoModule.randomBytes(16),
       key = cryptoModule.createHash("sha256").update("client_Secret").digest(); // Valoriser client_secret : password du partenaire
  console.log("key=" + key.toString('hex'));
  console.log("iv=" + iv.toString('hex'));
  var cryptoCipher = cryptoModule.createCipheriv("aes-256-cbc", key,iv),
       cypheredLoginHint = cryptoCipher.update(timestamp+"_"+loginHint,'utf8', 'base64') + cryptoCipher.final('base64'),
       finalcypheredLoginHint = encodeURIComponent(iv.toString("hex")+"_"+cypheredLoginHint);
  console.log("cypheredLoginHint = " + cypheredLoginHint);
  console.log("finalcypheredLoginHint = " + finalcypheredLoginHint);

Your user will be prompted with a UI requesting a SMS-OTP he received on the MSISDN provided in the request. The SMS-OTP reads as follows: « Orange Info : Vous recevez ce code (CODE) car un partenaire d'Orange (CLIENT_NAME) a formulé une demande d'accès à vos données personnelles. »

Anti-spam

As the Client is responsible for collecting and providing the MSISDN into the URL, it is his responsibility to ensure all antispam securities have been set in place in his application/service. If the Client’s application/service was to be used by a tier to perform an attack of the SMS-OTP authentication system, the service could be temporally suspended for that Client pending the deployment of upgraded securities.