In the previous User Registration HOWTO we saw how to register a user. In this guide we explain how the server provisions Hauskeys applications for user accounts using the account activation application.

Bundled Account Activation Web Application

Besides the registration application, Triplesec has another web application bundled with the server. It is added as a web application to Triplesec's embedded web server. This application manages the creation, provisioning, and activation of Hauskeys applications for newly created accounts.

Once a new user account is created, a unique activation key is assigned to the user. This activation key uniquely identifies the user in the realm. The activation application waits for new users to navigate to a special URL containing this activation key. An example of the URL for a new account is shown below:

http://demo.safehaus.org/activation/831902388104/Hauskeys.jar

This URL is sent to cell phones and email addresses using SMS or email respectively. When the user navigates to this URL to download their personal, customized Hauskeys application for their new account, the activation application goes through the following steps:

  1. Looks up the new user account with the activation key 831902388104
  2. If no account exists for this activation key, builds a decoy midlet and sends it back without further processing to dupe attackers
  3. Builds a Hauskeys.jar for this account with security information encrypted and bundled into the jar
  4. Responds to the request by streaming the newly assembled Hauskeys.jar to the client
  5. Finally, sends another notification to the user with a URL for activating this account

These steps are taken to provision the application to the client. After the client downloads the application and installs it onto their cell phone, they receive the second notification message containing the following URL for this example:

For SMS Notifications:
http://demo.safehaus.org/activation/831902388104/activate.wml

For Email Notifications:
http://demo.safehaus.org/activation/831902388104/activate.html

When the user navigates to this URL, the server takes the following actions:

  1. Looks up the new user account with the activation key 831902388104
  2. If no account exists for this activation key, takes no further action
  3. If the account exists, removes the activation key, effectively activating the account

As can be seen, no activation key means the account has been activated. Hence, using the admin tool, you can reprovision a new Hauskeys application to existing users whose phones have broken or have been lost by changing the mobile number and adding a new activation key to the account.
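
The two request flows and the reprovisioning step described above, as an added Python model that is not Triplesec code. The account store, the outcome labels and the names `handle`, `find_account` and `reprovision` are hypothetical, and the 12-digit key format is assumed from the sample URL.

```python
import re
import secrets

# Constructed sample account; a real server would query its own account store.
ACCOUNTS = {"alice": {"activation_key": "831902388104",
                      "mobile": "+15555550100", "channel": "sms"}}
OUTBOX = []  # (user, url_path) notifications that would go out by SMS or email

PATH_RE = re.compile(r"/activation/([0-9]+)/(Hauskeys\.jar|activate\.(?:wml|html))")
ACTIVATE_PAGE = {"sms": "activate.wml", "email": "activate.html"}


def find_account(key):
    """Return the user holding this pending activation key, or None."""
    for user, account in ACCOUNTS.items():
        pending = account.get("activation_key")
        if pending is not None and secrets.compare_digest(pending, key):
            return user
    return None


def handle(path):
    """Dispatch one request path; returns (outcome_label, user_or_None)."""
    match = PATH_RE.fullmatch(path)
    if match is None:
        return ("not_found", None)
    key, resource = match.groups()
    user = find_account(key)
    if resource == "Hauskeys.jar":
        if user is None:
            return ("decoy", None)  # unknown key: decoy midlet, nothing else happens
        page = ACTIVATE_PAGE[ACCOUNTS[user]["channel"]]
        OUTBOX.append((user, f"/activation/{key}/{page}"))  # second notification
        return ("provisioned", user)  # stands in for building and streaming the jar
    if user is None:
        return ("ignored", None)  # unknown key: no further action
    del ACCOUNTS[user]["activation_key"]  # removing the key activates the account
    return ("activated", user)


def reprovision(user, mobile):
    """Admin-side reissue: new number plus a fresh key makes the account pending again."""
    key = f"{secrets.randbelow(10**12):012d}"  # assumed 12-digit format
    ACCOUNTS[user].update(activation_key=key, mobile=mobile)
    return key
```

Because activation deletes the key, a replayed download or activation URL falls into the unknown-key branch and gets the decoy or no action, the same as a guessed key.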
