List: cryptography
Subject: Re: how to properly secure non-ssl logins (php + ajax)
From: Ivan Krstić <krstic () solarsail ! hcs ! harvard ! edu>
Date: 2009-02-18 1:36:40
Message-ID: 9A70FB72-27D0-4708-B315-5860B8D72FD1 () solarsail ! hcs ! harvard ! edu
On Feb 15, 2009, at 7:30 AM, Rene Veerman wrote:
> Recently, on both the jQuery(.com) and PHP mailing lists, a question
> has arisen on how to properly secure a login form for a non-ssl web
> application.
What's the threat model?
> users[user_id].user_login_hash = onewayHash(user_login_name +
> preferences.pref_system_hash);
That you're hashing the username suggests you're worried about
eavesdroppers identifying the user at login time. But without SSL,
it'll almost certainly be trivial for an eavesdropper to identify the
user _after_ they log in. What's the threat model?
> //checks since when [browser IP] has last received a new challenge,
> if < threshold : make a new challenge. else return old challenge.
It is incorrect to rely on a bijection between IPs and users.
> "preferences.pref_system_hash">
What you're calling a system hash is usually referred to as salt.
> // walk through all the records in users table, for each, calculate:
This is a completely broken approach, and prohibitive for applications
with more than a handful of users.
I suggest you start by trying to write down a clear, brief and
coherent threat model. Once that's done, you can solicit feedback
until you're satisfied with the definition of what you're trying to
build. Once you can focus on implementation, I suggest looking at
things like bcrypt, PBKDF2, and SRP as background reading.
Cheers,
--
Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
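As an added illustration of the three points raised in the reply (a single system-wide salt, challenges keyed by client IP, and walking the whole users table), here is server-side Python that is not from the original thread: per-user random salts with PBKDF2, direct lookup by username, and single-use challenge nonces keyed by session. The in-memory store, iteration count and TTL are assumptions for the example; it covers storage and challenge bookkeeping only, not the transport question, which the reply leaves to SSL or SRP.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory user store for this example: username -> record.
# Each user gets a random salt at registration; one system-wide
# "pref_system_hash" would let a single precomputed table cover every account.
USERS = {}
PBKDF2_ITERATIONS = 200_000   # assumed work factor for the example
CHALLENGES = {}               # session_id -> (nonce, issued_at)
CHALLENGE_TTL = 120           # seconds a challenge stays valid (assumed)

def register(username, password):
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username] = {"salt": salt, "verifier": verifier}

def verify_password(username, password):
    # Direct lookup by username: no walk over every record in the users table.
    rec = USERS.get(username)
    if rec is None:
        # Run the KDF anyway so an unknown user costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, rec["verifier"])

def issue_challenge(session_id, now=None):
    # Keyed by session, not by client IP: many users share one IP behind NAT
    # and one user can change IPs mid-session.
    now = time.time() if now is None else now
    nonce = secrets.token_bytes(16)
    CHALLENGES[session_id] = (nonce, now)
    return nonce

def consume_challenge(session_id, nonce, now=None):
    # Single use (popped on first check) and time-limited.
    now = time.time() if now is None else now
    entry = CHALLENGES.pop(session_id, None)
    if entry is None:
        return False
    stored, issued_at = entry
    return hmac.compare_digest(stored, nonce) and (now - issued_at) <= CHALLENGE_TTL
```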