Comments on: Secure PHP/JavaScript login without SSL http://www.lightcubesolutions.com/blog/?p=47 Hints, experiences and insights from LightCube Solutions Sun, 15 Aug 2010 22:11:55 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: JH http://www.lightcubesolutions.com/blog/?p=47&cpage=1#comment-79 JH Sun, 12 Jul 2009 17:53:07 +0000 http://www.lightcubesolutions.com/blog/?p=47#comment-79 (Replying to Alexander): You're right, there are still potential weaknesses with this method. However, the threat you pointed out could still exist when using SSL encrypted connections, depending on how the passwords are stored, as the admins could still sell passwords or password equivalents. As you say, defining the model becomes important. In this particular scenario, we assume that the admins can be trusted not to sell password equivalents, but the actual password remains a personal and privately known string. For the stated purpose of sending private password strings over an unencrypted connection, this method does fill the need. Even so, thanks for the pointer to SRP, it will be something I will look into more as I have time. (Replying to Alexander): You’re right, there are still potential weaknesses with this method. However, the threat you pointed out could still exist when using SSL encrypted connections, depending on how the passwords are stored, as the admins could still sell passwords or password equivalents. As you say, defining the model becomes important. In this particular scenario, we assume that the admins can be trusted not to sell password equivalents, but the actual password remains a personal and privately known string. For the stated purpose of sending private password strings over an unencrypted connection, this method does fill the need.

Even so, thanks for the pointer to SRP, it will be something I will look into more as I have time.

]]> By: Alexander E. Patrakov http://www.lightcubesolutions.com/blog/?p=47&cpage=1#comment-55 Alexander E. Patrakov Wed, 24 Dec 2008 06:24:45 +0000 http://www.lightcubesolutions.com/blog/?p=47#comment-55 The solution above has a "plaintext password equivalent" stored on the server. So, let's assume the following threat: someone steals the file with SHA1 sums of the passwords. The information in this file is sufficient to authenticate against the PHP script, using a modified JavaScript (it should be easy to rewrite using GreaseMonkey). So, if we assume this threat model, the first hash in "both server and client append the password’s hash to the random string and perform a hash sum on the combined string" is useless. Of course it does prevent the admins from looking at the passwords, but they can still sell SHA1 sums together with a GreaseMonkey thing. Thus, when discussing such security solutions, it is necessary to specify the threat model explicitly. OTOH, there is an authentication protocol that neither has a plaintext password equivalent stored on the server, nor sends the unencrypted password over the wire: SRP (<a href="http://www.ietf.org/rfc/rfc2945.txt" rel="nofollow">RFC 2945</a>). And it can be <a href="http://srp.stanford.edu/demo/demo.html" rel="nofollow">implemented with JavaScript and Java</a>. The solution above has a “plaintext password equivalent” stored on the server. So, let’s assume the following threat: someone steals the file with SHA1 sums of the passwords. The information in this file is sufficient to authenticate against the PHP script, using a modified JavaScript (it should be easy to rewrite using GreaseMonkey). So, if we assume this threat model, the first hash in “both server and client append the password’s hash to the random string and perform a hash sum on the combined string” is useless. Of course it does prevent the admins from looking at the passwords, but they can still sell SHA1 sums together with a GreaseMonkey thing. Thus, when discussing such security solutions, it is necessary to specify the threat model explicitly.

OTOH, there is an authentication protocol that neither has a plaintext password equivalent stored on the server, nor sends the unencrypted password over the wire: SRP (RFC 2945). And it can be implemented with JavaScript and Java.

]]>