I haven't posted for ages - nothing really meaningful, anyway. I don't feel too badly about this. But i feel a sudden urge to want to make a little update
( Read more... )
Um, just thought I'd point out you've just posted a description of your possible authentication in a public journal entry, which could be really useful in the future for anyone trying to crack it
( ... )
Not that I've actually done any of this sort of stuff, just an intellectual exercise, but given enough sniffed attempts you could also crack it using statistical methods without the key string, but that's a bit more advanced and I hate statistics :)
Oh, well the order string would change with each authentication request. That was just an example. Yeah i like your idea of encrypting it against something first.
I suffered for a while from the deluded belief that HTTP Basic Authentication was secure ... oh dear, was i wrong! Plus i don't think Yahoo! Widgets or Google gadgets even support Basic Authentication, which upsets my plans somewhat! ;)
Don't try and invent your own security protocol. You will get it wrong: everyone does. It will be weak, somewhere. Use a published method. Whats wrong with basic auth over an encrypted channel? Also with your method, what's to stop me pretending to be mychores.co.uk (suprisingly easy), and asking anyone who connects to authenticate against 1,2,3,4,5,6,7,8,9,... ? Security needs to go both ways. Sorry if this sounds harsh, but EVERYONE thinks they can do security protocols, and actually NOONE can.
Covey. p.s. sorry to hear you aren't coming to our wedding. xx
Hmm, is that easy, to set up an encrypted channel? I'm actually clutching at straws here because i know so little about security and authentication algorithms. I'm grateful for your input.
I'm really sorry not to be able to come to your wedding. We were hoping to be able to hire a car and stay overnight with my uncle, but that didn't work out. I wish you both the very best.
It can be a pain in the ass to set up an SSL webserver, and potentially expensive to buy the fully qualified certificate. You can make your own equally secure snake-oil certificate easily enough though.
As for a decent algorithm, CRAM-MD5 looks to be something you would want to look at - in short, you send the client a random string, they MD5 the password in Javascript in the browser, then MD5 it again with the string. Meantime, you get the pre-MD5'd password from your DB, perform the same MD5 with the same random string and compare them - if they are the same, they have the right password.
I guess that CRAM-MD5 won't work for me because all the passwords are SHA'd in the database. Aha, i like the idea of hashing with a random salt each time, and storing the hash result plus the salt that was used. That's an avenue worth exploring. Many thanks! :)
Comments 10
Reply
Reply
I suffered for a while from the deluded belief that HTTP Basic Authentication was secure ... oh dear, was i wrong! Plus i don't think Yahoo! Widgets or Google gadgets even support Basic Authentication, which upsets my plans somewhat! ;)
Reply
http://en.wikipedia.org/wiki/Portal:Cryptography and the Crypto FAQ, http://www.mindspring.com/~schlafly/crypto/faq.htm
Reply
Also with your method, what's to stop me pretending to be mychores.co.uk (suprisingly easy), and asking anyone who connects to authenticate against
1,2,3,4,5,6,7,8,9,... ?
Security needs to go both ways.
Sorry if this sounds harsh, but EVERYONE thinks they can do security protocols, and actually NOONE can.
Covey.
p.s. sorry to hear you aren't coming to our wedding.
xx
Reply
I'm really sorry not to be able to come to your wedding. We were hoping to be able to hire a car and stay overnight with my uncle, but that didn't work out. I wish you both the very best.
Reply
As for a decent algorithm, CRAM-MD5 looks to be something you would want to look at - in short, you send the client a random string, they MD5 the password in Javascript in the browser, then MD5 it again with the string. Meantime, you get the pre-MD5'd password from your DB, perform the same MD5 with the same random string and compare them - if they are the same, they have the right password.
Some sources to get you started:
http://en.wikipedia.org/wiki/CRAM-MD5
http://pajhome.org.uk/crypt/md5/auth.html and
http://del.icio.us/search/?fr=del_icio_us&p=javascript+md5+&type=all
Reply
I guess that CRAM-MD5 won't work for me because all the passwords are SHA'd in the database. Aha, i like the idea of hashing with a random salt each time, and storing the hash result plus the salt that was used. That's an avenue worth exploring. Many thanks! :)
Reply
Leave a comment