Overview
Examples
Screenshots
Comparisons
Applications
Download
Documentation
Tutorials
Bazaar
Status & Roadmap
FAQ
Authors & License
Forums
Funding Ultimate++
Search on this site
Search in forums












SourceForge.net Logo
Home » Community » Coffee corner » Safe web authentication (Looking for help and ideas from the great U++ community...)
Safe web authentication [message #44313] Sat, 21 February 2015 22:44 Go to previous message
dolik.rce is currently offline  dolik.rce
Messages: 1789
Registered: August 2008
Location: Czech Republic
Ultimate Contributor
Hi everyone!

TL;DR version: Looking for a method of secure authentication on insecure network to be implemented in U++ Skylark.

After writing a couple projects in Skylark, I found myself again and again thinking about the same thing: How to handle authentication?

There is currently no support for user registration and login in Skylark, even though it is a very common task. I had to implement it couple times, every time slightly different, but I never 100% liked it. So that is problem number one... The solution to this is actually quite simple, I could easily take one of my implementations, turn it into simple package, let's say Skylark/Login, and let everyone reuse it instead of reinventing the wheel all the time.

The real problem - let's call it problem number two - is what exactly should this package do. As I already said, I implemented various solutions and many more authentication algorithms exist, some of which I probably never heard of. I guess that to have something universal, it should be actually simple. The first thing that comes to mind is probably the most common scheme: client sends password, server combines it with some salt and computes a hash, which is then compared to the value stored in database.

This is simple to implement, but it doesn't seem secure enough to me. First of all, the password is send to the server. This is usually solved by using HTTPS, but that does not always guarantee safety (especially after the recent Lenovo Superfish scandal). So I'd be much happier to use some more advanced challenge-response algorithm, possibly encryption based one, which doesn't require to send any sensitive information over the network. There is many such protocols, but even after hours of googling and reading cryptography articles I haven't found anything that could be easily used in web environment. Most of the algorithms rely on preshared secret keys and do not address the problem of user registration.

It really bugs me that I can't figure this out. So I'm finally getting to the point of this post: I'd like to ask for your opinions and/or tips on how to implement the "Ultimate authentication"? (pun intended Wink ).

To sum it up, I'm looking to implement user registration and login procedure that:
  • Can be used in regular web browser (that is only html and javascript on the client side)
  • Doesn't send password (or its equivalent) with the request, so it can be used on unsafe networks
  • Is not vulnerable to MITM, replay and similar attacks
  • Doesn't require user to use other services or devices (that rules out oauth, OTP tokens etc.)
Your ideas are more than welcomed Wink

Best regards,
Honza

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Free IT related books - Packt Publishing
Next Topic: upp-x11-src-9360.tar.gz typo on domake
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Fri Apr 19 10:30:02 CEST 2024

Total time taken to generate the page: 0.02105 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.5.
Copyright ©2001-2013 FUDforum Bulletin Board Software