[144251] in cryptography@c2.net mail archive
Re: how to properly secure non-ssl logins (php + ajax)
daemon@ATHENA.MIT.EDU (Ivan Krstić)
Fri Feb 20 12:31:56 2009
Cc: cryptography@metzdowd.com
From: Ivan Krstić <krstic@solarsail.hcs.harvard.edu>
To: Rene Veerman <rene7705@gmail.com>
In-Reply-To: <49980AE9.6050001@gmail.com>
Date: Tue, 17 Feb 2009 20:36:40 -0500
On Feb 15, 2009, at 7:30 AM, Rene Veerman wrote:
> Recently, on both the jQuery(.com) and PHP mailinglists, a question
> has arisen on how to properly secure a login form for a non-ssl web-
> application.
What's the threat model?
> users[user_id].user_login_hash = onewayHash(user_login_name +
> preferences.pref_system_hash);
That you're hashing the username suggests you're worried about
eavesdroppers identifying the user at login time. But without SSL,
it'll almost certainly be trivial for an eavesdropper to identify the
user _after_ they login. What's the threat model?
> //checks since when [browser IP] has last received a new challenge,
> if < threshold : make a new challenge. else return old challenge.
It is incorrect to rely on a bijection between IPs and users.
> "preferences.pref_system_hash">
What you're calling a system hash is usually referred to as salt.
> // walk through all the records in users table, for each, calculate:
This is a completely broken approach, and prohibitive for applications
with more than a handful of users.
I suggest you start by trying to write down a clear, brief and
coherent threat model. Once that's done, you can solicit feedback
until you're satisfied with the definition of what you're trying to
build. Once you can focus on implementation, I suggest looking at
things like bcrypt, PBKDF2, and SRP as background reading.
Cheers,
--
Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org
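As an added illustration of two points raised in this reply (a per-user salt rather than one "system hash", and a direct lookup by login name instead of walking every record in the users table), here is a small server-side password store built on PBKDF2, one of the three primitives Krstić names. This is example code written for this archive page, not code from either correspondent; the names `users`, `register`, `verify_login`, `derive_key` and `same_password_different_hashes` are assumptions, and the in-memory `users` dictionary stands in for a database table. Note what it does not do: it verifies a password the server already holds, so it says nothing about protecting the login exchange on a non-SSL connection, which is exactly the threat-model question the reply asks first.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 200_000

# Constructed stand-in for the users table, keyed by login name so that a
# login does a single lookup instead of walking every record.
users: dict[str, dict] = {}


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password with PBKDF2-HMAC-SHA256 and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def register(user_login_name: str, password: str) -> None:
    """Store salt, iteration count and derived key; never the password itself."""
    salt = os.urandom(16)  # fresh random salt per user, not one system-wide value
    users[user_login_name] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": derive_key(password, salt),
    }


def verify_login(user_login_name: str, password: str) -> bool:
    """Look the user up directly and compare the re-derived key in constant time."""
    record = users.get(user_login_name)
    if record is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal whether a login name exists.
        derive_key(password, b"\x00" * 16)
        return False
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def same_password_different_hashes(name_a: str, name_b: str) -> bool:
    """True when two stored hashes differ; shows why a per-user salt matters."""
    return users[name_a]["hash"] != users[name_b]["hash"]


if __name__ == "__main__":
    # Constructed sample accounts; two users deliberately share a password.
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")
    print(verify_login("alice", "correct horse battery staple"))  # True
    print(verify_login("alice", "wrong password"))                # False
    print(verify_login("carol", "anything"))                      # False
    print(same_password_different_hashes("alice", "bob"))         # True
```

The per-user salt is what makes the last check true: with a single system-wide salt, every account sharing a password would store the same hash, and a precomputed table for that salt would cover all of them at once. Storing the iteration count beside the hash lets the work factor be raised later for new registrations without invalidating existing records.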
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com