Yes, I think your conclusions are pretty much correct..
Some comments: firstly, (and lots of ppl might not agree), I'm not so sure that the username/password combination is the only one available for most authentication jobs.
To cite an example, assume that you and the authenticator decide on a mathematical formula (ie: take number x, subtract 10, multiply by 3 etc etc). When you attempt to login, you are prompted with a number, and it is upto you (as the person attempting to login) to remember the formula, apply it to the number and return to the server. The server authentication 'remembers' the number it sent you, and it knows the formula that you agreed upon...so, its another means of authentication (but not even close to foolproof, of course)..but the point is that part of the authentication is dynamic, so chances of a replay attack are reduced...
To take this one step further, this is an interesting link I found that does something similar..
One of the references mentioned in this node is probably the most widely used means of authentication so far.. session based authentication.. Essentially, the webserver needs to cooperate and send a session key for use by the client side encryption. In this way, anybody seeing the client side encryption code still won't know the session key used in the encryption, and thus, this provides better security..
HTH
| [reply] |
In addition to the great info that tinman has provided, a
semi-popular way of making doing this is called S/Key.
With S/Key, the person makes a request to the server, the
server makes a challenge to them based on the number of
S/Key challenges and a secret that they have already
securely put into the machine to begin with. Using this
secure secret information and the sequence number, the S/Key
challenge is calculated by the server. The client then
enters the S/Key challenge and the shared secret into
their S/Key calculator (several are available as open source),
which generates the response to their challenge.
If they respond correctly, the server authenticates them.
If not, it doesn't.
This is one of many shared-secret types of authentication.
Pretty nifty, too. The downside is, there has to be
a way of getting the secret securely to you, and storing
it securely which may
present unique challenges all of their own.
If you're interested still, an implementation of S/Key called
OPIE (Onetime Passwords In Everything) has Perl modules
available on CPAN called Authen::OPIE. Give it a look. :)
Hope this helps!
--jwest
-><- -><- -><- -><- -><-
All things are Perfect
To every last Flaw
And bound in accord
With Eris's Law
- HBT; The Book of Advice, 1:7
Update: Fixed link... | [reply] |
I almost hate to suggest this, but this might (emphasis on might) be a case where client-side Java (not javascript) could be appropriate. By transmitting compiled java bytecode to the browser (instead of a plaintext script) you could have at least some small semblance of control, which could help to conceal your encryption algorithm from casual snoopers.
There are also numerous techniques for concealing or obfuscating bytecode, which may or may not be worth the amount of time and trouble you'd have to invest in this endeavor. (especially if you don't already have Java experience.)
Once the login/password is encrypted, you could have the applet submit it to a Perl CGI script for authentication, which would then free you from the constraints of Java.;-) You might at this point consider using HTTPS to further secure the session.
This is probably not going to be a very popular tactic around here, since it involves using Java, but at the moment, client-side Perl is not yet feasible for most applications. I'm curious what the other Monks will have to say about this.
Hushmail uses a technique very similar to this, I believe, which makes it somewhat more difficult to intercept logins using packet sniffers. At this point, though, the biggest security risk in my opinion come from social engineering and lower-tech approaches such as simple keystroke loggers. Good luck, I'm curious how your experience goes! | [reply] |