Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid

Re: Login Encryption and CGI understanding

by tinman (Curate)
on Apr 18, 2001 at 22:29 UTC ( #73619=note: print w/replies, xml ) Need Help??

in reply to Login Encryption and CGI understanding

Yes, I think your conclusions are pretty much correct..

Some comments: firstly, (and lots of ppl might not agree), I'm not so sure that the username/password combination is the only one available for most authentication jobs.
To cite an example, assume that you and the authenticator decide on a mathematical formula (ie: take number x, subtract 10, multiply by 3 etc etc). When you attempt to login, you are prompted with a number, and it is upto you (as the person attempting to login) to remember the formula, apply it to the number and return to the server. The server authentication 'remembers' the number it sent you, and it knows the formula that you agreed, its another means of authentication (but not even close to foolproof, of course)..but the point is that part of the authentication is dynamic, so chances of a replay attack are reduced...
To take this one step further, this is an interesting link I found that does something similar..

One of the references mentioned in this node is probably the most widely used means of authentication so far.. session based authentication.. Essentially, the webserver needs to cooperate and send a session key for use by the client side encryption. In this way, anybody seeing the client side encryption code still won't know the session key used in the encryption, and thus, this provides better security..

  • Comment on Re: Login Encryption and CGI understanding

Replies are listed 'Best First'.
Re: Re: Login Encryption and CGI understanding
by jwest (Friar) on Apr 19, 2001 at 02:12 UTC
    In addition to the great info that tinman has provided, a semi-popular way of making doing this is called S/Key.

    With S/Key, the person makes a request to the server, the server makes a challenge to them based on the number of S/Key challenges and a secret that they have already securely put into the machine to begin with. Using this secure secret information and the sequence number, the S/Key challenge is calculated by the server. The client then enters the S/Key challenge and the shared secret into their S/Key calculator (several are available as open source), which generates the response to their challenge.

    If they respond correctly, the server authenticates them. If not, it doesn't.

    This is one of many shared-secret types of authentication. Pretty nifty, too. The downside is, there has to be a way of getting the secret securely to you, and storing it securely which may present unique challenges all of their own.

    If you're interested still, an implementation of S/Key called OPIE (Onetime Passwords In Everything) has Perl modules available on CPAN called Authen::OPIE. Give it a look. :)

    Hope this helps!

    -><- -><- -><- -><- -><-
    All things are Perfect
        To every last Flaw
        And bound in accord
             With Eris's Law
     - HBT; The Book of Advice, 1:7

    Update: Fixed link...

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://73619]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (4)
As of 2020-08-10 06:32 GMT
Find Nodes?
    Voting Booth?
    Which rocket would you take to Mars?

    Results (56 votes). Check out past polls.