Re: Secure web authentication system w/o SSL and PKI
- From: Gerald Vogt <vogt@xxxxxxxxxxx>
- Date: Sun, 10 Feb 2008 04:09:50 -0800 (PST)
On Feb 10, 8:33 pm, Yong Kwang <gohyongkw...@xxxxxxxxxxx> wrote:
> I've been researching on whether it is possible to have a secure web
> application authentication system without the availability of SSL but
Authentication has nothing to do with SSL. You can use SSL to
authenticate. But that's it.
> The reason for my efforts is that I'm currently using a free PHP
> hosting package and thus, there is no SSL option provided. This is
> understandable due to cost of providing SSL certificates.
SSL certificates cost nothing. You can easily set up your own CA with
openssl or use a free CA. SSL certificates signed by a CA which has
its CA certificates preinstalled in standard browsers cost money. But
if you give out certificates to people to use your own services there
is no problem using your own CA.
> Given the above limitations, I wonder if a secure web authentication
> mechanism is still possible and if there is any concepts from
> established authentication protocols based on symmetric encryption and
> MD5/SHA-1 digest that I can recycle and leverage on.
Why do you want symmetric encryption? Even SSL does not use symmetric
encryption for authentication or authorization. Certificates are based
on asymmetric encryption. Really secure authentication only based on
symmetric encryption requires off-band exchange of the symmetric key.
I would highly recommend not to develop your own security functions.
It is futile. Even the best make mistakes at times and create security
algorithms which are flawed as various examples in the past have
shown. It is best to use existing functions like for SSL or PGP or
similar. I guess there should be some implementations for that in PGP
as well. However, I guess it won't really work in PHP as asymmetric
encryption requires some number crunching which is slow when scripted
in PHP. It depends on your ISP which libraries are available in PHP.
Thus I would either suggest you find an ISP which allows you to use
the functions you require (e.g. SSL) or you just do a simple standard
password setup and don't worry about the rest. For any normal average
person it is futile to create their own secure algorithm. A correct,
systematic approach to develop that requires a lot of experience and
knowledge. Without the knowledge it won't be secure and thus it is not
really worth it wasting your time to come up with something which you
believe is secure. But that's maybe only my opinion....
Gerald
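What "set up your own CA with openssl" looks like in practice, as an added example that is not part of Gerald's post: it creates a private root CA, issues a server certificate for a constructed hostname, and then verifies chain and hostname the way a browser that has the CA certificate installed would. It assumes the openssl command-line tool is available; all names and paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.
set -eu

# Build a private CA and issue one server certificate into directory $1.
# $2 is the server hostname (constructed for the example).
make_private_ca() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # 1. CA key plus self-signed root certificate. ca.crt is the file
    #    users would import into their browser's trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and certificate signing request (CSR).
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the CSR with the CA key. Browsers match the hostname
    #    against subjectAltName, so it is added via an extension file.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Verify that $2 chains to the CA certificate $1 and is valid for
# hostname $3. Exit status 0 means the certificate would be accepted.
verify_server_cert() {
    ca="$1"; cert="$2"; host="$3"
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" \
        >/dev/null 2>&1
}
```

The only secret that must stay private is ca.key; handing out ca.crt to users is exactly the out-of-band trust step the post describes.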