Re: Secure web authentication system w/o SSL and PKI
- From: Yong Kwang <gohyongkwang@xxxxxxxxxxx>
- Date: Sun, 10 Feb 2008 18:22:12 -0800 (PST)
Hi Gerald,
Thanks for sharing your insight on this issue. I believe my own design
is full of loopholes anyway. :)
Just to add some comments to your reply.
On Feb 10, 8:09 pm, Gerald Vogt <v...@xxxxxxxxxxx> wrote:
On Feb 10, 8:33 pm, Yong Kwang <gohyongkw...@xxxxxxxxxxx> wrote:
I've been researching on whether it is possible to have a secure web
application authentication system without the availability of SSL but
Authentication has nothing to do with SSL. You can use SSL to
authenticate. But that's it.
Yes. I do agree. I guess in my posting, I wasn't clear on what my
system can do specifically and I lumped together user account
registration, user log-in and user password change together in 1
system. Technically, SSL provides an encrypted channel to facillitate
authentication and transmission of sensitive data over insecure
network (i.e. Internet).
The reason for my efforts is that I'm currently using a free PHP
hosting package and thus, there is no SSL option provided. This is
understandable due to cost of providing SSL certificates.
SSL certificates cost nothing. You can easily set up your own CA with
openssl or use a free CA. SSL certificates signed by a CA which has
its CA certificates preinstalled in standard browsers cost money. But
if you give out certificates to people to use your own services there
is no problem using your own CA.
For free web hosting accounts, so far I have not heard of the hosting
company allowing their users to install their own certificates
(whether signed by CA or self-generated) or offering HTTPS in the
first place. That was my point when I mentioned that I do not have
access to SSL HTTPS to create a secure channel for handling log-in
authentication and password change, even when I feel it is required.
Yes. I'm back to puzzling over the old problem in the 1960s and 1970sGiven the above limitations, I wonder if a secure web authentication
mechanism is still possible and if there is any concepts from
established authentication protocols based on symmetric encryption and
MD5/SHA-1 digest that I can recycle and leverage on.
Why do you want symmetric encryption? Even SSL does not use symmetric
encryption for authentication or authorization. Certificates are based
on asymmetric encryption. Really secure authentication only based on
symmetric encryption requires off-band exchange of the symmetric key.
of key exchange and distribution when only symmetric encryption was
available and asymmetric encryption wasn't invented. When I do not
have access to RSA or Diffie-Hellman key exchange, the closest to
scramble my password to prevent transmission in the clear is only
symmetric encryption. But how to share the secret key to decrypt the
password on the other end, this I've no answer.
I would highly recommend not to develop your own security functions.
It is futile. Even the best make mistakes at times and create security
algorithms which are flawed as various examples in the past have
shown. It is best to use existing functions like for SSL or PGP or
similar. I guess there should be some implementations for that in PGP
as well. However, I guess it won't really work in PHP as asymmetric
encryption requires some number crunching which is slow when scripted
in PHP. It depends on your ISP which libraries are available in PHP.
Agree totally. Just trying to work around some constraints in
resources that I have based on what the hosting company is willing to
provide for free. I haven't checked if the PHP mcrypt library is
installed and available instead of spinning my own cryptographic
implementation. (*gasp* no time plus no expertise)
Thus I would either suggest you find an ISP which allows you to use
the functions you require (e.g. SSL) or you just do a simple standard
password setup and don't worry about the rest. For any normal average
person it is futile to create its own secure algorithm. A correct,
systematic approach to develop that requires a lot of experience and
knowledge. Without the knowledge it won't be secure and thus it is not
really worth it waisting your time to come up with something which you
believe is secure. But that's maybe only my opinion....
Gerald
Agree as well. Experts like Bruce Schnier has spent decades working on
encryption algorithms, and there're experts working on other areas
like key exchange problems for many years. A novice should never
attempt to develop new security protocol and system on his own and
think it is secure. Taking a 6 months or 1 year computer security
module does not make a person an expert. However, I guess it does boil
down to the confidentiality and value of the information I'm trying to
protect too. Since I'm not trying to protect ultra-secret or top-
secret national secret, a simple system may just suffice for its
purpose.
.
- References:
- Secure web authentication system w/o SSL and PKI
- From: Yong Kwang
- Re: Secure web authentication system w/o SSL and PKI
- From: Gerald Vogt
- Secure web authentication system w/o SSL and PKI
- Prev by Date: SquiggleSR : fox Google and Yahoo!
- Next by Date: Mind Control "mailteam" works-- victims work trends
- Previous by thread: Re: Secure web authentication system w/o SSL and PKI
- Next by thread: Re: Secure web authentication system w/o SSL and PKI
- Index(es):
Relevant Pages
|
