[TYPO3-dev] Password handling (Regarding youngest security issues)
Niels Fröhling
niels.froehling at adsignum.com
Fri Nov 14 23:07:18 CET 2008
Martin Kutschker wrote:
>
>
> But that means you have to store subsets for all possible mechanisms.
> HTTP auth uses only Digest-MD5 but for protocols like IMAP there are
> many variants of the general idea. If you want to support them all
> easily, you are back to the old plain password storing :(
>
Yes. And no. It just needs to be a bi-directional encryption instead of
uni-directional scrambling. Ideally it's asymmetric. If you are able to
tunnel IMAP through your authenticated channel, you can also
super-impose your desired security-strength on IMAP. If not, you're
stuck. Or you quit IMAP support.
Just a very simple example: imagine you would not store the scrambled
password, but used the scrambled password to encrypt the token which
identifies and authorizes you. The security-issue of the channel stays
the same, but the storage has no issue anymore, it can't be reversed
generically.
>
>> A possibility would be:
>>
>> HA1 = MD5(username:realm:password)
>>
>> in which case "realm" represents your salt, but also the readable
>> access-point.
>> So just don't develop any wild algorithms that will break existing
>> communication-channel authentications.
>> I for example had implementation-problems for http-auth for BE-users,
>> because md5(pass) is completely useless for calculating the digest.
>>
>
> As I have said, you will end up with pre-calculated data for every
> authentication scheme you want to support.
>
If for a web-based system you want to support web-based standardized
authentication schemes, and you have no ability to tunnel the
communication-channel, or hook into the application's
authentication-scheme: Yes!
Or use SSL+public/private key everywhere. Almost all web-based systems
support authentication and channel-encryption via SSL-key.
> Masi
Ciao
Niels
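Added example, not part of the original mail or of TYPO3's code: HTTP Digest authentication (RFC 2617, qop="auth") verified on the server side from a stored HA1 = MD5(username:realm:password), which is the storage format the thread proposes. It also shows why a store holding md5(password) alone cannot verify a Digest response. The realm name, user, password, nonce and URI are constructed sample values; MD5 is used because the Digest scheme mandates it, not as a recommendation.

```python
import hashlib
import hmac
import secrets

REALM = "typo3-backend"  # assumed realm name; it doubles as the salt in HA1


def md5_hex(s: str) -> str:
    """Hex MD5 as required by the HTTP Digest scheme (RFC 2617)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the only value the server must keep."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth:
    HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(username, password, realm, method, uri, nonce,
                     nc="00000001", cnonce=None):
    """Client side: the only party that holds the plaintext password.
    Returns the parameters it would send in the Authorization header."""
    if cnonce is None:
        cnonce = secrets.token_hex(8)
    ha1 = compute_ha1(username, realm, password)
    return {
        "username": username, "realm": realm, "nonce": nonce, "uri": uri,
        "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, nonce, nc, cnonce),
    }


def server_verify(params, method, request_uri, user_store):
    """Server side: recompute the response from the stored HA1 only.
    user_store maps (username, realm) -> stored credential string."""
    if params.get("uri") != request_uri:
        return False  # digest must cover the URI actually requested
    stored = user_store.get((params.get("username"), params.get("realm")))
    if stored is None:
        return False
    expected = digest_response(stored, method, params["uri"], params["nonce"],
                               params["nc"], params["cnonce"],
                               params.get("qop", "auth"))
    return hmac.compare_digest(expected, params["response"])


# Constructed sample credentials and server nonce.
USERNAME = "admin"
PASSWORD = "correct horse battery staple"
NONCE = "5f1a9c0e3b7d42a18c6e2f0b9d4a7c31"
URI = "/typo3/index.php"

# Store keeping HA1: Digest responses can be verified.
HA1_STORE = {(USERNAME, REALM): compute_ha1(USERNAME, REALM, PASSWORD)}

# Store keeping md5(password) instead: the server cannot derive HA1 from it.
MD5_PASSWORD_STORE = {(USERNAME, REALM): md5_hex(PASSWORD)}


def demo():
    """Run one Digest exchange against both stores and a tampered request."""
    params = client_authorize(USERNAME, PASSWORD, REALM, "GET", URI, NONCE,
                              cnonce="0a4f113b")
    return {
        "ha1_store": server_verify(params, "GET", URI, HA1_STORE),
        "md5_password_store": server_verify(params, "GET", URI, MD5_PASSWORD_STORE),
        "tampered_uri": server_verify(params, "GET", "/typo3/other.php", HA1_STORE),
    }


if __name__ == "__main__":
    print(demo())
```

The md5(password) store fails not because of a bug but structurally: HA1 binds username, realm and plaintext password inside one hash, so nothing derived from the password alone can reproduce it. Any scheme that wants Digest support therefore has to keep HA1 per realm, which is exactly the "pre-calculated data per authentication scheme" the thread describes.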