[TYPO3-dev] Password handling (Regarding youngest security issues)

Niels Fröhling niels.froehling at adsignum.com
Fri Nov 14 23:07:18 CET 2008


Martin Kutschker wrote:
>
>
> But that means you have to store subsets for all possible mechanisms.
> HTTP auth uses only Digest-MD5 but for protocols like IMAP there are
> many variants of the general idea. If you want to support them all
> easily, you are back to the old plain password storing :(
>   

 Yes. And no. It just needs to be a bi-directional encryption instead of 
uni-directional scrambling. Ideally it's asymmetric. If you are able to 
tunnel IMAP through your authenticated channel, you can also 
superimpose your desired security-strength on IMAP. If not, you're 
stuck. Or you quit IMAP support.

 Just a very simple example: imagine you would not store the scrambled 
password, but you use the scrambled password to encrypt the token which 
identifies and authorizes you. The security-issue of the channel stays 
the same, but the storage has no issue anymore, it can't be reversed 
generically.

>   
>> A possibility would be:
>>
>> HA1 = MD5(username:realm:password)
>>
>> in which case "realm" represents your salt, but also the readable
>> access-point.
>> So just don't develop any wild algorithms that will break existing
>> communication-channel authentications.
>> I for example had implementation-problems for http-auth for BE-users,
>> because md5(pass) is completely useless for calculating the digest.
>>     
>
> As I have said, you will end up with pre-calculate data for every
> authentication scheme you want to support.
>   

 If for a web-based system you want to support web-based standardized 
authentication schemes, and you have no ability to tunnel the 
communication-channel, or hook into the application's 
authentication-scheme: Yes!
 Or use SSL+public/private key everywhere. Almost all web-based systems 
support authentication and channel-encryption via SSL-key.
> Masi

Ciao
    Niels
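The HA1 point in the quoted exchange, worked through as an added example (this is not code from the original post or from TYPO3; usernames, realm, nonce and password are constructed sample values). It follows RFC 2617 Digest with qop="auth": the client derives HA1 from the plaintext password, a server that stores HA1 can verify the response without ever seeing the password, a server that only stores md5(password) cannot, and the same credentials under another realm give a different HA1, which is why the realm acts as the salt.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    """MD5 hex digest of a UTF-8 string, as RFC 2617 Digest auth uses everywhere."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).

    This is the only per-user value a Digest-capable server needs to keep;
    the realm binds it to one protection space.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri) for qop="auth"."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_hex: str, nonce: str, nc: str, cnonce: str,
                    qop: str, ha2_hex: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop="auth"."""
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_hex}")


def client_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """What the browser sends: it holds the plaintext password and derives HA1 itself."""
    return digest_response(ha1(username, realm, password),
                           nonce, nc, cnonce, qop, ha2(method, uri))


def server_verify(stored_secret, method, uri, nonce, nc, cnonce, qop, response):
    """Server-side check that plugs whatever is stored for the user in as HA1.

    Succeeds when the store holds HA1; necessarily fails when it holds
    md5(password), because HA1 cannot be derived from that value.
    """
    expected = digest_response(stored_secret, nonce, nc, cnonce, qop, ha2(method, uri))
    return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample values; none of these come from the original post.
    user, realm, password = "admin", "TYPO3 Backend", "correct horse battery"
    method, uri = "GET", "/typo3/index.php"
    nonce, nc, cnonce, qop = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth"

    response = client_response(user, realm, password, method, uri, nonce, nc, cnonce, qop)

    # Store the realm-bound HA1 instead of md5(password): verification works
    # and the plaintext password is never needed on the server.
    stored_ha1 = ha1(user, realm, password)
    ok_with_ha1 = server_verify(stored_ha1, method, uri, nonce, nc, cnonce, qop, response)

    # Store only md5(password): the best the server can do is try it in HA1's
    # place, and that can never match what the client computed.
    stored_md5_pass = md5_hex(password)
    ok_with_md5_pass = server_verify(stored_md5_pass, method, uri, nonce, nc, cnonce, qop, response)

    # The realm is part of HA1, so the same user and password under another
    # realm produce a different HA1 that does not verify against this response.
    ha1_other_realm = ha1(user, "Other Realm", password)
    ok_other_realm = server_verify(ha1_other_realm, method, uri, nonce, nc, cnonce, qop, response)

    return {"ha1": ok_with_ha1, "md5_pass": ok_with_md5_pass, "other_realm": ok_other_realm}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: a stored HA1 is a password-equivalent for that realm (whoever reads it can answer Digest challenges without knowing the password), and MD5 with a realm as salt is fast to brute-force, so the table holding HA1 values needs the same protection as one holding plaintext passwords.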
