[TYPO3-project-4-3] Making RSA Auth default login method?

Ingmar Schlecht ingmar at typo3.org
Mon May 4 21:06:53 CEST 2009


Hi Francois,

Francois Suter wrote:
> Hi,
> 
>> as you might have noticed, Dmitry today committed the RSA Auth
>> extension, so a fully encrypted login procedure will be possible even
>> without HTTPS with TYPO3 4.3.
> 
> I must say I didn't dig into Dmitry's patch and I have no idea how this
> new authentication service works. I saw a mention of private key/public
> key, so does it mean that keys must be at some point generated and
> exchanged? If this is the case how can TYPO3 work with RSA auth out of
> the box?
> 
> Could you detail how this works?

A new private/public key pair is generated for each login, so there's no
need for manual key generation.

It works like this:

- client goes to the login page
- server generates new private/public key pair, saves the private key to
a temporary storage and prints out the login page with the public key to
the client
- user enters her password, the clear text password then gets encrypted
with the public key by JavaScript and submitted to the server
- the server fetches the private key again from the temporary storage
and decrypts the password, so it has the clear text password
- the server can then do things like applying md5() or adding a salt and
then apply md5() (or any other hashing mechanism) and compare the result
of that to what's in the database

The big new thing here compared to good old superchallenged login is
that the server now always gets submitted the clear text password, so
the md5()-hashing (+ salting etc.) doesn't take place on the client side
but on the server side.

That way it's no longer possible to log in with what is stored in the
database. So if there's a blind SQL injection vulnerability in one of
your extensions, and someone manages to read out the MD5 value of the
backend user's passwords, that still can't be used to log into the
system because you need the clear text password. This advantage gets
even bigger when salting is used.

So it solves two essential problems:
 - an attacker can't login with the hash that's stored in the database
 - you can't find out the password by sniffing the network traffic
   between the client and the server

cheers
Ingmar