[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism

Andreas Förthner andreas.foerthner at netlogix.de
Sat Jan 3 15:28:08 CET 2009 

Hi all,

finally I’ve set up a protocol draft for the new RSA authentication 
mechanism. As it is always a good idea that many eyes look at security 
related topics I'll give you a detailed overview of my ideas:

Data stored on the server:

- In the user record (DB for TYPO3 4.x): username, public key, random 
number (salt), md5 hash of password+salt (No rainbow tables should exist 
for that hash?! ...hopefully)
- Somewhere else ;-) : The private key of a user. The so called 
WalletService is responsible for managing the private key data and all 
RSA cryptography on the server.


Login process:

1. Login screen is loaded and the client can input username and password.
2. The form first sends only the username to the server (probably an 
AJAX request).
3. The server responds with the corresponding public key for the given 
username and a random number (challenge).
4. The client encrypts password+challenge with the given public key 
(this is possible with JavaScript) and sends it to the server.
5. The Login Controller hands over the following data to the 
WalletService: username, current challenge, encrypted password+challenge 
string from the client, the hash from the user record, and the salt for 
this hash.
5.1. The WalletService knows the appropriate private key for the given 
user, decrypts the given password string, compares the challenge and if 
it's correct it generates md5(decryptedPassword+givenSalt) and compares 
it to the given value from the user record. If they're also equal, it 
sends back an OK to the login controller. -> Authentication succeeded.
5.2. In any other case, authentication failed.

Note:

- The challenge has to be valid for exactly one request.
- The idea behind the WalletService is to decouple the private data. I 
plan to provide an external binary, which handles the data out of the 
PHP/Webserver scope. Of course there has to be a fallback version for 
those not able to execute the binary on their server.


Possible attack vectors (All I could imagine, please tell me everything 
you see a problem with):

- We cannot secure the browser; I see no simple solution against key 
loggers and so on. (Graphical keyboards are not very usable, right?)
- Message 1-3 from above shouldn't make any problems if someone reads 
them, right?!
- Noone can decrypt message 4.
- Replaying message 4 won't authenticate the user, as the challenge is 
no longer valid.
- We have no chance to secure the communication between the 
Login-Controller and the WalletService from the PHP scope, so this is 
part of the OS.
- If someone can read the data from the user record, the salt should 
protect the password hash.
- The whole thing is about authentication, no protection of the session 
itself. So session hijacking is still a problem.
- If someone is able to block message 4, or read it and is faster than 
the original sender, he can authenticate himself once with that data 
(Man-in-the-middle attack). The only thing to avoid that, would be 
message authentication (HMAC) but that requires a shared secret between 
client and server or client certificates, which is probably not 
manageable for most people.
- The private key data (WalletService data) has to be protected with 
your life ;-), as soon as this data is stolen the security system is 
broken. However, it is not enough to have the private key and/or the 
data from the user record to authenticate. You need a valid 
authentication message (message 4) to decrypt the password string.
- DoS: As RSA implies very expensive calculations it is needed to set 
timeouts for each authentication request. Another idea would be client 
puzzles, but this is perhaps kind of overkill, as we don't decrypt too 
much data.


Advantages:

- The data in the user record is not directly usable for authentication 
(SQL-Injections)
- You need to break the WalletService (which is quite hard, if an 
external binary is used) AND need to sniff an authentication message.


Problems:

- We definitely need JavaScript, which might be a bit ugly for "FE" Logins.
- We need two messages from the client for authentication (message 2 and 
4) which leads to AJAX requests or a two-step authentication process.


So this was quite a lot. Please comment on it, ask every security expert 
you can reach, to make the login process more secure in the future. This 
is your chance ;-)

Thanks to all!

Greets Andi

More information about the TYPO3-project-5_0-general mailing list