[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism

Andreas Förthner andreas.foerthner at netlogix.de
Sat Jan 3 18:54:36 CET 2009


Hi,

>> - Somewhere else ;-) : The private key of a user. The so called 
>> WalletService is responsible for managing the private key data and all 
>> RSA cryptography on the server.
> I'm not sure about what this does to the end user.
> He has to install a software on his computer communicating with TYPO3?

I'm not sure how complex the WalletService will be, I have some variants 
in mind. Perhaps we'll have more than one version. I'll have to look at 
the C libraries and their needs, after figuring out the definitive 
features of the service.

> If so, I think it's much too complicated and will lead to user loss in 
> the community I think. Would be a start of a client-sided backend software.

True. We'll need some kind of 
its-not-that-secure-but-you-are-a-poor-person-that-cannot-use-the-great-binary-WalletService.

> Not allowing logins without ssl would be more helping.

SSL is never a bad idea, but that is only channel security, 
authentication is more than that. But you can wrap SSL around the whole 
RSA system, then it might be even better ;-)

> For FE it is too much overload in any case... Imagine most installations 
> work with plain text right now (what I think is very stupid).

Yep, that's very stupid. We'll have to find a good solution for it. 
Perhaps RSA won't be the default way for the FE.

> Using JavaScript in FE I do also think is no problem.

Ok, good to hear ;-)

> Some brainstorming about the login topic:
> 
> In the backend we may provide a Login solution using Flash (Displaying 
> the form, calculating hash values, doing Ajax interaction) which might 
> fasten calculation and would not present calculating code opened up on 
> every page but only in SVN for lookup.

Hm, that's a bit security by obscurity. The bad boy will also look into 
the svn sources, if he needs to. So I think there is no real security gain.

> In-house we have a database which IP is allowed on which MAC address.
> And to which user it is registered. So I authenticate (FE&BE) users by 
> a valid IP/MAC combination (own auth service). Over internet this would 
> be difficult because of changing the IP, but admins might have the 
> possibility to restrict editors' MAC addresses (yes I know that someone 
> might change the MAC of his NIC)

Besides that this is not really possible for the internet, is it really 
secure? Spoofing MAC addresses shouldn't be a problem, right?! But maybe 
I don't get the whole system, there are great things possible on this 
level. -> IPSec

> Most browsers are able to change their user agent string...
> So session hijacking could be prevented by including the useragents 
> string into the session comparison. AND it would be even more secure if 
> typo3 BE would provide (f.e. every month) an .reg on for win or script 
> on other oses, changing an random flag in the user agent string...

Hm but that's a really easy one to spoof, right? And quite complicated 
to administrate. But nice idea, I'll have it in my mind...

> so long
> keep on rocking 5.0

Thanks a lot!

Greets Andi

