[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism
Andreas Förthner
andreas.foerthner at netlogix.de
Sat Jan 3 18:54:36 CET 2009
Hi,
>> - Somewhere else ;-) : The private key of a user. The so called
>> WalletService is responsible for managing the private key data and all
>> RSA cryptography on the server.
> I'm not sure about what this does to the end user.
> He has to install a software on his computer communicating with TYPO3?
I'm not sure how complex the WalletService will be, I have some variants
in mind. Perhaps we'll have more than one version. I'll have to look at
the C libraries and their needs, after figuring out the definitive
features of the service.
> If so, I think it's much too complicated and will lead to user loss in
> the community I think. Would be a start of a client sided backend software.
True. We'll need some kind of
its-not-that-secure-but-you-are-a-poor-person-that-cannot-use-the-great-binary-WalletService.
> Not allowing logins without ssl would be more helping.
SSL is never a bad idea, but that is only channel security,
authentication is more than that. But you can wrap SSL around the whole
RSA system, then it might be even better ;-)
> For FE it is too much overload in any case... Imagine most installations
> work with plain text right now (what I think is very stupid).
Yep, that's very stupid. We'll have to find a good solution for it.
Perhaps RSA won't be the default way for the FE.
> Using JavaScript in FE I do also think is no problem.
Ok, good to hear ;-)
> Some brainstorming about the login topic:
>
> In the backend we may provide a Login solution using Flash (Displaying
> the form, calculating hash values, doing Ajax interaction) which might
> fasten calculation and would not present calculating code opened up on
> every page but only in SVN for lookup.
Hm, that's a bit security by obscurity. The bad boy will also look into
the svn sources, if he needs to. So I think there is no real security gain.
> Inhouse we have a database which IP is allowed on which MAC-Address.
> And to which user it is registered. So I authenticate (FE&BE) Users by
> a valid IP/MAC combination (own auth service). Over internet this would
> be difficult because of changing the ip, but admins might have the
> possibility to restrict editors' MAC addresses (yes I know that someone
> might change the MAC of his NIC)
Besides that this is not really possible for the internet, is it really
secure? Spoofing MAC addresses shouldn't be a problem, right?! But maybe
I don't get the whole system, there are great things possible on this
level. -> IPSec
> Most browsers are able to change their user agent string...
> So session hijacking could be prevented by including the useragents
> string into the session comparison. AND it would be even more secure if
> typo3 BE would provide (f.e. every month) an .reg on for win or script
> on other OSes, changing an random flag in the user agent string...
Hm but that's a really easy one to spoof, right? And quite complicated
to administrate. But nice idea, I'll have it in my mind...
> so long
> keep on rocking 5.0
Thanks a lot!
Greets Andi