[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism
Marcus Krause
marcus#exp2009 at t3sec.info
Sun Jan 4 15:53:25 CET 2009
Andreas Förthner schrieb am 03.01.2009 15:28 Uhr:
> Hi all,
>
> finally I’ve set up a protocol draft for the new RSA authentication
> mechanism. As it is always a good idea that many eyes look at security
> related topics I'll give you a detailed overview of my ideas:
>
> Data stored on the server:
>
> - In the user record (DB for TYPO3 4.x): username, public key, random
> number (salt), md5 hash of password+salt (No rainbow tables should exist
> for that hash?! ...hopefully)
> - Somewhere else ;-) : The private key of a user. The so called
> WalletService is responsible for managing the private key data and all
> RSA cryptography on the server.
One weakness is the private key. You intend to create different keys for
users one single time and reuse an existing one.
Why would we want to do this? We cannot use a certification storage (in
the browser) to verify the website origin.
Therefore we could create a new key pair for each authentication request
and don't care about a super secret private key server storage. It's
possible to find a tradeoff of security (key length) and complexity
(computing time). Using openssl binary to compute a key pair on a BSD
box I was able process 40 req/s (http) meaning creation of 40 key pairs
- more to that later.
We keep track of authentication request - then every
successful/unsuccessful authentication will destroy the used key pair.
Don't focus on the salting, password hashing, etc. Have a look at
extension t3sec_saltedpw which uses an existing library and only has
small adjustments to fit in the TYPO3 world.
I mentioned a test earlier; there's already a PoC for RSA authentication
created by Michael Stucki. Have a look at
http://forge.typo3.org/issues/show/1570
Marcus.
More information about the TYPO3-project-5_0-general
mailing list