[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism
Andreas Förthner
Andreas.Foerthner at netlogix.de
Wed Jan 7 14:52:19 CET 2009
Hi,
> One weakness is the private key. You intend to create different keys for
> users one single time and reuse an existing one.
> Why would we want to do this? We cannot use a certification storage (in
> the browser) to verify the website origin.
> Therefore we could create a new key pair for each authentication request
> and don't care about a super secret private key server storage.
Yes I thought about that, too. Perhaps we really should go this way. But
I would still combine it with the possibility of an external
WalletService, as we have to store the private key somewhere (at least
for a few seconds), and it's even more secure to not have it in the DB
or session.
> It's possible to find a tradeoff of security (key length) and complexity
> (computing time). Using openssl binary to compute a key pair on a BSD
> box I was able process 40 req/s (http) meaning creation of 40 key pairs
> - more to that later.
Ok, that sounds promising. I'll check that.
> We keep track of authentication request - then every
> successful/unsuccessful authentication will destroy the used key pair.
> Don't focus on the salting, password hashing, etc. Have a look at
> extension t3sec_saltedpw which uses an existing library and only has
> small adjustments to fit in the TYPO3 world.
Hm, I fear it won't fit that easy for 5.0, but I'll have a look at it,
thanks.
> I mentioned a test earlier; there's already a PoC for RSA authentication
> created by Michael Stucki. Have a look at
> http://forge.typo3.org/issues/show/1570
Yes, I have the implementation.
Thanks for your support.
Greets Andi
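The per-request scheme discussed in the quoted paragraphs (a fresh key pair for every login form, the private key kept only in memory for a few seconds, and the pair destroyed after the first successful or unsuccessful attempt) written out as an added Go example. This is not code from the thread, from Michael Stucki's PoC, or from TYPO3; the KeyStore type, its method names, the request id format and the sample password are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"sync"
	"time"
)

// pendingKey is the server-side half of one authentication request.
type pendingKey struct {
	priv    *rsa.PrivateKey
	created time.Time
}

// KeyStore keeps one ephemeral RSA key pair per pending login request.
// Nothing is persisted: the private key exists only in memory and only until
// the request is finished or expires. (Hypothetical type, not TYPO3 code.)
type KeyStore struct {
	mu      sync.Mutex
	bits    int           // key length: the security vs. computing-time tradeoff
	ttl     time.Duration // how long an unfinished request may keep its key
	pending map[string]pendingKey
}

func NewKeyStore(bits int, ttl time.Duration) *KeyStore {
	return &KeyStore{bits: bits, ttl: ttl, pending: make(map[string]pendingKey)}
}

// Begin generates a fresh key pair for one login form, stores the private key
// under a random request id, and returns the id plus the PEM public key that
// the form embeds for the browser. Expired keys are pruned on every call.
func (s *KeyStore) Begin() (string, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, s.bits)
	if err != nil {
		return "", nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	id := hex.EncodeToString(raw)

	s.mu.Lock()
	defer s.mu.Unlock()
	for old, e := range s.pending { // drop keys of requests never finished
		if time.Since(e.created) > s.ttl {
			delete(s.pending, old)
		}
	}
	s.pending[id] = pendingKey{priv: priv, created: time.Now()}
	return id, pubPEM, nil
}

// Finish consumes the request: the key pair is deleted before decryption is
// even attempted, so every request is usable exactly once, success or failure.
func (s *KeyStore) Finish(id string, ciphertext []byte) ([]byte, error) {
	s.mu.Lock()
	entry, ok := s.pending[id]
	delete(s.pending, id)
	s.mu.Unlock()
	if !ok {
		return nil, errors.New("unknown or already used request id")
	}
	if time.Since(entry.created) > s.ttl {
		return nil, errors.New("request expired")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, entry.priv, ciphertext, nil)
}

// Pending reports how many private keys are currently held in memory.
func (s *KeyStore) Pending() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.pending)
}

// EncryptForRequest is the client side: parse the PEM public key from the
// login form and encrypt the password with RSA-OAEP (SHA-256).
func EncryptForRequest(pubPEM, password []byte) ([]byte, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return nil, errors.New("no PEM block in public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, password, nil)
}

func main() {
	store := NewKeyStore(2048, time.Minute)
	id, pubPEM, _ := store.Begin()                                              // server renders the form
	ct, _ := EncryptForRequest(pubPEM, []byte("constructed-sample-password")) // browser submits
	pw, err := store.Finish(id, ct)                                             // server handles the POST
	fmt.Printf("decrypted %q err=%v keys left=%d\n", pw, err, store.Pending())
	_, err = store.Finish(id, ct) // same id again: the key pair is already gone
	fmt.Println("replay:", err)
}
```

The point of deleting the entry before decrypting is the "every successful/unsuccessful authentication will destroy the used key pair" rule from the quote: a wrong password, a garbled ciphertext and a replayed submission all consume the key. The `bits` parameter is where the key-length versus generation-time tradeoff mentioned in the thread is set; measuring `Begin` with different values gives the request rate a given box can sustain.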