[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism

Andreas Förthner Andreas.Foerthner at netlogix.de
Wed Jan 7 14:52:19 CET 2009


Hi,

> One weakness is the private key. You intend to create different keys for 
> users one single time and reuse an existing one.
> Why would we want to do this? We cannot use a certification storage (in 
> the browser) to verify the website origin.
> Therefore we could create a new key pair for each authentication request 
> and don't care about a super secret private key server storage. 

Yes I thought about that, too. Perhaps we really should go this way. But 
I would still combine it with the possibility of an external 
WalletService, as we have to store the private key somewhere (at least 
for a few seconds), and it's even more secure to not have it in the DB 
or session.

> It's possible to find a tradeoff of security (key length) and complexity 
> (computing time). Using the openssl binary to compute a key pair on a BSD 
> box I was able to process 40 req/s (http) meaning creation of 40 key pairs 
> - more to that later.

Ok, that sounds promising. I'll check that.

> We keep track of authentication requests - then every 
> successful/unsuccessful authentication will destroy the used key pair.
> Don't focus on the salting, password hashing, etc. Have a look at 
> extension t3sec_saltedpw which uses an existing library and only has 
> small adjustments to fit in the TYPO3 world.

Hm, I fear it won't fit that easy for 5.0, but I'll have a look at it, 
thanks.

> I mentioned a test earlier; there's already a PoC for RSA authentication 
> created by Michael Stucki. Have a look at 
> http://forge.typo3.org/issues/show/1570

Yes, I have the implementation.

Thanks for your support.

Greets Andi
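The per-request key pair with one-time use discussed above, as an added example in PHP (not code from this thread, from Michael Stucki's PoC or from TYPO3). It assumes PHP 8 with the openssl extension; the class name, its methods and the in-memory store are hypothetical.

```php
<?php
// Added example, not code from the thread or TYPO3. Assumes PHP >= 8.0 with
// the openssl extension; the class, method names and $pending store are hypothetical.
final class EphemeralRsaLogin
{
    private array $pending = []; // requestId => ['key' => private key, 'expires' => unix time]
    // $keyBits is the security vs. computing-time tradeoff discussed in the thread.
    public function __construct(private int $keyBits = 2048, private int $ttl = 60) {}

    // Step 1 (server): fresh key pair per request; only the public half and an
    // opaque request id go to the browser.
    public function beginRequest(): array
    {
        $key = openssl_pkey_new([
            'private_key_bits' => $this->keyBits,
            'private_key_type' => OPENSSL_KEYTYPE_RSA,
        ]);
        if ($key === false) {
            throw new RuntimeException('RSA key generation failed: ' . openssl_error_string());
        }
        $id = bin2hex(random_bytes(16));
        // Private key stays in memory (or a WalletService), never in the DB or session.
        $this->pending[$id] = ['key' => $key, 'expires' => time() + $this->ttl];
        return ['requestId' => $id, 'publicKey' => openssl_pkey_get_details($key)['key']];
    }

    // Step 2 (server): decrypt the password the browser encrypted with the public key.
    // The key pair is dropped before the outcome is known, so every successful or
    // failed attempt destroys it and a replayed ciphertext can no longer be decrypted.
    public function finishRequest(string $id, string $ciphertext, callable $checkPassword): bool
    {
        if (!isset($this->pending[$id])) {
            return false; // never issued, already consumed, or purged
        }
        $entry = $this->pending[$id];
        unset($this->pending[$id]); // one-shot
        if ($entry['expires'] < time()) {
            return false;
        }
        $ok = openssl_private_decrypt($ciphertext, $password, $entry['key'], OPENSSL_PKCS1_OAEP_PADDING);
        return $ok && $checkPassword($password);
    }
}

// Constructed round trip; the openssl_public_encrypt step would run in the browser.
$login = new EphemeralRsaLogin();
$challenge = $login->beginRequest();
openssl_public_encrypt('correct horse', $blob, $challenge['publicKey'], OPENSSL_PKCS1_OAEP_PADDING);
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
$verify = fn(string $pw): bool => password_verify($pw, $hash);
var_dump($login->finishRequest($challenge['requestId'], $blob, $verify)); // first use: accepted
var_dump($login->finishRequest($challenge['requestId'], $blob, $verify)); // replay: key pair is gone
```

In a real deployment the store would be shared across PHP processes (or held by the external WalletService the message mentions) and swept for expired entries.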
