[thelist] Login Screen Security

Joshua Olson joshua at waetech.com
Wed Nov 12 14:55:56 CST 2003


----- Original Message ----- 
From: <John.Brooking at sappi.com>
Sent: Wednesday, November 12, 2003 3:16 PM


> But wait! That's no good!! Now all the cracker has to do is write his own
> form and send the same crypted string ("etqKJte.0e." or whatever) as he
> sees in the stream. Doesn't matter what the original password was! Back to
> rule #1: Don't trust anything from the client.

I've been withholding, you're right... but now that you're thinking about
all the angles I'll give you a possible solution to the whole thing:

What if the salt value was allowed to change on every request.  More
specifically, what if the client had to request from the server a one-time
use salt value.  The server generates and activates a random salt value and
gives it back to the client.   Once an attempt to login (successful or not)
is made with that salt value it becomes invalid until a request for a new
salt value is generated.  Conceivably, valid salt values could time out on
the server if they go unused.

On the client side you'd use the global salt value AND the one-time use salt
value to encrypt the password.  Back on the server, encrypt the stored
encrypted password using the one-time salt value and compare the result with
the value from the client.  Even if the encrypted password was intercepted on
the return trip to the server, the salt value would no longer be valid and
thusly the encrypted password would no longer be valid.

Completely hackproof?... pretty much.  Completely hackERproof?... almost.  A
hacker could intercept the one-time salt value's trip TO the client and
expire it before the real client had a chance to use it.  This is not a real
hole, but will be inconvenient since it would make the login fail even with
correct credentials.

All in all, this would work, but man is it a complex solution!  I'd suggest
you use SSL until something better comes out.  :-)

<><><><><><><><><><>
Joshua Olson
Web Application Engineer
WAE Tech Inc.
http://www.waetech.com
706.210.0168
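The one-time-salt exchange described in the message above, worked through as an added example that is not code from the thread. It stands in SHA-256 and HMAC for the crypt()-style function being discussed, and the usernames, passwords and site-wide salt are constructed values; the `now` parameter exists only so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

GLOBAL_SALT = "example-site-wide-salt"  # constructed value for the demo


def stored_hash(password):
    """What the server keeps: hash(global salt + password), never the password."""
    return hashlib.sha256((GLOBAL_SALT + password).encode()).hexdigest()


def challenge_response(password, nonce):
    """Client side: rehash the globally salted password under the one-time salt."""
    return hmac.new(nonce.encode(), stored_hash(password).encode(), "sha256").hexdigest()


class Server:
    def __init__(self, nonce_ttl=60.0):
        self.nonce_ttl = nonce_ttl
        self.users = {}    # username -> stored_hash(password)
        self.nonces = {}   # currently valid one-time salts -> time issued

    def register(self, username, password):
        self.users[username] = stored_hash(password)

    def issue_nonce(self, now=None):
        """Step 1: client asks for a one-time salt; server generates and activates it."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = time.time() if now is None else now
        return nonce

    def login(self, username, nonce, response, now=None):
        """Step 2: verify the client's response and retire the salt, pass or fail."""
        now = time.time() if now is None else now
        # pop() invalidates the salt on any attempt, so a captured response
        # cannot be replayed; it also means anyone who burns a salt first
        # forces the real client to fetch a fresh one (the DoS caveat above).
        issued = self.nonces.pop(nonce, None)
        if issued is None or now - issued > self.nonce_ttl:
            return False
        stored = self.users.get(username)
        if stored is None:
            return False
        # Server recomputes from the stored hash, so it never needs the password.
        expected = hmac.new(nonce.encode(), stored.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, response)
```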


