Security

Password Security

Okay, so I was asked to think about user logon and information and here are some of my conclusions for security.

CHAP Login System

For the actual login page we would use a CHAP login system. At the start of every session the server will create a new random challenge string, which it will send to the user in a session variable (or a hidden field on the page, it matters not at all to me). What is sent back to the server is:

hash(hash(password) + challenge_string)

The server can then check this against the information in its database by doing the same thing at its end:

hash(hash(db password) + challenge_string)

If the two values match, the user is successfully logged in. This should theoretically clear us from replay attacks, as the server will expect a response hashed with a new challenge_string each time.

This leaves us a little vulnerable on the database side as the hashes are stored directly as is in the database…
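
The exchange described above, as an added example that is not part of the original post. It is written for Node.js; SHA-256 as hash(), hex encoding, and the names chapResponse and ChapServer are assumptions made here.

```javascript
// Added example: challenge-response login as described above.
// Assumptions: hash() is SHA-256, values are hex strings, "+" is string concatenation.
const nodeCrypto = require("node:crypto");

const sha256Hex = (s) => nodeCrypto.createHash("sha256").update(s, "utf8").digest("hex");

// Client side: hash(hash(password) + challenge_string)
function chapResponse(password, challenge) {
  return sha256Hex(sha256Hex(password) + challenge);
}

class ChapServer {
  constructor() {
    this.users = new Map();   // username -> hash(password), as stored in the database
    this.pending = new Map(); // sessionId -> outstanding challenge
  }
  addUser(username, password) {
    this.users.set(username, sha256Hex(password));
  }
  // New random challenge at the start of every session.
  issueChallenge(sessionId) {
    const challenge = nodeCrypto.randomBytes(16).toString("hex");
    this.pending.set(sessionId, challenge);
    return challenge;
  }
  verify(sessionId, username, response) {
    const challenge = this.pending.get(sessionId);
    this.pending.delete(sessionId); // single use: a captured response cannot be replayed
    const stored = this.users.get(username);
    if (!challenge || !stored || typeof response !== "string") return false;
    // Server side: hash(hash(db password) + challenge_string).
    // Only the stored hash is needed here, which is the database-side weakness noted above.
    const expected = Buffer.from(sha256Hex(stored + challenge), "hex");
    const got = Buffer.from(response, "hex");
    // Constant-time comparison; lengths must match before timingSafeEqual.
    return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
  }
}

// Constructed sample run: one valid login, then the same response sent again.
function demo() {
  const server = new ChapServer();
  server.addUser("alice", "correct horse");
  const r1 = chapResponse("correct horse", server.issueChallenge("s1"));
  const first = server.verify("s1", "alice", r1);      // fresh challenge, right password
  const replaySame = server.verify("s1", "alice", r1); // challenge already consumed
  server.issueChallenge("s2");
  const replayNew = server.verify("s2", "alice", r1);  // old response, new challenge
  return { first, replaySame, replayNew };
}
```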

Password Creation/Update

Moving on, we come to the problem of updating a password or creating a new user. We would not want this information known, so we need a way of encrypting the data going to the server while still being able to decrypt it at the other end.

I am working off a modified version of the Diffie-Hellman concept for key exchange along with a bit of the CHAP concept.

Diffie-Hellman Key Exchange

(I will briefly go back over concepts as I’ve been away from it for awhile and it helps to refresh. Just skip if you want)

Diffie-Hellman works where the Server and Client are both using a public p and g

p is a prime number (bigger is better)

and

g is the generator number, which is less than p and has the property that for any number n from 1 to p-1 there is a power k such that n = g^k mod p

Then the client and server each choose a random number for themselves.
a=Client
b=Server

Client sends Server g^a mod p.
Server sends Client g^b mod p.

Now the common key number is g^(a*b) mod p, which each side can easily compute as it is the same as
(g^a mod p)^b mod p, which is also the same as (g^b mod p)^a mod p

Now, without a and b you have some nice number crunching to do to figure out the key, which can then be used in a symmetric encryption algorithm (for example AES, not a private/public key type) to allow encryption and decryption of information.

Diffie-Hellman + CHAP Authentication… Kind of

Now the biggest problem for this type of system is a man-in-the-middle attack, as no user authentication is done to verify that the user sending this information is who they say they are. Now, short of necessitating private/public keys, we can just do a simple authentication using HMAC.

HMAC or message digesting takes a message and a secret key known to both parties (the hashed current password of the logged-in user) and then returns a message digest of this original message. So the update and new user pages would have another challenge string that just needs to be HMAC’d by the logged-in user to verify that it is a real user. Now the man in the middle would be unable to spoof as he does not have the hashed password value.

Links


And we have all the javascript information necessary to do the whole algorithm :P

Tell me what you guys think… Or we could say we don’t care about security and store everything in plain text


One Comment on “Security”

  1. Ahmed Says:

    Nice, this should be really nice.

    I like the javascript link, we can surely use this.

    :razz:
