On Mon, 24 Nov 2008 17:47, Jeremy Huntwork wrote:
> My problem now is,
> how do I securely register the user in a similar fashion? In other
> words, how would I get the hash of the password securely to the server
> in the first place, or in the event that a user wishes to change her
> password? I have an idea brewing already, but it's the sort of thing
> that I think would be easy enough for a third party to break.
>
> Any thoughts?
>
> --
> JH
User: wishes to create a new password (either 1st time or change existing
password)
Server: sends new/change password dialogue and includes server public key
Client: prompts user for new password
Client: transforms new password with selected hash algorithm
encrypts new password hash with server public key and sends to server
Server: decrypts new password hash cypher text
stores new password hash
This system is susceptible to Man-in-the-middle attacks as well as compromised
client (keyboard loggers etc.) attacks.
The main difficulty is doing the pki encryption in the client as you have no
control over the toolset available however it appears there are javascript
implementations. I found this link which seems to address what you are
trying to do: http://www.hanewin.net/encrypt/
Regards
Tony Sauri
--
http://linuxfromscratch.org/mailman/listinfo/lfs-chat
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
