On Sunday November 23 2008 11:48:15 pm Jeremy Huntwork wrote:
> Hello all,
>
> I'm trying to work out a solution to a problem, and I thought I'd ask
> here in case anyone has any ideas.
>
> First a bit of background. I just wrote a post in my blog about a secure
> login with PHP and JavaScript without SSL. The basic idea is that the
> server sends the client a random key, then both the server and client
> append the hash value of the client's password to the random key and
> produce another hash from the new string. Then the server compares the
> string to see if it and the client got the same result. You can see the
> full post here: http://www.lightcubesolutions.com/blog/?p=47

This is similar to HMAC.

> This appears to do just what it was intended to do. My problem now is,
> how do I securely register the user in a similar fashion? In other
> words, how would I get the hash of the password securely to the server
> in the first place, or in the event that a user wishes to change her
> password? I have an idea brewing already, but it's the sort of thing
> that I think would be easy enough for a third party to break.
>
> Any thoughts?
>
> --
> JH

I think hmac(-like) implementations only work after the initial key is exchanged in advance (with ssl), not before. I think you need to look into how ssl key pairs work. Somehow ssl allows two complete strangers to exchange secret keys when they shake hands, in clear text.

There is a chicken and egg problem here. How is it possible for me to mail my friend a letter, telling him that my future letters will be digested with an algorithm so tampering can be detected, when we have not exchanged a secret key in advance and in private? Historically, as far as I know, this cannot be done, yet ssl does it.

I love brain teasers like this, give me more time. You can also try the hlfs-dev mailing list.

robert
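The login exchange Jeremy describes (server sends a random key, both sides hash the key plus the password hash, server compares) and the HMAC form robert points to, as an added Python sketch; this is not the blog post's PHP/JavaScript code nor anything from the thread. The in-memory USERS and PENDING tables, the SHA-256 choice, and the single-use handling of each challenge are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for the server's user table and for the
# random keys it has handed out but not yet seen answered (hypothetical).
USERS = {}    # username -> stored password digest
PENDING = {}  # username -> outstanding challenge


def password_digest(password: str) -> str:
    """The hash of the password that both sides hold; the server keeps this
    at registration instead of the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register(username: str, password: str) -> None:
    """Registration as the thread leaves it: the digest reaches the server
    somehow; the question of doing that without SSL is left open here."""
    USERS[username] = password_digest(password)


def server_issue_challenge(username: str) -> str:
    """Server step 1: send the client a fresh random key."""
    challenge = secrets.token_hex(16)
    PENDING[username] = challenge
    return challenge


def client_answer(challenge: str, password: str) -> str:
    """Client step: hash(random key + hash(password))."""
    return hashlib.sha256((challenge + password_digest(password)).encode()).hexdigest()


def server_verify(username: str, answer: str) -> bool:
    """Server step 2: recompute from the stored digest and compare in
    constant time. The challenge is consumed so an answer is good once."""
    challenge = PENDING.pop(username, None)
    stored = USERS.get(username)
    if challenge is None or stored is None:
        return False
    expected = hashlib.sha256((challenge + stored).encode()).hexdigest()
    return hmac.compare_digest(expected, answer)


def hmac_answer(challenge: str, password: str) -> str:
    """The same idea as a proper HMAC: key = password digest, message = challenge."""
    key = password_digest(password).encode()
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


def login(username: str, password: str) -> bool:
    """Run one complete exchange between the two sides."""
    challenge = server_issue_challenge(username)
    return server_verify(username, client_answer(challenge, password))
```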
--
http://linuxfromscratch.org/mailman/listinfo/lfs-chat
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
