On Fri, Oct 24, 2008 at 6:45 AM, Andrius Chamentauskas <[EMAIL PROTECTED]> wrote: > > What about asymmetric encryption algorithms? You could use javascript > to encrypt password using public key, and then this information could > only be decrypted only by using private key, which could be stored > safely in server and used in model for authentication or registration. > I think example of this is RSA.
I'm not a JS expert by any means, but I don't think it is powerful enough to work with the VERY large numbers necessary for RSA. Frankly, using RSA (or any security algorithm) properly is very difficult and it's easy to use it in a way which negates it's effectiveness. There are a number of attacks against RSA if you use it incorrectly. Also, RSA is very CPU intensive- even compared to other encryption/hash algorithms. If security really is a concern, then you should absolutely use HTTPS which has a lot of peer review and handles all sorts of security challenges that are not solvable via JS. Man in the middle (MITM) attacks are especially difficult to stop via JS since you have no realistic way of authenticating the server you're talking to. Btw, using the monotonically increasing nonce like I suggested in the last email is very open to MITM attacks because it's easy for someone to pretend to be the server and choose a nonce in the future, capture your reply and keep connecting to the server until it sends the matching nonce value and then use the response it cached from you. Hence you may want to include a timestamp in the nonce, but of course that's open to timing attacks. :) Or you could go with a truly random nonce, but that tends to be difficult to implement in real life (again, you can not EVER repeat this value!). Here's a cool little tool a buddy of mine wrote show casing how easy it is to do MITM attacks over wireless at a security conference: http://airpwn.sourceforge.net/Airpwn.html My point is that security is hard. Don't try to do it yourself. Stand on the shoulders of giants. Use SSL/TLS. -- Aaron Turner http://synfin.net/ http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
