Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Jeffrey I. Schiller
I think you are close, but are probably doing way too much work. First let's define a function HMAC_MD. HMAC is defined in RFC2104 and represents the current best current practice for using a hash to "sign" a data value. It takes:
    result = hmac_md(key, value)
You can use hmac with MD5, SHA1, S

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Peter Gutmann
Rene Veerman writes:
>Recently, on both the jQuery(.com) and PHP mailing lists, a question has
>arisen on how to properly secure a login form for a non-ssl web-application.
>But the replies have been "get ssl".. :(
>
>I disagree, and think that with a proper layout of authentication
>architecture,

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Joseph Ashwood
- Original Message - From: "Rene Veerman" Sent: Sunday, February 15, 2009 4:30 AM Subject: how to properly secure non-ssl logins (php + ajax) I'm going to edit this, since I assume most of the code is completely irrelevant proposal: database stores Hash(password | salt) on server ch

Re: Crypto Craft Knowledge

2009-02-20 Thread David Molnar
Stephan Neuhaus wrote:
>> Yes, there's a need for a "crypto practices FAQ" to which one can refer.
>
> I disagree because you cannot force developers to read (and understand)
> these FAQs. Instead, there is a need for APIs that are difficult to use
> in an insecure way. For example, Peter Gutma

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Alexander Klimov
On Sun, 15 Feb 2009, Rene Veerman wrote:
> Recently, on both the jQuery(.com) and PHP mailing lists, a question has
> arisen on how to properly secure a login form for a non-ssl web-application.
> But the replies have been "get ssl".. :(
Unfortunately, they are right: get SSL.
> If you have a comp

Re: Crypto Craft Knowledge

2009-02-20 Thread Ben Laurie
Stephan Neuhaus wrote:
> Many mistakes in crypto coding come from the fact that API developers
> have so far very successfully shifted the burden of secure usage to the
> application developer, the API user. But I believe this hasn't worked
> and needs to be changed.
I totally agree, and this is

Re: Crypto Craft Knowledge

2009-02-20 Thread James Hughes
On Feb 14, 2009, at 12:54 PM, David Molnar wrote: Ben Laurie wrote: [snip discussion of bad crypto implementation practices] Because he is steeped in the craft knowledge around crypto. But most developers aren't. Most developers don't even have the right mindset for secure coding, let alone

Contradictory opinion on KMIP

2009-02-20 Thread Arshad Noor
Recently, there was a posting on this forum on the Key Management Interoperability Protocol (KMIP) Technical Committee charter, proposed by a group of storage vendors (RSA, IBM, HP, et al) at OASIS. (Unfortunately, I deleted the posting, so I cannot refer to it directly, but here's a link to the

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Lea Kissner
[Moderator's note: top posting is not considered good form. --Perry] Hi Rene, I suspect from reading this quickly that you may not be a cryptographer. I'd highly suggest that you borrow one for a bit before you go ahead with this. I'm having a bit of trouble reading exactly what you want to do, b

Shamir secret sharing and information theoretic security

2009-02-20 Thread R.A. Hettinga
Begin forwarded message:
From: Sarad AV
Date: February 17, 2009 9:51:09 AM EST
To: cypherpu...@al-qaeda.net
Subject: Shamir secret sharing and information theoretic security
hi, I was going through the wikipedia example of shamir secret sharing which says it is information theoretically s

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Erwan Legrand
Hi,
> Recently, on both the jQuery(.com) and PHP mailing lists, a question has
> arisen on how to properly secure a login form for a non-ssl web-application.
> But the replies have been "get ssl".. :(
What makes you think these are ill-advised?
> I disagree, and think that with a proper layout of

Re: how to properly secure non-ssl logins (php + ajax)

2009-02-20 Thread Ivan Krstić
On Feb 15, 2009, at 7:30 AM, Rene Veerman wrote: Recently, on both the jQuery(.com) and PHP mailing lists, a question has arisen on how to properly secure a login form for a non-ssl web-application. What's the threat model? users[user_id].user_login_hash = onewayHash(user_login_name + pref

fyi: Researchers Hack Biometric Faces

2009-02-20 Thread ' =JeffH '
apropos to the biometrics essay in the Jan 2009 crypto-gram: Researchers Hack Biometric Faces slashdot.org/palm/18/09/02/17/216216_1.shtml from the face-off dept. posted by kdawson on 2009-02-18 01:35:00 yahoi sends in news from a week or so back: "Vietnamese researchers have cracked the facia

The password-reset paradox

2009-02-20 Thread Peter Gutmann
There are a variety of password cost-estimation surveys floating around that put the cost of password resets at $100-200 per user per year, depending on which survey you use (Gartner says so, it must be true). You can get OTP tokens for as little as $5. Barely anyone uses them. Can anyone explain wh

stripping https from pages

2009-02-20 Thread Steven M. Bellovin
http://www.theregister.co.uk/2009/02/19/ssl_busting_demo/ -- we've talked about this attack for quite a while; someone has now implemented it. --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Shamir secret sharing and information theoretic security

2009-02-20 Thread Jonathan Katz
On Tue, 17 Feb 2009, R.A. Hettinga wrote: hi, I was going through the wikipedia example of shamir secret sharing which says it is information theoretically secure. http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing ... The scheme is defined over a finite field *not* over the integers.

Re: The password-reset paradox

2009-02-20 Thread Jerry Leichter
On Feb 19, 2009, at 8:36 AM, Peter Gutmann wrote: There are a variety of password cost-estimation surveys floating around that put the cost of password resets at $100-200 per user per year, depending on which survey you use (Gartner says so, it must be true). You can get OTP tokens as litt

Re: The password-reset paradox

2009-02-20 Thread Steven M. Bellovin
On Fri, 20 Feb 2009 02:36:17 +1300 pgut...@cs.auckland.ac.nz (Peter Gutmann) wrote:
> There are a variety of password cost-estimation surveys floating
> around that put the cost of password resets at $100-200 per user per
> year, depending on which survey you use (Gartner says so, it must be
> tru

Re: The password-reset paradox

2009-02-20 Thread James Chacon
On Feb 19, 2009, at 7:36 AM, Peter Gutmann wrote: There are a variety of password cost-estimation surveys floating around that put the cost of password resets at $100-200 per user per year, depending on which survey you use (Gartner says so, it must be true). You can get OTP tokens as litt