Re: Hashing algorithm needed

2010-09-15 Thread Ben Laurie
On 15/09/2010 00:26, Nicolas Williams wrote: On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote: How do you deliver Javascript to the browser securely in the first place? HTTP? I'll note that Ben's proposal is in the same category as mine (which was, to remind you, implement SCRAM in

Re: Hashing algorithm needed

2010-09-15 Thread Ben Laurie
On 14/09/2010 21:16, Marsh Ray wrote: On 09/14/2010 09:13 AM, Ben Laurie wrote: Demo here: https://webid.digitalbazaar.com/manage/ This Connection is Untrusted So? It's a demo. -- http://www.apache-ssl.org/ben.html http://www.links.org/ There is no limit to what a man can do or

Re: Hashing algorithm needed

2010-09-14 Thread Ian G
On 14/09/10 2:26 PM, Marsh Ray wrote: On 09/13/2010 07:24 PM, Ian G wrote: 1. In your initial account creation / login, trigger a creation of a client certificate in the browser. There may be a way to get a browser to generate a cert or CSR, but I don't know it. But you can simply generate

Re: Hashing algorithm needed

2010-09-14 Thread Marsh Ray
On 09/13/2010 07:24 PM, Ian G wrote: On 11/09/10 6:45 PM, f...@mail.dnttm.ro wrote: Essentially, the highest risk we have to tackle is the database. Somebody having access to the database, and by this to the authentication hashes against which login requests are verified, should not be able to

Re: Hashing algorithm needed

2010-09-14 Thread Ben Laurie
On 14/09/2010 12:29, Ian G wrote: On 14/09/10 2:26 PM, Marsh Ray wrote: On 09/13/2010 07:24 PM, Ian G wrote: 1. In your initial account creation / login, trigger a creation of a client certificate in the browser. There may be a way to get a browser to generate a cert or CSR, but I don't

Re: Hashing algorithm needed

2010-09-14 Thread Erwan Legrand
On Tue, Sep 14, 2010 at 13:29, Ian G i...@systemics.com wrote: On 14/09/10 2:26 PM, Marsh Ray wrote: On 09/13/2010 07:24 PM, Ian G wrote: 1. In your initial account creation / login, trigger a creation of a client certificate in the browser. There may be a way to get a browser to generate

Re: Hashing algorithm needed

2010-09-14 Thread Marsh Ray
On 09/14/2010 09:13 AM, Ben Laurie wrote: On 14/09/2010 12:29, Ian G wrote: On 14/09/10 2:26 PM, Marsh Ray wrote: On 09/13/2010 07:24 PM, Ian G wrote: 1. In your initial account creation / login, trigger a creation of a client certificate in the browser. There may be a way to get a

Re: Hashing algorithm needed

2010-09-14 Thread Nicolas Williams
On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote: On 09/14/2010 09:13 AM, Ben Laurie wrote: Of some interest to me is the approach I saw recently (confusingly named WebID) of a pure Javascript implementation (yes, TLS in JS, apparently), allowing UI to be completely controlled by the

Re: Hashing algorithm needed

2010-09-09 Thread James A. Donald
On 2010-09-09 6:35 AM, Ben Laurie wrote: What I do in Nigori for this is use DSA. Your private key, x, is the hash of the login info. The server has g^x, from which it cannot recover x, Except, of course, by dictionary attack, hence g^x, being low entropy, is treated as a shared secret. and

Re: Hashing algorithm needed

2010-09-09 Thread Ben Laurie
On 9 September 2010 10:08, James A. Donald jam...@echeque.com wrote: On 2010-09-09 6:35 AM, Ben Laurie wrote: What I do in Nigori for this is use DSA. Your private key, x, is the hash of the login info. The server has g^x, from which it cannot recover x, Except, of course, by dictionary

Re: Hashing algorithm needed

2010-09-08 Thread Ben Laurie
On 8 September 2010 16:45, f...@mail.dnttm.ro wrote: Hi. Just subscribed to this list for posting a specific question. I hope the question I'll ask is in place here. We do a web app with an Ajax-based client. Anybody can download the client and open the app, only, the first thing the app

Re: Hashing algorithm needed

2010-09-08 Thread Chris Palmer
f...@mail.dnttm.ro writes: The idea is the following: we don't want to secure the connection, Why not? Using HTTPS is easier than making up some half-baked scheme that won't work anyway. -- http://noncombatant.org/ - The