|
Posted by Yong Kwang on February 10, 2008, 9:22 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Thanks for sharing your insight on this issue. I believe my own design
is full of loopholes anyway. :)
Just to add some comments to your reply.
>
> > I've been researching on whether it is possible to have a secure web
> > application authentication system without the availability of SSL but
>
> Authentication has nothing to do with SSL. You can use SSL to
> authenticate. But that's it.
>
Yes. I do agree. I guess in my posting, I wasn't clear on what my
system can do specifically and I lumped together user account
registration, user log-in and user password change together in 1
system. Technically, SSL provides an encrypted channel to facillitate
authentication and transmission of sensitive data over insecure
network (i.e. Internet).
> > The reason for my efforts is that I'm currently using a free PHP
> > hosting package and thus, there is no SSL option provided. This is
> > understandable due to cost of providing SSL certificates.
>
> SSL certificates cost nothing. You can easily set up your own CA with
> openssl or use a free CA. SSL certificates signed by a CA which has
> its CA certificates preinstalled in standard browsers cost money. But
> if you give out certificates to people to use your own services there
> is no problem using your own CA.
>
For free web hosting accounts, so far I have not heard of the hosting
company allowing their users to install their own certificates
(whether signed by CA or self-generated) or offering HTTPS in the
first place. That was my point when I mentioned that I do not have
access to SSL HTTPS to create a secure channel for handling log-in
authentication and password change, even when I feel it is required.
> > Given the above limitations, I wonder if a secure web authentication
> > mechanism is still possible and if there is any concepts from
> > established authentication protocols based on symmetric encryption and
> > MD5/SHA-1 digest that I can recycle and leverage on.
>
> Why do you want symmetric encryption? Even SSL does not use symmetric
> encryption for authentication or authorization. Certificates are based
> on asymmetric encryption. Really secure authentication only based on
> symmetric encryption requires off-band exchange of the symmetric key.
>
Yes. I'm back to puzzling over the old problem in the 1960s and 1970s
of key exchange and distribution when only symmetric encryption was
available and asymmetric encryption wasn't invented. When I do not
have access to RSA or Diffie-Hellman key exchange, the closest to
scramble my password to prevent transmission in the clear is only
symmetric encryption. But how to share the secret key to decrypt the
password on the other end, this I've no answer.
> I would highly recommend not to develop your own security functions.
> It is futile. Even the best make mistakes at times and create security
> algorithms which are flawed as various examples in the past have
> shown. It is best to use existing functions like for SSL or PGP or
> similar. I guess there should be some implementations for that in PGP
> as well. However, I guess it won't really work in PHP as asymmetric
> encryption requires some number crunching which is slow when scripted
> in PHP. It depends on your ISP which libraries are available in PHP.
>
Agree totally. Just trying to work around some constraints in
resources that I have based on what the hosting company is willing to
provide for free. I haven't checked if the PHP mcrypt library is
installed and available instead of spinning my own cryptographic
implementation. (*gasp* no time plus no expertise)
> Thus I would either suggest you find an ISP which allows you to use
> the functions you require (e.g. SSL) or you just do a simple standard
> password setup and don't worry about the rest. For any normal average
> person it is futile to create its own secure algorithm. A correct,
> systematic approach to develop that requires a lot of experience and
> knowledge. Without the knowledge it won't be secure and thus it is not
> really worth it waisting your time to come up with something which you
> believe is secure. But that's maybe only my opinion....
>
> Gerald
Agree as well. Experts like Bruce Schnier has spent decades working on
encryption algorithms, and there're experts working on other areas
like key exchange problems for many years. A novice should never
attempt to develop new security protocol and system on his own and
think it is secure. Taking a 6 months or 1 year computer security
module does not make a person an expert. However, I guess it does boil
down to the confidentiality and value of the information I'm trying to
protect too. Since I'm not trying to protect ultra-secret or top-
secret national secret, a simple system may just suffice for its
purpose.
| 
XML site map