Hi Matthias,

On Jan 31, 12:37 am, Matthias Julius <li...@julius-net.net> wrote:
> But, it doesn't help you anything. Someone who could get a hold of a
> plain text password sent over the internet could get a hashed password
> just as easily. And the server has no way of telling whether the sent
> password hash came from a browser showing your website or from
> something else. To protect a password you need an encrypted
> connection.
I don't intend to send the hashed password; I agree with you that doesn't help. The idea is to use some common reliable signature scheme, such as HMAC, to sign a long nonce salt which is generated uniquely for each login form display. If someone snatches the signature, he must relay it to the server faster than the original packets in order to log in (the nonce salt is erased from the session the moment someone tries to authenticate against it).

The intercepted signature is of little use to the snatcher, as the whole idea of cryptographic signature algorithms is to make extracting the secret key used to sign (in this case it's the password) as hard as possible, which is impossible for anyone who isn't some top cryptanalyst with access to huge computing power. On the other hand, if someone intercepts the clear-text password sent, he can log in with it anytime he wants, and moreover he will probably get access to other services the user has, as people usually re-use passwords for their accounts in different places.

So the scheme is not to send the hashed password, but a cryptographic signature of a randomly generated (big) salt, a copy of which is saved in the session. Someone without the password could not sign the request, and if he intercepts the request he couldn't extract the password from it.

This idea is also used in many production environments and is implemented in the OAuth protocol (HMAC-SHA1 version), where it is used to authenticate requests by using a consumer key (username) and consumer secret (password) without ever sending the password in plain text. http://oauth.net/core/1.0/

Thanks,
Guy

You received this message because you are subscribed to the Google Groups "Django users" group.
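The challenge-response flow described in the post, written out as an added example (my code, not Guy's, Django's or OAuth's) so both sides of the exchange and the one-time nonce can be seen together. It assumes an in-memory session store, a user table from which the server can reproduce the HMAC key (the demo stores the password itself for that purpose, which is an assumption of the demo and the point a practitioner should scrutinise), and only the Python standard library.

```python
import hashlib
import hmac
import secrets

# Constructed demo state: a user table and a session store, both in memory.
# The server must be able to recompute the HMAC key, so the demo keeps the
# password as the key (assumption of this example, not a Django API).
USERS = {"alice": "correct horse battery staple"}
SESSIONS = {}


def issue_challenge(session_id):
    """Server side: generate a fresh random nonce when the login form is
    rendered and keep a copy in the session for later verification."""
    nonce = secrets.token_hex(32)
    SESSIONS[session_id] = nonce
    return nonce


def sign_challenge(password, nonce):
    """Client side: HMAC-SHA1 over the nonce, keyed with the password.
    Only this digest travels to the server; the password never does."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha1).hexdigest()


def verify_login(session_id, username, signature):
    """Server side: consume the nonce first (so the same signature cannot be
    replayed), recompute the MAC and compare it in constant time."""
    nonce = SESSIONS.pop(session_id, None)
    if nonce is None:
        return False  # no outstanding challenge, or it was already used
    password = USERS.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), nonce.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, signature)


def demo():
    """Run one legitimate login, then replay the captured signature."""
    sid = "session-1"
    nonce = issue_challenge(sid)
    sig = sign_challenge("correct horse battery staple", nonce)
    first = verify_login(sid, "alice", sig)    # genuine client: accepted
    replay = verify_login(sid, "alice", sig)   # same signature again: nonce gone
    return first, replay


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note that the captured digest is still an offline guessing target keyed by the password, so the scheme limits replay and disclosure on the wire but does not replace transport encryption.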