JavaScript Challenge-handshake authentication django app
Project description
JavaScript Challenge-handshake authentication django app.
First of all: JS-SHA1-Login is not a simple "send username + SHA1(password)" scheme. It is a challenge-handshake authentication protocol.
TODO:
code cleanup
clean up templates
fix "next_url" and all links in the example project
add unit tests for reusing an old challenge value
add unit tests for reusing an old cnonce value
The procedure:
Save a new user password:
client browser / JavaScript part:
user enters a password
init_pbkdf2_salt = SHA1(random data)
pbkdf2_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)
client sends init_pbkdf2_salt and pbkdf2_hash to the server
Server part:
server splits pbkdf2_hash into first_pbkdf2_part and second_pbkdf2_part
encrypted_part = xor_encrypt(first_pbkdf2_part, key=second_pbkdf2_part)
only encrypted_part and the client-supplied init_pbkdf2_salt are saved; pbkdf2_hash itself is not stored
Login - client browser / JavaScript part:
user requests the login page
server sends the HTML login form containing a random server_challenge value
user enters username and password
Ajax request fetches init_pbkdf2_salt from the server for the given username
generate the auth data:
pbkdf2_temp_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)
split pbkdf2_temp_hash into first_pbkdf2_part and second_pbkdf2_part
cnonce = SHA1(random data)
pbkdf2_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)
send pbkdf2_hash, second_pbkdf2_part and cnonce to the server
Validation on the server:
client POST data: pbkdf2_hash, second_pbkdf2_part and cnonce
get the server_challenge value that was sent from the session
get encrypted_part and init_pbkdf2_salt from the database for the given username
first_pbkdf2_part = xor_decrypt(encrypted_part, key=second_pbkdf2_part)
test_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)
compare test_hash with the transmitted pbkdf2_hash
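The whole procedure (registration, login form, Ajax salt lookup, auth data, server-side validation) as a worked example in Python, with both the client and the server side in one file. This is added example code, not the project's own Python or JavaScript: the Server class, the client_* helpers, the iteration count and the derived-key length are assumptions, and the used_cnonces set is an addition that rejects a replayed cnonce, which the page lists only as a TODO. The demo also shows that a POST replayed against an already-consumed server_challenge is refused.

```python
import hashlib
import hmac
import os

# Assumed parameters; the project's JavaScript may use different values.
PBKDF2_ITERATIONS = 1000   # kept small so the demo runs quickly
PBKDF2_LENGTH = 32         # bytes, split into two 16-byte halves below


def pbkdf2(password, salt):
    """PBKDF2-HMAC-SHA1, the pbkdf2() of the procedure above."""
    if isinstance(password, str):
        password = password.encode()
    if isinstance(salt, str):
        salt = salt.encode()
    return hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ITERATIONS, PBKDF2_LENGTH)


def sha1_random():
    """SHA1(random data) as hex: used for the salt, the challenge and the cnonce."""
    return hashlib.sha1(os.urandom(32)).hexdigest()


def split_halves(data):
    half = len(data) // 2
    return data[:half], data[half:]


def xor_bytes(a, b):
    """xor_encrypt and xor_decrypt are the same operation."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


# Client side (what the browser JavaScript does).

def client_register(password):
    """'Save a new user password': returns what the client sends to the server."""
    init_pbkdf2_salt = sha1_random()
    return init_pbkdf2_salt, pbkdf2(password, init_pbkdf2_salt)


def client_auth_data(password, init_pbkdf2_salt, server_challenge):
    """'Login': builds the POST data from the password, the salt fetched by Ajax
    and the server_challenge embedded in the login form."""
    first_part, second_part = split_halves(pbkdf2(password, init_pbkdf2_salt))
    cnonce = sha1_random()
    return {"pbkdf2_hash": pbkdf2(first_part, cnonce + server_challenge),
            "second_pbkdf2_part": second_part,
            "cnonce": cnonce}


# Server side (hypothetical stand-in for the Django views and models).

class Server:
    def __init__(self):
        self.users = {}            # username -> (encrypted_part, init_pbkdf2_salt)
        self.sessions = {}         # session id -> outstanding server_challenge
        self.used_cnonces = set()  # added here so a replayed cnonce is rejected

    def register(self, username, init_pbkdf2_salt, pbkdf2_hash):
        first_part, second_part = split_halves(pbkdf2_hash)
        # Only encrypted_part and the salt are stored, never pbkdf2_hash itself.
        self.users[username] = (xor_bytes(first_part, second_part), init_pbkdf2_salt)

    def login_form(self, session_id):
        """Rendering the login form stores a fresh challenge in the session."""
        self.sessions[session_id] = sha1_random()
        return self.sessions[session_id]

    def get_salt(self, username):
        """The Ajax endpoint that returns init_pbkdf2_salt for a username."""
        return self.users[username][1]

    def validate(self, session_id, username, pbkdf2_hash, second_pbkdf2_part, cnonce):
        # pop() removes the challenge from the session, so it is valid once only.
        server_challenge = self.sessions.pop(session_id, None)
        if server_challenge is None or cnonce in self.used_cnonces:
            return False
        self.used_cnonces.add(cnonce)
        record = self.users.get(username)
        if record is None or len(second_pbkdf2_part) != len(record[0]):
            return False
        encrypted_part, _salt = record
        first_part = xor_bytes(encrypted_part, second_pbkdf2_part)
        test_hash = pbkdf2(first_part, cnonce + server_challenge)
        # Constant-time comparison of test_hash with the transmitted pbkdf2_hash.
        return hmac.compare_digest(test_hash, pbkdf2_hash)


def demo():
    """One good login, a replay of the same POST data, and a wrong password."""
    server = Server()
    password = "correct horse battery staple"   # constructed sample credential
    salt, pbkdf2_hash = client_register(password)
    server.register("alice", salt, pbkdf2_hash)

    data = client_auth_data(password, server.get_salt("alice"), server.login_form("s1"))
    good = server.validate("s1", "alice", **data)
    replay = server.validate("s1", "alice", **data)      # challenge already consumed

    bad = client_auth_data("wrong password", server.get_salt("alice"), server.login_form("s2"))
    wrong = server.validate("s2", "alice", **bad)
    return good, replay, wrong                            # (True, False, False)
```

Note what the server never sees in this exchange: the plain-text password, and pbkdf2_temp_hash as a whole. It receives second_pbkdf2_part, which together with the stored encrypted_part yields first_pbkdf2_part, but only at the moment of a login; an attacker who copies the database alone has neither half. The real project transmits these values as hex strings rather than raw bytes.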
secure?
JS-SHA1-Login is not a substitute for HTTPS. Without TLS the client cannot verify that it is talking to the real server rather than a man-in-the-middle, and because the login page and its JavaScript are delivered over plain HTTP as well, such an attacker can replace the script and capture the plain-text password before it is ever hashed. JS-SHA1-Login also does not protect against session hijacking: the session cookie issued after a successful login still travels in the clear.
The procedure is nevertheless safer than plain-text authentication: no plain-text password crosses the wire, and the server stores no plain-text password. The data stored on the server (encrypted_part and init_pbkdf2_salt) cannot be used on their own to log in, because second_pbkdf2_part, which is needed to recover first_pbkdf2_part, is derived from the password only at login time and is never stored.
If you have HTTPS, you can combine it with JS-SHA1-Login, much as digest auth can be combined with HTTPS.
More information: Warum JS-SHA-Login Sinn macht… ("Why JS-SHA login makes sense", German only, sorry)
why?
Many, if not all, CMS/wiki/forum systems use an insecure login: user name and password are sent in plain text over the Internet. The only reliable solution is HTTPS.
The problem: no provider offers a secured HTTP connection for little money :( So we thought about how we could still accomplish a more secure authentication without it.
alternative solutions
Digest access authentication (a Django implementation exists: django-digest):
pro
Browsers implement it, so no additional JavaScript is needed
cons
The password hash must be stored on the server without any per-user salt. The stored hash can itself be used to log in (pass-the-hash), because the browser computes hash = MD5(username:realm:password) and the server must keep exactly that value to verify the response.
It uses the old MD5 hash function
Used JavaScript Implementations
SHA1 - JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1
Implemented by Paul Johnston
Distributed under the BSD License
Stored under: secure_js_login/static/secure_js_login/sha.js
PBKDF2 - JavaScript implementation of Password-Based Key Derivation Function 2 as defined in RFC 2898
Implemented by Parvez Anandam
Distributed under the BSD license
Stored under: secure_js_login/static/secure_js_login/pbkdf2.js
Links
SHA1 JavaScript implementation by Paul Johnston (BSD License)
Python-Forum threads (German):
Digest auth als Alternative? ("Digest auth as an alternative?", 03.2010)
Wie Session-Hijacking verhindern? ("How to prevent session hijacking?", 12.2006)
html-LogIn: Passwort mit SHA1 ("HTML login: password with SHA1", 06.2005)
Discussion on de.comp.lang.python (08.2006)
Project details
Release history
Download files
File details
Details for the file django-secure-js-login-0.1.0.tar.gz
File metadata
- Download URL: django-secure-js-login-0.1.0.tar.gz
- Upload date:
- Size: 211.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | 426cc49d29b9f070c59b99cd587bc3ec15325972efc98eb8b1ac625cf37bd3db
MD5 | 030fb7152ab70a33e3690fac423fad22
BLAKE2b-256 | 51d9f9d73ce87e88d6aca5bfdc5a12ab20ddddb91439a97849f9dbc9db2de5e8
File details
Details for the file django_secure_js_login-0.1.0-py2.py3-none-any.whl
File metadata
- Download URL: django_secure_js_login-0.1.0-py2.py3-none-any.whl
- Upload date:
- Size: 67.8 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | 99ddcb8644aeb95485e90637a2e8e416cd858bd63bbb8596ddd83c705f3c8e7d
MD5 | cb727b8af834fed65c8c3f0a1d2c7789
BLAKE2b-256 | cfce85a4a33f6d404f74dabae76fce04e334bdc61b3c953d823db47607520be2