Skip to main content

JavaScript Challenge-handshake authentication django app

Project description

JavaScript Challenge-handshake authentication django app.

First: The JS-SHA1-Login is not a simple “send username + SHA(password)” It is more a Challenge-handshake authentication protocol!

TODO:

  • code cleanup

  • cleanup templates

  • fix “next_url” and all links in example project

  • add unittests for using old challange value again

  • add unittests for using old cnonce value again

The procedure:

Save a new user password:

client browser / JavaScript part:

#. user input a password
  1. init_pbkdf2_salt = SHA1(random data)

  2. pbkdf2_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)

  3. Client send init_pbkdf2_salt and pbkdf2_hash to the server

Server part:

  1. Server split pbkdf2_hash into: first_pbkdf2_part and second_pbkdf2_part

  2. encrypted_part = xor_encrypt(first_pbkdf2_part, key=second_pbkdf2_part)

  3. Save only encrypted_part and given init_pbkdf2_salt from client

Login - client browser / JavaScript part:

  1. Use request login

  2. server send html login form with a random server_challenge value

  3. User enters his username and password

  4. Ajax Request the init_pbkdf2_salt from server with the given username

  5. generate the auth data:

    1. pbkdf2_temp_hash = pbkdf2("Plain Password", init_pbkdf2_salt)

    2. split pbkdf2_temp_hash into first_pbkdf2_part and second_pbkdf2_part

    3. cnonce = SHA1(random data)

    4. pbkdf2_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)

  6. send pbkdf2_hash, second_pbkdf2_part and cnonce to the server

validation on the server

  1. client POST data: pbkdf2_hash, second_pbkdf2_part and cnonce

  2. get transmitted server_challenge value from session

  3. get encrypted_part and salt from database via given username

  4. first_pbkdf2_part = xor_decrypt(encrypted_part, key=second_pbkdf2_part)

  5. test_hash = pbkdf2(first_pbkdf2_part, key=cnonce + server_challenge)

  6. compare test_hash with transmitted pbkdf2_hash

secure?

JS-SHA1 Login is not really secure in comparison to https! e.g. the client can’t validate if he really communicate with the server or with a Man-in-the-middle. JS-SHA1-Login does not protect you against an Session Hijacking

However the used procedure is safer than plain-text authentication. In addition, on the server no plain-text passwords are stored. With the data that are stored on the server, can not be used alone.

If you have https, you can combine it with JS-SHA1 login, similar to combine a digest auth with https.

More information: Warum JS-SHA-Login Sinn macht… (german only, sorry)

why?

Many, if not even all CMS/wiki/forum, used unsecure Login. User name and password send in plaintext over the Internet. A reliable solution offers only https.

The Problem: No Provider offers secured HTTP connection for little money :( We have been thinking, how can we still accomplish a secure authentication.

alternative solutions

  • Digest access authentication (implementation in django exist: django-digest):

    • pro

      • Browser implemented it, so no additional JavaScript needed

    • cons

      • Password hash must be saved on the server, without any salt! The hash can be used for login, because: hash = MD5(username:realm:password)

      • used old MD5 hash

Used JavaScript Implementations

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-secure-js-login-0.1.0.tar.gz (211.2 kB view details)

Uploaded Source

Built Distribution

django_secure_js_login-0.1.0-py2.py3-none-any.whl (67.8 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file django-secure-js-login-0.1.0.tar.gz.

File metadata

File hashes

Hashes for django-secure-js-login-0.1.0.tar.gz
Algorithm Hash digest
SHA256 426cc49d29b9f070c59b99cd587bc3ec15325972efc98eb8b1ac625cf37bd3db
MD5 030fb7152ab70a33e3690fac423fad22
BLAKE2b-256 51d9f9d73ce87e88d6aca5bfdc5a12ab20ddddb91439a97849f9dbc9db2de5e8

See more details on using hashes here.

File details

Details for the file django_secure_js_login-0.1.0-py2.py3-none-any.whl.

File metadata

File hashes

Hashes for django_secure_js_login-0.1.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 99ddcb8644aeb95485e90637a2e8e416cd858bd63bbb8596ddd83c705f3c8e7d
MD5 cb727b8af834fed65c8c3f0a1d2c7789
BLAKE2b-256 cfce85a4a33f6d404f74dabae76fce04e334bdc61b3c953d823db47607520be2

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page