JavaScript Challenge-handshake authentication django app
Project description
JavaScript Challenge-handshake authentication django app.
First: the JS-SHA1-Login is not a simple “send username + SHA(password)” scheme; it is a challenge-handshake authentication protocol.
TODO:
code cleanup
cleanup templates
fix “next_url” and all links in example project
add unit tests for reusing an old challenge value
add unit tests for reusing an old cnonce value
The procedure:

Save a new user password:

Client browser / JavaScript part:
1. user enters a password
2. init_pbkdf2_salt = SHA1(random data)
3. pbkdf2_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)
4. client sends init_pbkdf2_salt and pbkdf2_hash to the server

Server part:
1. server splits pbkdf2_hash into first_pbkdf2_part and second_pbkdf2_part
2. encrypted_part = xor_encrypt(first_pbkdf2_part, key=second_pbkdf2_part)
3. save only encrypted_part and the init_pbkdf2_salt given by the client

Login - client browser / JavaScript part:
1. user requests login
2. server sends the html login form with a random server_challenge value
3. user enters username and password
4. Ajax request fetches the init_pbkdf2_salt for the given username from the server
5. generate the auth data:
   pbkdf2_temp_hash = pbkdf2("Plain Password", init_pbkdf2_salt)
   split pbkdf2_temp_hash into first_pbkdf2_part and second_pbkdf2_part
   cnonce = SHA1(random data)
   pbkdf2_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)
6. send pbkdf2_hash, second_pbkdf2_part and cnonce to the server

Validation on the server:
1. client POST data: pbkdf2_hash, second_pbkdf2_part and cnonce
2. get the transmitted server_challenge value from the session
3. get encrypted_part and salt from the database via the given username
4. first_pbkdf2_part = xor_decrypt(encrypted_part, key=second_pbkdf2_part)
5. test_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)
6. compare test_hash with the transmitted pbkdf2_hash
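The following is an added example that simulates both sides of the handshake above in Python so the data flow can be checked end to end. It is not the project's code (the real client side runs in the browser with sha.js and pbkdf2.js), and the concrete parameters are assumptions: PBKDF2-HMAC-SHA1 with 1000 iterations and a 32-byte output, hex-encoded strings throughout, and a byte-wise XOR for xor_encrypt/xor_decrypt. The last function also shows why the TODO about reusing old cnonce values matters: a captured login POST replayed against a fresh server_challenge must fail.

```python
import hashlib
import hmac
import os

# Assumed PBKDF2 parameters (not taken from the page).
PBKDF2_ITERATIONS = 1000
PBKDF2_LENGTH = 32  # bytes -> 64 hex characters


def sha1_random(nbytes=32):
    """SHA1(random data), used for init_pbkdf2_salt, server_challenge and cnonce."""
    return hashlib.sha1(os.urandom(nbytes)).hexdigest()


def pbkdf2(password, salt):
    """PBKDF2-HMAC-SHA1 over text inputs, hex encoded (assumed parameters)."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                             PBKDF2_ITERATIONS, PBKDF2_LENGTH)
    return dk.hex()


def split_hash(h):
    """Split a hex digest into first_pbkdf2_part and second_pbkdf2_part."""
    half = len(h) // 2
    return h[:half], h[half:]


def xor_crypt(data_hex, key_hex):
    """Byte-wise XOR of two equal-length hex strings; encrypt and decrypt are the same op."""
    data, key = bytes.fromhex(data_hex), bytes.fromhex(key_hex)
    if len(data) != len(key):
        raise ValueError("xor key must match data length")
    return bytes(a ^ b for a, b in zip(data, key)).hex()


# --- Save a new user password ---------------------------------------------

def client_register(password):
    """Client: derive salt + hash; both go to the server."""
    init_pbkdf2_salt = sha1_random()
    pbkdf2_hash = pbkdf2(password, init_pbkdf2_salt)
    return init_pbkdf2_salt, pbkdf2_hash


def server_store(init_pbkdf2_salt, pbkdf2_hash):
    """Server: keep only encrypted_part and the salt, never the full hash."""
    first, second = split_hash(pbkdf2_hash)
    encrypted_part = xor_crypt(first, key_hex=second)
    return {"salt": init_pbkdf2_salt, "encrypted_part": encrypted_part}


# --- Login -----------------------------------------------------------------

def client_login(password, init_pbkdf2_salt, server_challenge):
    """Client: build the POST data for one login attempt."""
    first, second = split_hash(pbkdf2(password, init_pbkdf2_salt))
    cnonce = sha1_random()
    pbkdf2_hash = pbkdf2(first, cnonce + server_challenge)
    return {"pbkdf2_hash": pbkdf2_hash, "second_pbkdf2_part": second, "cnonce": cnonce}


def server_verify(record, server_challenge, post):
    """Server: recover first_pbkdf2_part from the stored record and recompute."""
    first = xor_crypt(record["encrypted_part"], key_hex=post["second_pbkdf2_part"])
    test_hash = pbkdf2(first, post["cnonce"] + server_challenge)
    return hmac.compare_digest(test_hash, post["pbkdf2_hash"])


def simulate(registered_password, attempted_password):
    """Full round trip: register, then one login attempt. Returns True on success."""
    salt, h = client_register(registered_password)
    record = server_store(salt, h)
    server_challenge = sha1_random()           # sent with the login form
    post = client_login(attempted_password, salt, server_challenge)
    return server_verify(record, server_challenge, post)


def replay_is_rejected(password="constructed-example-password"):
    """A captured POST is valid once; replayed against a new challenge it must fail."""
    salt, h = client_register(password)
    record = server_store(salt, h)
    challenge_1 = sha1_random()
    post = client_login(password, salt, challenge_1)
    accepted_once = server_verify(record, challenge_1, post)
    challenge_2 = sha1_random()                 # next login form, fresh challenge
    replayed = server_verify(record, challenge_2, post)
    return accepted_once and not replayed


if __name__ == "__main__":
    print("login ok:", simulate("hunter2", "hunter2"))
    print("wrong password rejected:", not simulate("hunter2", "hunter3"))
    print("replay rejected:", replay_is_rejected())
```

Note that the replay check only holds while the server issues a fresh server_challenge per login form and invalidates it after one use; the page's TODO list records that tests for reusing old challenge and cnonce values are still missing.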
secure?
JS-SHA1-Login is not really secure in comparison to https! For example, the client cannot verify whether it is really communicating with the server or with a man-in-the-middle. JS-SHA1-Login does not protect you against session hijacking.
However, the procedure used is safer than plain-text authentication. In addition, no plain-text passwords are stored on the server, and the data stored on the server cannot be used on their own.
If you have https, you can combine it with JS-SHA1-Login, similar to combining digest auth with https.
More information: Warum JS-SHA-Login Sinn macht… (german only, sorry)
why?
Many, if not all, CMS/wiki/forum systems use an insecure login: user name and password are sent in plaintext over the Internet. The only reliable solution is https.
The problem: no provider offers a secured HTTP connection for little money :( We have been thinking about how we can still accomplish a secure authentication.
alternative solutions
Digest access authentication (implementation in django exist: django-digest):
pro
Browser implemented it, so no additional JavaScript needed
cons
The password hash must be saved on the server without any salt! The hash itself can be used for login, because: hash = MD5(username:realm:password)
uses the old MD5 hash
Used JavaScript Implementations
SHA1 - JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1
Implemented by Paul Johnston
Distributed under the BSD License
Stored under: secure_js_login/static/secure_js_login/sha.js
PBKDF2 - JavaScript implementation of Password-Based Key Derivation Function 2 as defined in RFC 2898
Implemented by Parvez Anandam
Distributed under the BSD license
Stored under: secure_js_login/static/secure_js_login/pbkdf2.js
Links
SHA1 JavaScript implementation by Paul Johnston (BSD License)
Python-Forum Threads (de):
Digest auth als Alternative? (03.2010)
Wie Session-Hijacking verhindern? (12.2006)
html-LogIn: Passwort mit SHA1 (06.2005)
Diskussion auf de.comp.lang.python (08.2006)
Hashes for django-secure-js-login-0.1.0.tar.gz

Algorithm | Hash digest
---|---
SHA256 | 426cc49d29b9f070c59b99cd587bc3ec15325972efc98eb8b1ac625cf37bd3db
MD5 | 030fb7152ab70a33e3690fac423fad22
BLAKE2b-256 | 51d9f9d73ce87e88d6aca5bfdc5a12ab20ddddb91439a97849f9dbc9db2de5e8
Hashes for django_secure_js_login-0.1.0-py2.py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 99ddcb8644aeb95485e90637a2e8e416cd858bd63bbb8596ddd83c705f3c8e7d
MD5 | cb727b8af834fed65c8c3f0a1d2c7789
BLAKE2b-256 | cfce85a4a33f6d404f74dabae76fce04e334bdc61b3c953d823db47607520be2