On Fri, Oct 24, 2008 at 6:45 AM, Andrius C.
[email protected] wrote:
What about asymmetric encryption algorithms? You could use javascript
to encrypt password using public key, and then this information could
only be decrypted only by using private key, which could be stored
safely in server and used in model for authentication or registration.
I think example of this is RSA.
I’m not a JS expert by any means, but I don’t think it is powerful
enough to work with the VERY large numbers necessary for RSA.
Frankly, using RSA (or any security algorithm) properly is very
difficult and it’s easy to use it in a way which negates it’s
effectiveness. There are a number of attacks against RSA if you use
it incorrectly.
Also, RSA is very CPU intensive- even compared to other
encryption/hash algorithms.
If security really is a concern, then you should absolutely use HTTPS
which has a lot of peer review and handles all sorts of security
challenges that are not solvable via JS. Man in the middle (MITM)
attacks are especially difficult to stop via JS since you have no
realistic way of authenticating the server you’re talking to.
Btw, using the monotonically increasing nonce like I suggested in the
last email is very open to MITM attacks because it’s easy for someone
to pretend to be the server and choose a nonce in the future, capture
your reply and keep connecting to the server until it sends the
matching nonce value and then use the response it cached from you.
Hence you may want to include a timestamp in the nonce, but of course
that’s open to timing attacks. Or you could go with a truly random
nonce, but that tends to be difficult to implement in real life
(again, you can not EVER repeat this value!).
Here’s a cool little tool a buddy of mine wrote show casing how easy
it is to do MITM attacks over wireless at a security conference:
http://airpwn.sourceforge.net/Airpwn.html
My point is that security is hard. Don’t try to do it yourself.
Stand on the shoulders of giants. Use SSL/TLS.
–
Aaron T.
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
Windows
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. – Benjamin Franklin