Re: Encryption Question



egg...@xxxxxxxxx wrote:

[...]
> Correct, right now, I'm saving the password as plain text on the
> server.

You shouldn't do that in a robust authentication model.

> When the user signs in, their password is sha1-hashed by
> javascript, then sent to the server, where the server password is then
> sha1-hashed and compared to what the client sent.

SHA-1 is safe, so the transmission should be protected by this measure
(which is probably why you did it). HTTPS wouldn't add much security
here, though it adds a (perceived!) feeling of safety for the user,
which you might also take into account as a valid argument. Your real
weak point is that the password resides in plaintext on the server.

> So what you're proposing is: when the user signs up, hash the password as
> usual, but save it in that state to the server.

Exactly - it adds one level of security. And your server program
doesn't need to be bothered with SHA-1 encryptions all the time, which
might become quite CPU-consuming depending on the circumstances.

> Then when the user signs in, hash their password, send it to the server
> and then compare? Wouldn't that be sending the same hash to the server
> each time? How's that better than just sending plain text? That is
> plain text in essence...

Normal authentication:

- let user type his password, encrypt it
- do something like: login.asp?EncPW=gH4tGhKLNx
- compare gH4tGhKLNx to stored string to find out if authentication
has succeeded

Changing password:

- let user type the current password and his new requested password,
encrypt both
- do something like: getnewpass.asp?
oldEncPW=gH4tGhKLNx&newEncPW=yHjke4c5Wu
- compare oldEncPW to stored string; if it matches, then delete old
string and store the new one

No server encryption or HTTPS is needed in this scenario; it would not
add any additional security. You could use your favourite (one-way!)
encryption technology from javascript only.

Alternatively, you could send plaintext too. Most authentication
models do this, and it's okay, but only as long as the transmission
takes place over HTTPS. In your case, HTTPS has no real effect because
the password is already SHA-1 encrypted.

Hope this helps,

--
Bart
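
The two flows discussed in this thread (egg...'s current plaintext-on-server setup, and the hash-storing variant Bart proposes with its login.asp / getnewpass.asp query strings), written out as an added Python example that is not code from either poster; the user store is an in-memory dict constructed for the demo, the endpoint names are just the ones quoted in the post, and hmac.compare_digest is my own choice for the comparison. The last function checks the point egg... raises: the EncPW string the client sends is identical on every sign-in, and in the hash-storing scheme it is also the string kept on the server.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

def client_hash(password):
    # Browser-side step from the thread: SHA-1 of the typed password, hex-encoded.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def build_login_request(password):
    # "login.asp?EncPW=..." as in the post (endpoint names are illustrative only).
    return "login.asp?" + urlencode({"EncPW": client_hash(password)})

def build_change_request(old_pw, new_pw):
    # "getnewpass.asp?oldEncPW=...&newEncPW=..." as in the post.
    return "getnewpass.asp?" + urlencode(
        {"oldEncPW": client_hash(old_pw), "newEncPW": client_hash(new_pw)})

def _params(request):
    return {k: v[0] for k, v in parse_qs(request.split("?", 1)[1]).items()}

class PlaintextServer:
    """egg...'s current setup: plaintext stored, SHA-1 hashed at login, compared."""
    def __init__(self):
        self.users = {}  # constructed in-memory store: user -> plaintext password
    def signup(self, user, password):
        self.users[user] = password
    def login(self, user, request):
        # hmac.compare_digest: constant-time comparison of the two hex strings
        return user in self.users and hmac.compare_digest(
            client_hash(self.users[user]), _params(request)["EncPW"])

class HashStoringServer:
    """Bart's proposal: store the client-side hash itself and compare it directly."""
    def __init__(self):
        self.users = {}  # user -> SHA-1 hex string, i.e. exactly what the client sends
    def signup(self, user, password):
        self.users[user] = client_hash(password)
    def login(self, user, request):
        return user in self.users and hmac.compare_digest(
            self.users[user], _params(request)["EncPW"])
    def change_password(self, user, request):
        p = _params(request)
        if user in self.users and hmac.compare_digest(self.users[user], p["oldEncPW"]):
            self.users[user] = p["newEncPW"]
            return True
        return False

def stored_equals_transmitted(server, user, password):
    # egg...'s point: EncPW is identical on every login and, here, also the stored value.
    return server.users.get(user) == _params(build_login_request(password))["EncPW"]
```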
