views:

338

answers:

8

Here's the situation - its a bit different from the other database/password questions on StackOverflow.com

I've got two sets of users. One are the "primary" users. The others are the "secondary" users. Every one has a login/password to my site (say mysite.com - that isn't important).

Background: Primary users have access to a third site (say www.something.com/PrimaryUser1). Every secondary user "belongs" to a primary user and wants access to a subpart of that other site (say www.something.com/PrimaryUser1/SecondaryUser1).

At mysite.com, the primary users have to provide their credentials to me which they use to access www.something.com/PrimaryUser1, and they specify which "subparts" the secondary users of their choice get get access to.

Mysite.com helps manage the sub-access of the secondary users to the primary user's site. The secondary users can't "see" their primary user's password, but through my site, they can access the "subparts" of the other site - but ONLY to their restricted subpart.

In a crude way, I'm implementing OAuth (or something like that).

The question here is - how should I be storing the primary user's credentials to the other site? The key point here is that mysite.com uses these credentials to provide access to the secondary users, so it MUST be able to read it. However, I want to store it in such a way, that the primary users are reassured that I (as the site owner) cannot read their credentials.

I suppose this is more of a theoretical approach question. Is there anything in the world of cryptography that can help me with this?


Text added:

Since most ppl are completely missing the question, here's attempt #2 at explaining it.

PrimaryUser1 has a username/password to www.something.com/PrimaryUser1Site

He wishes to give sub-access to two people- SecondaryUser1 and SecondaryUser2 to the folders- www.something.com/PrimaryUser1Site/SecondaryUser1 and www.something.com/PrimaryUser1Site/SecondaryUser2

Mysite.com takes care of this sub-user management, so PrimaryUser1 goes there and provides his credentials to Mysite.com. MySite.com internally uses the credentials provided by PrimaryUser1 to give subusers limited access. Now, SecondaryUser1 and SecondaryUser2 can access their respective folders on www.something.com/PrimaryUser1Site through the MySite.com

NOW, the question arises, how should I store the credentials that PrimaryUser1 has provided?

A: 

Have you thought about accepting OpenID like Stack Overflow does? That way you are not responsible for storing passwords at all.

Colin Mackay
I do need the primaryuser to provide the password for the third party site.
Steve
A: 

there has got be a better way to explain this :(

but if you just want to know how to store the passwords safely do this:

username:john, password:pass

key = '!!@ijs09789*&';

md5(username.password.key);

when they login just check to see if md5(username.password.key) = is equal to the one in the db - you can also use sha1 and or any other encryption method.

http://us.php.net/md5 & http://us.php.net/sha1

John
MD5 is broken - Don't use it. Also you should be salting the hash so that if two people have the same password you can't tell by looking at the hash values.
Colin Mackay
Use uppercase username, though, else the username becomes case-sensitive.
Workshop Alex
Hi. This answer does not address the problem that I have. As I understand it, I HAVE to store the PrimaryUser's password in a format readable by ME, so that I can grant the SecondaryUser access when he logs in.
Steve
Then what your trying to do, overall, is impossible.
John
A: 

There is only one way to do this, and it is probably too burdomesome for the users.

You could encrypt the users password with a public/private key, the user keeps their key so the password can be unencrypted only when the key is submitted back to your server. The only way to make this simple would to be to have some web browser plugins that auto submit the information.

And either way, you could always packet sniff the communication to/from the server so its still mostly pointless.

Jacob
A: 

If you want to store the password yourself the best apporach is to use a one-way hashing algorithm such as MD5 or SHA-1. The advantage of this approach is that you cannot derive the password from the hashed value.

Precisely which algorithm you choose depends the precise products you are using. Some front-end tools offer these functions, as do some database products. Otherwise you'll need a third-party library.

Edit

Secondary users ought to have their own passowrds. Why wouldn't they?

APC
A: 

Never store passwords in a database but store a salted and hashed version of every password.

Check this article if this is chinese for you.

Pascal Thivent
+4  A: 

First rule: Never, ever store passwords! Second rule: Calculate a hash over password, with additional salt, and store this in your database. Third rule: A username (uppercased) could be used as salt, but preferably add a little more as salt! (Some additional text, preferably something long.) Fourth rule: It doesn't matter how secure a hashing algorithm is, they will all be hacked sooner or later. All it takes is time! Fifth rule: The security of your site depends on the value of what's behind it. The more value the content has, the more likely that you'll be attacked! Sixth rule: You will discover, sooner or later, that your site is hacked but not through a hacked password, but through a loophole somewhere else in your code. The biggest risk is expecting your site is secure now you've implemented some strong security. Seventh rule: All security can be broken, all sites can get hacked, all your secrets can be discovered, if only people are willing to invest enough time to do so.

Security is an illusion but as long as no one breaks it, you can continue to dream on! Always be prepared for rough awakenings that will require you to rebuild your illusion again. (In other words, make regular backups! (Preferably daily.) Don't overwrite the backups of the last week and make sure you keep at least one backup of every week, just in case you discover your site was hacked months ago and all your backups ever since are infected!

Now, if you really need to store passwords, use a hash over username plus password. Then hash again with hash plus salt! Better yet, create a list of salts (just list of words) and whenever a new user account is created, pick a random salt word to use to hash his username plus password. Store the index of the salt with the user account so you know which one to use whenever he logs on again.

And: Eight rule: Always use HTTPS! It's not as secure as most people thing but it does give a feeling of security to your users!


Since you've added text, I'll add more answer.

Since you want user1 to grant temporary access to user 2, you'll need a secondary user table. (Or expand the user table with a parent user ID. Also add a timestamp to keep track of the account age. User 1 can create the credentials and this is done in the normal way. Just store a hash with combined username and salt. In this case, use the username of user 1 as additional salt! Just make sure you'll disable the user 2 account when user 1 logs off or when a certain amount of time has gone by. And allow user 1 to enable all accounts again that he created, so they can re-use an account instead of having to create new ones all the time.

Security isn't a matter that depend on primary or secondary users. In general, treat them the same way! Secondary users have an added bonus that you can use the primary account as additional salt. The rest of it has nothing to do with authentication any more. It's authorization that you're dealing with. And while authentication and authorization have a strong relationship, be aware that you should treat them as two different, stand-alone techniques.

When user 1 logs on, he's granted access to the primary site. When he grants access to user 2, user 2 gets a reduced set of roles. But this has nothing to do with storing user names or passwords. You just have an user-ID which happens to be member of certain roles, or groups. Or not, but those would be inaccessible.

They're both just users, one with more rights than the other.

Workshop Alex
+1  A: 

It depends on the kind of authentication your primary site and the secondary site agree on. Is it forms authentication, HTTP Basic or HTTP Digest? If is forms or basic then you have no choice, you must store the password, so your only choice is to encrypt it. You cannot store a password hash as you must present the clear text during authentication for both forms and HTTP Basic. The problems that arise from storing the encrypted password are due to either incorrect use of cryptography (ie. you don't use an IV or salt or you don't use correctly a stream cipher), but more importantly you'll have key management problems (where to store the key used to encrypt the passwords and how to access it from a non-interactive service/demon).

If the 3rd party site accepts HTTP Digest then you're in better luck, you can store the HA1 hash part of the Digest hash (ie. MD5 of username:realm:password) because you can construct the Digest response starting straight from HA1.

I did not address how the user provision the secondary credentials (ie. how you get the secondary site username and password n the first place), I assume you have secured a protected channel (ie. HTTPS from client to your primary site).

BTW this assumes that the authentication occurs between your primary and secondary site and the secondary site content is tunneled through an HTTP request made to the primary site. If that's not the case and the secondary site is actually accessed straight from the browser, then the secondary site must support some sort of pre-authenticated token based authorization of third parties like OAuth. Relying on credential authentication and storing the credentials on the primary site when the credentials are actually needed by the browser has so many problems is not even worth talking about.

Remus Rusanu
A: 

You're making it too complex. You need to stop trying to mix authentication and authorization.

What you want to do is establish credentials for everyone, not worrying at this point if they are "primary" or "secondary" users. Then on the main site, where you manage the users and the primary/secondary relationships, you can do the logic of which users are primary or secondary and store all that stuff in a table. You grant or deny whatever rights and sub-rights you wish to each secondary user whenever the primary users update their relationships with them. When they're done, you finally need to replicate the appropriate user credentials from the main site out to the secondary site(s).

Then when a secondary user wants to head to any site in your farm, they authenticate themselves only as themselves - they never impersonate the primary user! And they have only the rights you granted them when the primary users gave them "secondary" status.

--

OK, since you shot that solution down in the comment, consider this:

First, I doubt anything will be truly secure. You can always recover the secret if you monitor the users' activity.

Now, this is completely off the cuff, and I haven't cryptanalyzed it, but check into what is called a secret sharing scheme. Store the "effective" or "real" main-site primary user password as the shared secret. Use the salted hash of the password given by the primary user as one secret. Use the salted hash of the password given by the first secondary user as another secret, and so on for each additional secondary user. Don't store the salted hashes! Just store the salt and the protected shared secret.

When a user enters their password, you retrieve the protected shared secret, use the salt and hash of their password to produce the salted hash, decrypt the protected shared secret, and now you've got the original primary user password.

John Deters
Hi jadeters - you missed the main point... The secondary users HAVE TO "impersonate" the primary users in order to gain access to that resource. There is NO other way. What I am trying to find out, is that is there any framework in cryptography that can help me store the primary users' passwords in a manner that is NOT readable by me. Remember: I HAVE to provide it to the other site when the secondary user wants access to it... Can something be devised so that the stored password can only be "accessed" by me when the secondary user logs in and never by me directly? ... seems impossible, no? :D
Steve