tags:

views:

181

answers:

3
+2  Q: 

Modern client/server authentication techniques

I'm building a non-browser client-server (XULRunner-CherryPy) application using HTTP for communication. The area I'm pondering now is user authentication. Since I don't have substantial knowledge in security I would much prefer using tried-and-tested approaches and ready-made libraries over trying to invent and/or build something myself.

I've been reading a lot of articles lately and I can say all I have been left with is a lot of frustration, most of which contributed by this and this blog posts.

What I think I need is:

  • Secure storage of passwords in the database (adaptive hashing?)
  • Secure wire transmission of user credentials (digest authentication? SSL?)
  • Secure token authentication for subsequent requests (not sure about this)

So the question is: what are the modern (headache-free preferrably) techniques and/or libraries that implement this? (No sensitive information, like credit card numbers, will be stored).

I've been looking at OAuth and they have a new revision which they strongly recommend to use. The problem is the docs are still in development and there are no libraries implementing the new revision (?).

+1  A: 

This may not be a complete answer, but I would like to offer some reassuring news about rainbow tables and the web. I wouldn't worry too much about Rainbow Tables with regards to the web for the following reasons:

(1) Rainbow table cracks work by examining the hashed password. On the web, the hashed password is stored on your database so to even consider using rainbow tables one would first need to hack your entire database.

(2) If you use a salt as most password storage systems do, then rainbow tables rapidly become unfeasible. Basically a salt adds a series of extra bits to the end of a given password. In order to use a rainbow table, it would need to accommodate the extra bits in each plaintext password. For example the first link you showed us had a rainbow table implementation that could crack up to 14 characters in a password. Therefore if you had more than 14 bytes of a salt that system would be useless.

Clueless  2010-01-03 09:14:55
Thanks for you suggestions. Looks like multi-iteration hashing with sufficiently long salts will be secure enough (even when salt values are stored with hashed passwords).
vit  2010-01-04 11:39:18
That sounds fine as a storage system for all but the most stringent requirements. Remember to be careful with how passwords are sent across the wire, to expire people's session identifiers whenever they log in, and all of the other equally important security considerations that plague web authentication.
Clueless  2010-01-04 14:03:16
+1  A: 

Amazon Web Services, OpenID, and OAuth have examples of request signing. Amazon Web Services is an easy example to follow because there isn't a more complex protocol around the interactions. They basically involve having the client or server sign a request by hashing all of its fields with a previously set up key (or keypair), and having the other end verify the signature by doing the same. Replaying the hash is prevented by including a nonce or timestamp in the fields.

Setting up keys or other credentials to allow this can be done over SSL, and it should be noted that one of the motivation of OAuth WRAP is to replace some or all of this request signing with SSL, for ease of implementation.

Karl Anderson  2010-01-06 23:11:34
Thanks, I am looking at AWS docs now.
vit  2010-01-07 23:57:09
A: 

After a lot of poking around and trying to write my own prototype based on Amazon S3 design which (I thought) was pretty secure, I found this excellent website which has answers to all my questions, an Enterprise Security API Toolkit, and much, much more: OWASP.

vit  2010-03-01 16:58:34

related questions

Programmatically talking to a Serial Port in OS X or Linux
Best ways to teach a beginner to program?
Calling a Function From a String With the Function's Name in Python
An executable Python app
Text Editor For Linux (Besides Vi)?
What Hosting Service is best for Django applications?
File size differences after copying a file to a server vía FTP
Python: what is the difference between (1,2,3) and [1,2,3], and when should I use each?
Python: What OS am I running on?
How do I make a menu in python that does not require the user to press (enter) to make a selection?
How do you express binary literals in Python?
What is the most efficient graph data structure in Python?
Adding a Method to an Existing Object
How to learn Python: Good Example Code?
How do I use Python's itertools.groupby()?
Python and MySQL
Class views in Django
Is there an IDE that provides code completion for Python
Using 'in' to match an attribute of Python objects in an array
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Continuous Integration System for a Python Codebase
Get a preview jpeg of a pdf on windows?
How can I find the full path to a font from its display name on a Mac?
XML Processing in Python