JavaScript Challenge-handshake authentication django app
First: Secure-JS-Login is not a simple “send username + PBKDF2-SHA(password)” scheme; it is a challenge-handshake authentication protocol!
TODO:
fix “next_url” and all links in example project
The procedure:
Save a new user password:
Client browser / JavaScript part:
1. The user enters a password
2. init_pbkdf2_salt = SHA1(random data)
3. pbkdf2_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)
4. The client sends init_pbkdf2_salt and pbkdf2_hash to the server
Server part:
1. The server splits pbkdf2_hash into first_pbkdf2_part and second_pbkdf2_part
2. encrypted_part = xor_encrypt(first_pbkdf2_part, key=second_pbkdf2_part)
3. Only encrypted_part and the client-supplied init_pbkdf2_salt are saved
Login - client browser / JavaScript part:
1. The user requests the login page
2. The server sends the HTML login form with a random server_challenge value
3. The user enters username and password
4. An Ajax request fetches init_pbkdf2_salt from the server for the given username
5. Generate the auth data:
   pbkdf2_temp_hash = pbkdf2("Plain Password", init_pbkdf2_salt)
   split pbkdf2_temp_hash into first_pbkdf2_part and second_pbkdf2_part
   cnonce = SHA1(random data)
   pbkdf2_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)
6. Send pbkdf2_hash, second_pbkdf2_part and cnonce to the server
Validation on the server:
1. Client POST data: pbkdf2_hash, second_pbkdf2_part and cnonce
2. Get the previously sent server_challenge value from the session
3. Get encrypted_part and salt from the database for the given username
4. first_pbkdf2_part = xor_decrypt(encrypted_part, key=second_pbkdf2_part)
5. test_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)
6. Compare test_hash with the transmitted pbkdf2_hash
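The registration and login steps above carried through end to end, as an added Python example that is not the project's own code (its client side is JavaScript, its server side Django). The iteration count, the derived-key length and the use of PBKDF2-HMAC-SHA1 are assumptions, since the page does not state them; the server challenge and user data are constructed inline.

```python
import hashlib
import hmac
import os

# Assumptions (not stated on the page): PBKDF2-HMAC-SHA1, 1000 iterations,
# a 32-byte derived key so that it splits into two 16-byte halves.
ITERATIONS = 1000
DKLEN = 32

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def pbkdf2(password: str, salt: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), ITERATIONS, DKLEN)

def xor(data: bytes, key: bytes) -> bytes:
    # xor_encrypt and xor_decrypt are the same operation; the key must be as long as the data
    assert len(data) == len(key)
    return bytes(a ^ b for a, b in zip(data, key))

def split(h: bytes):
    return h[: len(h) // 2], h[len(h) // 2 :]

def client_register(password: str):
    """Browser side when a new password is saved: only the salt and the PBKDF2 hash leave the client."""
    init_pbkdf2_salt = sha1_hex(os.urandom(20))
    return init_pbkdf2_salt, pbkdf2(password, init_pbkdf2_salt)

def server_store(init_pbkdf2_salt: str, pbkdf2_hash: bytes) -> dict:
    """Server side: keep only the salt and the first half XORed with the second half."""
    first, second = split(pbkdf2_hash)
    return {"salt": init_pbkdf2_salt, "encrypted_part": xor(first, key=second)}

def client_login(password: str, init_pbkdf2_salt: str, server_challenge: str):
    """Browser side: recompute both halves, then bind the first half to cnonce + server_challenge."""
    first, second = split(pbkdf2(password, init_pbkdf2_salt))
    cnonce = sha1_hex(os.urandom(20))
    proof = pbkdf2(first.hex(), cnonce + server_challenge)
    return proof, second, cnonce

def server_verify(record: dict, server_challenge: str, proof: bytes, second: bytes, cnonce: str) -> bool:
    """Server side: recover the first half with the transmitted second half and recompute the proof."""
    first = xor(record["encrypted_part"], key=second)
    test_hash = pbkdf2(first.hex(), cnonce + server_challenge)
    return hmac.compare_digest(test_hash, proof)
```

Note that the stored record alone never yields first_pbkdf2_part, and a captured login POST is bound to one server_challenge, so it does not verify against a later challenge.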
secure?
Secure-JS-Login is not really secure in comparison to https! For example, the client cannot verify whether it is really communicating with the server or with a man-in-the-middle attacker.
However, the procedure used is safer than plain-text authentication. In addition, no plain-text passwords are stored on the server, and the data stored on the server cannot be used on its own.
If you have https, you can combine it with Secure-JS-Login, similar to combining digest auth with https.
More information: Warum Secure-JS-Login Sinn macht… (German only, sorry)
why?
Many, if not all, CMS/wiki/forum systems use an insecure login: user name and password are sent in plaintext over the Internet. Only https offers a reliable solution.
The problem: no provider offers a secured HTTP connection for little money :(
alternative solutions
Digest access authentication (a Django implementation exists: django-digest):
pro
The browser implements it, so no additional JavaScript is needed
cons
The password hash must be saved on the server without any salt, and the hash itself can be used for login, because: hash = MD5(username:realm:password)
Uses the old MD5 hash
tryout
e.g.:
~ $ virtualenv secure-js-login-env
~ $ cd secure-js-login-env
~/secure-js-login-env $ source bin/activate

# install secure-js-login as "editable" to have access to example project server and unittests:
(secure-js-login-env)~/secure-js-login-env $ pip install -e git+git://github.com/jedie/django-secure-js-login.git#egg=django-secure-js-login

run example project server:
(secure-js-login-env)~/secure-js-login-env $ cd src/django-secure-js-login/
(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./run_example_server.sh
run unittests:
(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py
to run the Live-Server-Tests, install selenium e.g.:
(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ pip install selenium
(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py
Version compatibility
secure-js-login | Django | Python
---|---|---
>=v0.1.0 | v1.7, v1.8 | v2.7, v3.4
(These are the variants covered by the unittests. Other versions may be compatible, too.)
changelog
v0.2.0 - 10.05.2015:
increase default PBKDF2 iterations after a test on a Raspberry Pi 1
more unittests
Honeypot login raises “normal” form errors
code cleanup
Docu update
v0.1.0 - 06.05.2015:
initial release as reusable app
Use PBKDF2
03.05.2015:
Split from PyLucid CMS ‘auth’ plugin
03.2010:
11.07.2007:
01.06.2005:
info links
Python-Forum Threads (de):
Digest auth als Alternative? (03.2010)
Wie Session-Hijacking verhindern? (12.2006)
Diskussion auf de.comp.lang.python (08.2006)
project links
Github
Python Packages
Travis CI
Used JavaScript Implementations
SHA1 - JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1
Implemented by Paul Johnston
Distributed under the BSD License
Stored under: secure_js_login/static/secure_js_login/sha.js
PBKDF2 - JavaScript implementation of Password-Based Key Derivation Function 2 as defined in RFC 2898
Implemented by Parvez Anandam
Distributed under the BSD license
Stored under: secure_js_login/static/secure_js_login/pbkdf2.js
contact
Join the conversation, besides the GitHub communication features:
IRC: #pylucid on freenode.net (Yes, the PyLucid channel…), also reachable via webchat
Hashes for django-secure-js-login-0.2.0.tar.gz
Algorithm | Hash digest
---|---
SHA256 | 689cf5343b824f63c1e78b61283c578cbcedce6e0b7e3e4477146ff719878634
MD5 | 00d441c179d68f41616c1491ce812adc
BLAKE2b-256 | d6c61289f2cd02645c70155152b86126d36cff05b1311e54579d9c97354e623d
Hashes for django_secure_js_login-0.2.0-py2.py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 09c44c80bc01edbd73346b7bee8b9780a20a0c9f80fa708f46903c785394f9cc
MD5 | 04d0d7cbb0c115ea10ca6168eab97e9d
BLAKE2b-256 | 7134e0ec3ec53c83a148cb71cf48da19dd711841b53e09d9139a99ee33542261