django-secure-js-login

JavaScript Challenge-handshake authentication django app

These details have not been verified by PyPI

Project links

Homepage

Project description

JavaScript Challenge-handshake authentication django app.

	travis-ci.org/jedie/django-secure-js-login
	coveralls.io/r/jedie/django-secure-js-login

First: The Secure-JS-Login is not a simple “send username + PBKDF2-SHA(password)” It is more a Challenge-handshake authentication protocol!

TODO:

fix “next_url” and all links in example project

The procedure:

Save a new user password:

client browser / JavaScript part:

#. user input a password

init_pbkdf2_salt = SHA1(random data)
pbkdf2_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)
Client send init_pbkdf2_salt and pbkdf2_hash to the server

Server part:

Server split pbkdf2_hash into: first_pbkdf2_part and second_pbkdf2_part
encrypted_part = xor_encrypt(first_pbkdf2_part, key=second_pbkdf2_part)
Save only encrypted_part and given init_pbkdf2_salt from client

Login - client browser / JavaScript part:

Use request login
server send html login form with a random server_challenge value
User enters his username and password
Ajax Request the init_pbkdf2_salt from server with the given username
generate the auth data:
1. pbkdf2_temp_hash = pbkdf2("Plain Password", init_pbkdf2_salt)
2. split pbkdf2_temp_hash into first_pbkdf2_part and second_pbkdf2_part
3. cnonce = SHA1(random data)
4. pbkdf2_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)
send pbkdf2_hash, second_pbkdf2_part and cnonce to the server

validation on the server

client POST data: pbkdf2_hash, second_pbkdf2_part and cnonce
get transmitted server_challenge value from session
get encrypted_part and salt from database via given username
first_pbkdf2_part = xor_decrypt(encrypted_part, key=second_pbkdf2_part)
test_hash = pbkdf2(first_pbkdf2_part, key=cnonce + server_challenge)
compare test_hash with transmitted pbkdf2_hash

secure?

Secure-JS-Login is not really secure in comparison to https! e.g. the client can’t validate if he really communicate with the server or with a Man-in-the-middle attack.

However the used procedure is safer than plain-text authentication. In addition, on the server no plain-text passwords are stored. With the data that are stored on the server, can not be used alone.

If you have https, you can combine it with Secure-JS-Login, similar to combine a digest auth with https.

More information: Warum Secure-JS-Login Sinn macht… (german only, sorry)

why?

Many, if not even all CMS/wiki/forum, used unsecure Login. User name and password send in plaintext over the Internet. A reliable solution offers only https.

The Problem: No Provider offers secured HTTP connection for little money :(

alternative solutions

Digest access authentication (implementation in django exist: django-digest):
- pro
  - Browser implemented it, so no additional JavaScript needed
- cons
  - Password hash must be saved on the server, without any salt! The hash can be used for login, because: hash = MD5(username:realm:password)
  - used old MD5 hash

tryout

e.g.:

~ $ virtualenv secure-js-login-env
~ $ cd secure-js-login-env
~/secure-js-login-env $ source bin/activate

# install secure-js-login as "editable" to have access to example project server and unittests:

(secure-js-login-env)~/secure-js-login-env $ pip install -e git+git://github.com/jedie/django-secure-js-login.git#egg=django-secure-js-login

run example project server:
{{{
(secure-js-login-env)~/secure-js-login-env $ cd src/django-secure-js-login/
(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./run_example_server.sh

run inittests:

(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py

to run the Live-Server-Tests, install selenium e.g.:

(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ pip install selenium
(secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py

Version compatibility

secure-js-login	Django	Python
>=v0.1.0	v1.7, v1.8	v2.7, v3.4

(These are the unittests variants. Maybe other versions are compatible, too.)

changelog

v0.2.0 - 10.05.2015:
- increase default PBKDF2 iteration after test on a Raspberry Pi 1
- more unitests
- Honypot login raise “normal” form errors
- code cleanup
- Docu update
v0.1.0 - 06.05.2015:
- initial release as reuseable app
- Use PBKDF2
03.05.2015:
- Split from PyLucid CMS ‘auth’ plugin
03.2010:
- Use ajax request via jQuery (de)
11.07.2007:
- New SHA challenge response procedure (de)
01.06.2005:
- first implementation of a MD5 login in PyLucid (de)

info links

Python-Forum Threads (de):
- Digest auth als Alternative? (03.2010)
- Sinn oder Unsinn des PyLucids Secure-JS-Login… (12.2006)
- Wie Session-Hijacking verhindern? (12.2006)
Diskussion auf de.comp.lang.python (08.2006)

project links

Github	http://github.com/jedie/django-secure-js-login
Python Packages	http://pypi.python.org/pypi/django-secure-js-login/
Travis CI	https://travis-ci.org/jedie/django-secure-js-login/

Used JavaScript Implementations

SHA1 - JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1
- http://pajhome.org.uk/crypt/md5/sha1.html
- Implemented by Paul Johnston
- Distributed under the BSD License
- Stored under: secure_js_login/static/secure_js_login/sha.js
PBKDF2 - JavaScript implementation of Password-Based Key Derivation Function 2 as defined in RFC 2898
- http://anandam.name/pbkdf2/
- Implemented by Parvez Anandam
- Distributed under the BSD license
- Stored under: secure_js_login/static/secure_js_login/pbkdf2.js

contact

Come into the conversation, besides the github communication features:

IRC	#pylucid on freenode.net (Yes, the PyLucid channel…)
webchat	https://webchat.freenode.net/?channels=pylucid

Project details

These details have not been verified by PyPI

Project links

Homepage

Release history Release notifications | RSS feed

0.3a0 pre-release

Jul 26, 2015

This version

0.2.0

May 9, 2015

0.1.0

May 6, 2015

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-secure-js-login-0.2.0.tar.gz (43.2 kB view details)

Uploaded May 9, 2015 Source

Built Distribution

django_secure_js_login-0.2.0-py2.py3-none-any.whl (72.6 kB view details)

Uploaded May 9, 2015 Python 2 Python 3

File details

Details for the file django-secure-js-login-0.2.0.tar.gz.

File metadata

Download URL: django-secure-js-login-0.2.0.tar.gz
Upload date: May 9, 2015
Size: 43.2 kB
Tags: Source
Uploaded using Trusted Publishing? No

File hashes

Hashes for django-secure-js-login-0.2.0.tar.gz
Algorithm	Hash digest
SHA256	`689cf5343b824f63c1e78b61283c578cbcedce6e0b7e3e4477146ff719878634`
MD5	`00d441c179d68f41616c1491ce812adc`
BLAKE2b-256	`d6c61289f2cd02645c70155152b86126d36cff05b1311e54579d9c97354e623d`

See more details on using hashes here.

Provenance

File details

Details for the file django_secure_js_login-0.2.0-py2.py3-none-any.whl.

File metadata

Download URL: django_secure_js_login-0.2.0-py2.py3-none-any.whl
Upload date: May 9, 2015
Size: 72.6 kB
Tags: Python 2, Python 3
Uploaded using Trusted Publishing? No

File hashes

Hashes for django_secure_js_login-0.2.0-py2.py3-none-any.whl
Algorithm	Hash digest
SHA256	`09c44c80bc01edbd73346b7bee8b9780a20a0c9f80fa708f46903c785394f9cc`
MD5	`04d0d7cbb0c115ea10ca6168eab97e9d`
BLAKE2b-256	`7134e0ec3ec53c83a148cb71cf48da19dd711841b53e09d9139a99ee33542261`