
#Actual KnolanCross

Posted 04 January 2013 - 07:44 AM

1) Generate a random number.
2) Decrypt the password received by the client
3) Calculate a hash using the password and the random number
4) Save on the DB the random number (step 1) and the hash (step 3).
 
To authenticate:
1) Decrypt the password received by the client
2) Calculate the hash using the random number saved on database.
3) Check if the saved hash matches the one I just calculated.

 

Uh, I hope you are using SSL/TLS or something similar to transmit password information securely, otherwise this is vulnerable to a replay attack.

 

Since he said he is using a safe connection, I didn't clarify this part. But yes, I am, RSA (2048-bit key) with PKCS#1 v1.5 to be more exact.

 

On hashes, it depends on the algorithm you are using. For instance, MD5 has been broken, but SHA2 and SHA3 haven't (link: http://en.wikipedia.org/wiki/Sha512)

 

EDIT:

In case anyone in the future is interested in using the python lib, here is the link to its documentation:

http://packages.python.org/pycrypto/

 

And the package, current version as of the date of this post:

http://pypi.python.org/pypi/pycrypto/2.6
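The register/authenticate procedure quoted above, written out as an added example (not code from the thread or from pycrypto): it assumes the RSA decryption step has already produced the plaintext password, keeps the salt and hash in a constructed in-memory dict in place of the DB, and uses PBKDF2-HMAC-SHA-256 from the standard library instead of a single SHA-2 pass so that offline guessing is deliberately slow.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the DB table: username -> (random number/salt, hash)
USER_DB: dict[str, tuple[bytes, bytes]] = {}

ITERATIONS = 100_000  # assumed work factor; tune to the server's CPU budget


def derive_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Registration step 3 / login step 2: hash the password together with
    the per-user random number. PBKDF2-HMAC-SHA-256 (stdlib) is used here in
    place of a bare SHA-2 digest over password+salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username: str, password: str) -> tuple[bytes, bytes]:
    """Registration: 1) random number, 3) hash, 4) store both."""
    salt = secrets.token_bytes(16)          # step 1: 128-bit random number
    pw_hash = derive_hash(password, salt)   # step 3
    USER_DB[username] = (salt, pw_hash)     # step 4
    return salt, pw_hash


def authenticate(username: str, password: str) -> bool:
    """Login: 2) recompute the hash with the stored random number, 3) compare."""
    record = USER_DB.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so that "no such
        # account" cannot be told apart from "wrong password" by timing.
        derive_hash(password, b"\x00" * 16)
        return False
    salt, stored_hash = record
    candidate = derive_hash(password, salt)          # step 2
    # Constant-time comparison: a plain == would leak where the digests diverge.
    return hmac.compare_digest(candidate, stored_hash)  # step 3
```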
