0

I am working with several other people in writing software which requires authentication before it accesses resources. In order to authenticate, we devised the following strategy.

  • Client sends a SHA1 of a username to the server
  • Server responds with a user's unique ID, which is a public key in an RSA key-pair
  • Client creates a SHA256 hash of a user's login details, and encrypts it using the unique ID.
  • If the hash matches the hash of a user's login details, the server responds with a specific value, and records the timestamp of the moment the response was sent.
  • The client responds by encrypting the timestamp at the time it receives confirmation, and sends it to the server.
  • If the timestamp sent by the client is within x seconds of the server's recorded timestamp, the server considers the client authenticated.

Currently, the client-server communication will take place using SSL/TLS over TCP.

My question is as follows: Is this method secure enough and, if not, what can be done to improve it?

LMS
  • 171
  • 1
  • 7
  • 1
    [Please don't be a Dave.](http://security.stackexchange.com/questions/25585/is-my-developers-home-brew-password-security-right-or-wrong-and-why) – Adi Mar 13 '13 at 18:49
  • 4
    Is there a reason you're rolling your own rather than using a standard authentication protocol (Oauth, openid, SAML, etc.). And what does "Secure enough" mean? If you're securing nuclear weapons, then the answer is "NO". If you're securing your kid's kindergarten homework, then "yes". What is the consequence of the authentication going wrong? – MCW Mar 13 '13 at 18:52
  • The decision not to use a standard auth protocol was, to my understanding, taken because we're not using HTTPS as our method of transferring information. The consequence of authentication going wrong is the loss of a number of potentially sensitive files on a potentially large number of machines. – LMS Mar 13 '13 at 18:57
  • 1
    SSL/TLS over TCP... even if you're not using HTTPS, you can still implement the same kinds of auth you normally see. – Jeff Ferland Mar 13 '13 at 19:06
  • Is the user's unique ID (RSA public key) different every time the user logs in? Or more importantly, is the public key invalidated as soon as it is used? If not, the protocol inside the SSL/TLS tunnel is vulnerable to a replay attack. – Ladadadada Mar 13 '13 at 19:09
  • At the moment, the public key remains constant between authentications. I'll communicate this flaw, and have it rectified. – LMS Mar 13 '13 at 19:27

1 Answers1

9

What are you trying to achieve ? In particular, why would you create a new RSA key pair ?

You use SSL; that's good. With SSL, the client has some strong guarantee that it talks to the right server, and that what the client will send will be readable only by that server. At that point, just send the user login and password through the tunnel. There is no need to fiddle with timestamps and additional public keys and hashing and whatsnot. SSL is enough.

On the server side, just store a password hash, as a second line of defence (you do not want someone who got a quick peek at the server's database to obtain a full list of valid passwords immediately). But this is on the server and irrelevant for the actual protocol. The protocol is: client connects to server with SSL, client sends login+password in the SSL tunnel, server verifies the password and is happy (or not).

If the SSL protection is not enough for you, then either the client or the server (or both) is under hostile control, and you have bigger worries, and there is nothing more you may do to fix that. Your games with extra keys and hashes and timestamp bring a lot of extra complexity and overhead, for no security benefit.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • Thank you for the insight. The decision was made to use extra encryption and such because this software is intended to be used in the event that the client is under hostile control, and so any data communicated by this program would not be immediately readable by any attacker, should they be monitoring inbound and outbound traffic. – LMS Mar 13 '13 at 19:23
  • 4
    If the hostile entity has control of the machine, then he is monitoring keyboard, display, hard disk activity, and can see the very RAM of each process (and yes, attackers do that routinely). If you believe that your encryption antics would bring you some actual extra protection, then you are up for some disappointment. – Tom Leek Mar 13 '13 at 19:29
  • The software is intended to provide a little bit of extra security in the event that a device is stolen or lost. Rather than attempt to thwart the most knowledgeable of attackers, it attempts to mitigate the consequences of your everyday thief, or maybe a reasonably tech-literate thief, obtaining a laptop or similar which may contain sensitive information. – LMS Mar 13 '13 at 19:31
  • @LiamMcSherry Unless I'm missing something, are you using your application to some-how encrypt files on the client's machine? – Adi Mar 13 '13 at 19:45
  • Files are encrypted, and the client polls the server for the status of the machine, which is set via a web control panel. If the machine is "lost/stolen," the program deletes the encrypted files, as well as any files marked "sensitive" on the machine. Paraphrased slightly from the spec I have infront of me. – LMS Mar 13 '13 at 20:27
  • @LiamMcSherry Wouldn't it be better to encourage your users to install a well-vetted solution like TrueCrypt full-disk encryption instead of rolling you own? Let's be honest here, whatever you do you will _not_ come up with anything better, so why take risk? – Adi Mar 14 '13 at 08:32