[JDEV] server computation is inevitable
Corbett J. Klempay
cklempay at chimera.acm.jhu.edu
Fri Apr 23 02:04:27 CDT 1999
I've been laying some initial code in mod_digsig...and it's becoming
increasingly clear that some crypto computation will be needed on the
server side in order to authenticate clients trying to log on securely.
Basically:
in the equation y = g^x mod p
the server has: y, g, and p
the client has: y, g, p, and x (x is the secret key)
In order to verify that the client is who he says he is, all the server
needs is x...he can plug it into the equation and if it checks out, then
all is kosher. However, you don't want to be sending the client's
_secret_ key in plaintext; that defeats the whole point of having a secure
login in the first place...the system would be no more secure than ICQ
(sending the secret x in plaintext is not functionally different than ICQ
sending the login password in plaintext).
So, some kind of public-key based challenge-response protocol will
probably be instituted to convey the secret x without sending x in
plaintext. This will require computation on the server side (so in other
words, logging a user into the server isn't going to just be a check to
see if (passwd == stored passwd)).
I'm looking longest and hardest at challenge response based on digital
signatures right now (totally avoiding straight up public key crypto
itself...export controls...damn they are lame)...if anyone has a copy of
the CRC Press _Handbook of Applied Cryptography_ (great book, btw), it's
pages 404 and 405.
In related news, it looks like GNU MP (GMP) is what I'm using for large
integer support (and the associated operations).
Also: if a protocol other than just "here's my name and password" (the
standard, insecure login) is going to be needed to support secure logins,
how does this fit (or not fit) into the current Jabber protocol?
I'll be visiting a friend at Carnegie Mellon this weekend (leaving
tomorrow), but should be checking my mail from there...feedback would be
useful. Thanks guys!
------------------------------------------------------------------------------
Corbett J. Klempay Quote of the Week:
http://www.acm.jhu.edu/~cklempay "A commune is where people join
together to share their lack of
wealth."
------------------------------------------------------------------------------
More information about the JDev
mailing list