Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
Here's a simple idea, based on some reading.
Server stores a hashed version of (plaintext + salt). This avoids passwords being seen, as long as the hash is hard to reverse.
When client attempts login, server sends it (salt,random), ie a constant salt and a newly generated random string.
Client sends back hash(hash(plaintext + salt) + random), ie client appends the salt, hashes, then appends the random, then hashes again.
Server checks that the hashed value is the same as it's own H(H(pwd+salt)+rnd).
I don't have much experience with this, so can I ask what the potential issues are? Also, what does one normally do with the salt? Can you really get away with using the same salt?
The scheme you are suggesting doesn't add any security to checking a password and simply adds complexity that using SSL for login doesn't. With SSL you can safely just transfer the plaintext password from the browser to the server, hash it with the salt, and then check against the stored hash. This eliminates the need for complex schemes. At this time, only nationstates can actually feasibly break SSL connections in a systemic way, although some really enterprising hackers have found some interesting vulnerabilities.
The scheme you are describing sounds very much like a Diffie-Hellman zero knowledge key exchange, which is much more secure than ssl as it never actually transfers the password after it is initially set up with the server. The problem with this kind of key exchange today, is that it must be written in Javascript on the client side and, as such, exposes the actual workings to every attacker that cares to look. The attacker could then just replace your Javascript with something else, or just tap into it to collect the initial passwords if you don't use SSL, so you are again just down to the security of the SSL connection from client to server with only a bunch of added complexity and failure points. There are ways to use ActiveX, Java, or other items to create browser plugins to handle all the key exchange stuff, but this again, adds a failure point for users that will be non-obvious, adds an extra step for the user that other sites don't require (installing the add-on or bookmarklet), and keeps you in development a lot longer for no real benefit.
Firefox has been working on implementing a Diffie-Hellman key exchange for passwords at the browser level, and this, if it ever takes off, will allow a lot of added security and make this kind of password scheme feasible.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 years ago.
Improve this question
How can I protect my REST API to identify fake request generated by some user / script and flooding my server with millions of requests?
If some one wrote any script or program and generate millions of calls to my REST API how can I protect my service from these request so that my API wont goes down. One way is I can use captcha but captcha is useful when caller is human. If caller is an application I can not use captcha. Is there any frameworks available for the same to handle such scenarios?
What your service is experiencing is called a DoS / DDoS attack. This is currently one of the most common attacks on web services.
There are many ways to mitigate such attack all
boiling down to separating the legit requests made by your API consumers from the malicious ones performed by the attacker/attackers. Such attacks are usually automatized and therefore the requests resemble one another in some way (IP range, HTTP headers, etc.). For example a very simple approach would be to identify the IP range that the attack comes from and block it out on your service's firewall.
There are a few posts here that discuss prevention of (D)DoS, e.g. How do major sites prevent DDoS? or What techniques do advanced firewalls use to protect againt DoS/DDoS?.
Third party services/products might help you protect your API. I don't want to mention any here as I don't want to advertise any of them. You'll need to do some searching.
Good luck.
You can pass a token for each request.
This token should be use any encryption algorithm and use a secret key to encrypt and decrypt token in both client and REST service.
Ex :
Client request : What is the weather of Chennai ? Token : chennai + 123 (Key)
Server Response : chennai123 : its valid : response 40 !!
Here key is 123 it should not available in public
In the last weeks I started building REST-Producing/Consuming web applications and therefore started to worry about the security of my communication.
I made up the following procedure:
One REST-Consumer and one REST-Producer secretly negotiate a common secret and initialize a One-Time-Password(OTP)-Component with this secret.
With every Request and Response the Clients send an OTP.
This OTP is generated by the OTP-Component based on the negotiated secret.
The other partner generates the same order of OTPs and checks whether the sent OTP is correct and accepts or blocks the communication.
After the OTP chain runs empty, the two communicators exchange a new secret and reinitialize (1.).
This structure is generally effective for multi-client environments and communication with many REST-Communicators. I have several questions regarding this procedure:
Is the calculation of OTPs fast enough to handle ms-transactions on the clients?
Is the overhead of the OTPs comparatively small in contrast to other security-features?
Is a OTP-procedure more secure than TLS-communication?
Could OTP-security be a method to use over HTTP-channels? (Assuming, it's ok that the data is plain readable!)
Which security-implementations are as secure as the explained procedure, but are cheaper, faster or less error-prone?
Thanks in advance. Please correct me, if the question has any mistakes or is out-of-scope!
Ok, I've read your question more thoroughly and understood it now. :-)
If you are pre-generating a list of OTPs on both sides there should
be no problem regarding performance. However you need to secure the
storage of the OTPs, which could be tricky regarding who has access
to the systems.
The overhead is IMHO insignificant when you are pregenerating the
list.
TLS is transportlayer security, OTP applicationlayer so there is no
direct comparability. TLS < 1.2 may be unsecure, but so are OTPs if
the way to generate them is weak. Which brings me to the next point:
If you send the OTPs unencrypted it may be possible to do a
man-in-the-middle and reengineer the algorithm and predict the next
OTPs.
Less error prone as in means of already used in production would be
for example Jax-RS secured with CXF. Cheaper? Could be, depends
on the implementation of the OTPs (buy, make, etc.) Faster? No. As
stated in answers to 1 and 2: If you have pre-generated OTPs there's not much overhead.
Regardless of the answers above: You should always think twice before implementing a custom solution in this area, as mistakes can be crucial. Think about the threats to your communication, do a trade-off-analysis and look at the result. Perhaps you will be satisfied using TLS > 1.2?
Some (especially bank) password systems require you to enter three (specified) letters out of your password to log in.
This is supposed to defeat keyloggers, and possibly wire-sniffing replay attacks (for unencrypted sessions).
Clearly, there's no way such a scheme can work using ordinary password hashing, since you'd need to know the whole password to compute the hash.
What do such systems commonly store server-side to make this work?
Do they store the password in plaintext, or maybe a separate hash of each letter, or what?
As you correctly note, standard password hashing schemes won't work if authentication is done using only a substring of the password. There are a number of ways that such a system could be implemented:
Store the password in plain:
Simple and easy to implement.
Insecure if the database is compromised.
May not comply with regulations requiring hashed or encrypted password storage (but using low-level database encryption might get around that).
Store the password encrypted, decrypt to check:
No more secure than storing it in plain if the encryption key is also compromised.
May satisfy regulations forbidding password storage in plain.
Could be made more secure by using a dedicated hardware security module or a separate authentication server, which would store the key and provide a black-box interface for encryption and substring verification.
Store hashes of all (or sufficiently many) possible substrings:
Needs much more storage space than other solutions.
Password can still be recovered fairly easily by brute force if the database is compromised, since each substring can be attacked separately.
Use k-out-of-n threshold secret sharing:
Needs less space than storing multiple hashes, but more than storing the password in plain or using reversible encryption.
No need to decrypt the password for substring verification.
Still susceptible to brute force attack if database is compromised: anyone who can guess k letters of the password can recover the rest. (In fact, with some implementations, k-1 letters might be enough.)
Ultimately, all of these schemes suffer from weakness against brute force attacks if the database is compromised. The fundamental reason for this is that there just isn't very much entropy in a three-letter substring of a typical password (or, indeed, of even a particularly strong one), so it won't take many guesses to crack.
Which of these is best? That's hard to say. If I had to choose one of these schemes, I'd probably go for encrypted storage using strong symmetric encryption (such as AES), with a separate server or HSM to handle encryption and verification. That way, at least, an attacker compromising a front-end server wouldn't be able to just copy the database and attack it offline (although they could still mount a brute force attack on the HSM if it didn't implement effective rate limiting).
However, I'd say that the whole idea of using only part of the password for authentication is deeply flawed: it doesn't really deliver the security benefits it's supposed to, except in a few particularly constrained attack scenarios (such as an eavesdropper that can only observe one authentication event, and cannot just keep trying until they get the same challenge), yet it fundamentally weakens security by reducing the amount of information needed for successful authentication. There are much better solutions, such as TANs, to the security concerns that partial password authentication is supposed to address.
I'm building a client/server iPhone game, where I would like to keep third-party clients from accessing the server. This is for two reasons: first, my revenue model is to sell the client and give away the service, and second I want to avoid the proliferation of clients that facilitate cheating.
I'm writing the first version of the server in rails, but I'm considering moving to erlang at some point.
I'm considering two approaches:
Generate a "username" (say, a GUID) and hash it (SHA256 or MD5) with a secret shipped with the app, and use the result as the "password". When the client connects with the server, both are sent via HTTP Basic Auth over https. The server hashes the username with the same secret and makes sure that they match.
Ship a client certificate with the iPhone app. The server is configured to require the client certificate to be present.
The first approach has the advantage of being simple, low overhead, and it may be easier to obfuscate the secret in the app.
The second approach is well tested and proven, but might be higher overhead. However, my knowledge of client certificates is at the "read about it in the Delta Airlines in-flight magazine" level. How much bandwidth and processing overhead would this incur? The actual data transferred per request is on the order of a kilobyte.
No way is perfect--but a challenge/response is better than a key.
A certificate SHOULD use challenge/response. You send a random string, it encrypts it using the certificate's private key, then you get it back and decrypt it with the public key.
Depending on how well supported the stuff is on the iPhone, implementing the thing will be between trivial and challenging.
A nice middle-road I use is xor. It's slightly more secure than a password, trivial to implement and takes at least an hour or two of dedication to hack.
Your app ships with a number built in (key).
When an app connects to you, you generate a random number (with the same number of bits as the key) and send it to the phone
The app gets the number, xor's it with the key and sends the result back.
On the server you xor the returned result with the key which should result in your original random number.
This is only slightly hacker resistant, but you can employ other techniques to make it better like changing the key each time you update your software, hiding the random number with some other random number, etc. There are a lot of tricks to hiding this, but eventually hackers will find it. Changing the methodology with each update might help.
Anyway, xor is a hack but it works for cases where sending a password is just a little to hackable.
The difference between xor and public key is that xor is EASILY reversible by just monitoring a successful conversation, public key is (theoretically) not reversible without significant resources and time.
Who is your adversary here? Both methods fail to prevent cracked copies of the application from connecting to the server. I think that's the most common problem with iPhone game (or general) development for paid apps.
However, this may protect the server from other non-iPhone clients, as it deters programmers from reverse engineering the network packet interfaces between the iPhone and the server.
Have your game users authenticate with their account through OAuth, to authorize them to make game state changes on your server.
If you can't manage to authenticate users, you'd need to authenticate your game application instance somehow. Having authentication credentials embedded in the binary would be a bad idea as application piracy is prevalent and would render your method highly insecure. My SO question on how to limit Apple iPhone application piracy might be of use to you in other ways.
I'm developing a program with a client/server model where the client logs on to the server, and the server assigns a session id/handshake which the client will use to identify/authorize its subsequent messages to the server.
I'm wondering what length should the handshake be for it to be reasonably secure but also short enough to minimize data overhead, since I'd like to have it be low latency.
I'm thinking of using MD5 or murmurhash2 with the username and a random number salt with a collision detection, but I'm wondering if there's a more efficient solution (i.e. a better algorithm) and whether 32bits is too much/too little for this kind of thing.
Any input is highly appreciated.
I would use a HTTPS connection for your client/server communications.
It's easy to use (almost all the major SDKs implement it) and it provides good encription.
Regards.
PD: In reference of encryption method I would use Whirlpool because Mr. Rivest said in 2005 it was broken.
This may not be as simple as it looks. Note that if you send anything in clear over the network (e.g. session id/handshake), anyone can eavesdrop the communication and reuse this value to act as the client.
If you cannot use https, as the first answer suggested, you probably need to look at key agreement protocols. Once both parties agree on a shared secret key (which cannot be reconstructed based on observed communications), you can use it to authenticate all the remaining transmissions with a MAC (e.g. HMAC).
Whatever you do, don't use MD5, it's so totally broken. Whirlpool may also not be the good option, it's slower and there is a recent (theoretical) attack on the main part of it, see
ASIACRYPT 2009 Program.
I would stick with SHA-256 for now.