Maybe It's Snake Oil All the Way Down

Ng Pheng Siong ngps at netmemetic.com
Tue Jun 3 19:34:52 PDT 2003


On Tue, Jun 03, 2003 at 03:04:54PM -0700, James A. Donald wrote:
> I never figured out how to use a certificate to authenticate a
> client to a web server, how to make a web form available to one
> client and not another.  Where do I start?

Start by looking up the OpenSSL wrappers for your favourite high-level
"scripting" language. There exists wrappers for Perl, Python, tcl, Ruby,
etc. Some popular languages have several.

Many of these programming language environments come with HTTP server
implementations, and many of the OpenSSL wrappers hook into said HTTP
server code to add HTTPS, and a number demonstrate how to do client-side
certificates.

My M2Crypto adds HTTPS to the popular web application server Zope
(www.zope.org) and has some code to hook client-side certificates into
Zope's own user authentication machinery. (By faking HTTP basic
authentication, just like Apache's SSL do.) Once you have that, you can
choose to serve whatever content you want.


> What I and everyone else does is use a shared secret, a
> password stored on the server, whereby the otherwise anonymous
> client gets authenticated, then gets an ephemeral cookie
> identifying him.. 

It seems HMAC'ing cookies are getting popular for this purpose.
OpenACS, another popular web application server uses this:

   http://openacs.org/doc/openacs-4/security-design.html

My Python crypto kit has an implementation of the scheme described here:

    http://www.pdos.lcs.mit.edu/cookies/pubs/webauth.html

I'll be interested to hear this list's view on such schemes. From my
app-plumber's perspective, such a technique for is good enough provided it
is 'secure' enough.

People understand passwords. Private keys, certificates, smart cards, etc.,
are more difficult. (I recall a paper on PGP UI useability testing called
"Why Johnny cannot encrypt" or something like that.)


> As a result we each have a large number of shared secret
> passwords, whereby we each log into a large number of
> webservers.  Was this what the people who created this protocol
> intended?

Actually, this is the crypto-wielding-open-source-hacker-wannabe's wet
dream: So what you need now to track (or generate strong) passwords is a
GUI "password safe"! (Like the one offered on (the old?) Counterpane site.)

Again, Perl, Python, Ruby, yada yada, you name it, people are going to
implement them for free. ;-)

Especially since there are usually 3-5 GUI toolkits and 2-4 database toolkits
for these language environments. Enough combinations to suit everyone.


-- 
Ng Pheng Siong <ngps at netmemetic.com> 

http://firewall.rulemaker.net  -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL





More information about the cypherpunks-legacy mailing list