Im using a derived HTTP socket server, the base class in python.
I've got a modified version of the implementation, right now I
want to introduce authentication of users in my server. What is
the best way to implement this? The server is on the machine running
the user database.
So how do I validate a user and a password with the system?
Are there any modules for this? How should passwords be sent?
Using clear-text isnt good enough!
Well, I would suggest HTTPS because it is transparent so you can send
the password safely.
However, you said you are using a derived version of the HTTP socket
server. Probably
it cannot handle HTTPS. In that case, it is a very good idea to use OTP
(One Time Password)
authentication. The basic idea is that you do not send the passwords in
clear text. Instead of
that, you send a hash of the password. The hash function must be
different for each connection.
There are standards (RFCs) for OTP authentication. But of course you can
implement yours.
For standard OTP, please read the RFCs. You will need OpenSSL to follow
the standards.
To create your own OTP algorithm, please follow this scheme:
1. Client connects to the server
2. Client sends the user name to the server
3. The server generates a random string and sends it to the client
4. The client generates a random string and sends it to the client
5. At this point, both the server and the client know both random
strings and the password.
Both the server and the client should setup a session key using
these values.
A listener person or in-the-middle attacker cannot calculate the
same session key because it does not know
anything about the password. Important: the generation of the
session key should be FULLY dependent
on both of the random strings and the password and should be
non-invertable (e.g. use cryptographically
secure hash functions).
6. Optional: After this point you have a session key on both sides, you
can setup a cipher on both sides to have an encrypted connection
7. Both the server and the client shoud setup a new hash function H()
that is dependent on the session key
8. The server sends another random string
9. The client calculates its hash value using H()
10. The client sends back the calculated hash value
11. The server checks if the hash value maches the one calculated
locally. If not, terminate the connection. If there is a match then the
authentication was successful.
The advantage of your own protocol is...
a.) You only need a hash function. No encryption, no openssl etc. The
built-in sha module is more than enough. As a result, your software will
be more portable.
b.) In theory, in specific scenarios, this system can be more secure
than a standard authentication algorithm. E.g. if your clients and your
servers are totally trustful then using a private protocol can be very
hard to crack. (Of course this is not the case when you want to create a
widely used, popular program.)
Hope this helps.
Best,
Laci 2.0
