- Regal eagle / American cloud - 13 Updates
"Chris M. Thomasson" <chris.m.thomasson.1@gmail.com>: Feb 28 03:34PM -0800 On 2/28/2020 8:50 AM, Mr Flibble wrote: > storing user's passwords whether they are encrypted or not on your > servers: you should be HASHING the user password on the user's machine > and sending that over an encrypted link. Indeed. Even a nice DH exchange might be in order... https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange |
"Chris M. Thomasson" <chris.m.thomasson.1@gmail.com>: Feb 28 03:37PM -0800 >> their password in the clear? > I plan to use Wireguard for encryption so it > could be done after we have that set up. How are you storing those user passwords on your end? I hope your not storing them in the clear... You can store the HMAC'ed result, keyed with a salt or some random element. Then instead of comparing passwords in the clear, you can compare hash digests. |
woodbrian77@gmail.com: Feb 28 04:24PM -0800

On Friday, February 28, 2020 at 5:37:35 PM UTC-6, Chris M. Thomasson wrote:
> storing them in the clear... You can store the HMAC'ed result, keyed
> with a salt or some random element. Then instead of comparing passwords
> in the clear, you can compare hash digests.

OK. I'm also thinking about this:
https://www.reddit.com/r/WireGuard/comments/ewzxk4/no_password_protection_at_all/

Perhaps I don't need passwords beyond what Wireguard provides.

Brian
Ebenezer Enterprises - In G-d we trust.
http://webEbenezer.net
Melzzzzz <Melzzzzz@zzzzz.com>: Feb 29 03:48AM

>> >> their password in the clear?
>> > I plan to use Wireguard for encryption so it
>> > could be done after we have that set up.

Sending passwords over mail is highly insecure. No one does it any more.

> OK. I'm also thinking about this:
> https://www.reddit.com/r/WireGuard/comments/ewzxk4/no_password_protection_at_all/
> Perhaps I don't need passwords beyond what Wireguard provides.

Hm, no password is something like sending public keys?

--
press any key to continue or any other to quit...
I enjoy nothing as much as my status as a DISABLED PERSON -- Zli Zec
We are all witnesses - about 3 years of intensive propaganda is enough to drive a nation mad -- Zli Zec
There wasn't actually that much violence in the Wild West, precisely because everyone was armed. -- Mladen Gogala
"Chris M. Thomasson" <chris.m.thomasson.1@gmail.com>: Feb 28 09:33PM -0800 On 2/28/2020 7:48 PM, Melzzzzz wrote: >> https://www.reddit.com/r/WireGuard/comments/ewzxk4/no_password_protection_at_all/ >> Perhaps I don't need passwords beyond what Wireguard provides. > Hm, no password is something like sending public keys? Very Simple scheme... Password Setup: Use DH to setup temporary secure channel between server and a client. The client encrypts the password using this session and sends the ciphertext to the server. The server decrypts and hashes the password with a random salt. The secure channel is destroyed. The server stores the digest and the salt. Password Validation: Use DH to setup temporary secure channel between server and a client. The client encrypts the password using this session and sends the ciphertext to the server. The server decrypts, looks up your account, hashes the password with the stored random salt. The secure channel is destroyed. The server compares the stored digest vs the computed digest. This way, the users passwords do not have to be stored. This is just a simple way to do it. |
Mr Flibble <flibbleREMOVETHISBIT@i42.co.uk>: Feb 29 06:28AM

On 29/02/2020 05:33, Chris M. Thomasson wrote:
> Use DH to setup temporary secure channel between server and a client.
> The client encrypts the password using this session and sends the ciphertext to the server.
> The server decrypts, looks up your account, hashes the password with the stored random salt.

NO! Do not send the password to the fucking server, hash on the fucking CLIENT and send the fucking HASH to the fucking server.

/Flibble

--
"Snakes didn't evolve, instead talking snakes with legs changed into snakes." - Rick C. Hodgin
"You won't burn in hell. But be nice anyway." – Ricky Gervais
"I see Atheists are fighting and killing each other again, over who doesn't believe in any God the most. Oh, no..wait.. that never happens." – Ricky Gervais
"Suppose it's all true, and you walk up to the pearly gates, and are confronted by God," Byrne asked on his show The Meaning of Life. "What will Stephen Fry say to him, her, or it?"
"I'd say, bone cancer in children? What's that about?" Fry replied. "How dare you? How dare you create a world to which there is such misery that is not our fault. It's not right, it's utterly, utterly evil."
"Why should I respect a capricious, mean-minded, stupid God who creates a world that is so full of injustice and pain. That's what I would say."
"Chris M. Thomasson" <chris.m.thomasson.1@gmail.com>: Feb 28 10:34PM -0800 On 2/28/2020 10:28 PM, Mr Flibble wrote: >> the stored random salt. > NO! Do not send the password to the fucking server, hash on the fucking > CLIENT and send the fucking HASH to the fucking server.' Okay. I was thinking of sending an encrypted password using a DH secure channel. We can most certainly hash on the client, then send the digest to the server using a secure DH? |
Melzzzzz <Melzzzzz@zzzzz.com>: Feb 29 06:50AM

>> The client encrypts the password using this session and sends the ciphertext to the server.
>> The server decrypts, looks up your account, hashes the password with the stored random salt.
> NO! Do not send the password to the fucking server, hash on the fucking CLIENT and send the fucking HASH to the fucking server.

Hash or ciphertext? Hash is same as sending it in plain text.
Melzzzzz <Melzzzzz@zzzzz.com>: Feb 29 06:51AM

> Okay. I was thinking of sending an encrypted password using a DH secure
> channel. We can most certainly hash on the client, then send the digest
> to the server using a secure DH?

When using encrypted protocol it is same. When attacker has hash it is same as plain text.
"Chris M. Thomasson" <chris.m.thomasson.1@gmail.com>: Feb 28 11:32PM -0800 On 2/28/2020 10:50 PM, Melzzzzz wrote: >>> The server decrypts, looks up your account, hashes the password with the stored random salt. >> NO! Do not send the password to the fucking server, hash on the fucking CLIENT and send the fucking HASH to the fucking server. > Hash or ciphertext? Hash is same as sending it in plain text. We want a ciphertext to be sent across the wire. We can use async crypto to get a shared key, then encrypt using a symmetric cipher. |
Mr Flibble <flibbleREMOVETHISBIT@i42.co.uk>: Feb 29 07:34AM

On 29/02/2020 06:51, Melzzzzz wrote:
>> to the server using a secure DH?
> When using encrypted protocol it is same. When attacker has hash it is
> same as plain text.

You are missing the point: people use the same password for different things: if the hash is compromised it only compromises access to this particular server; also you cannot guarantee that lemons working on the server code don't log it by mistake. NEVER send password in the clear from the CLIENT computer even over encrypted links.

Clue: you can hash a hash.

/Flibble
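The two-stage scheme the thread converges on (the client hashes the password, the server salts and hashes that digest again, and login compares digests rather than passwords) as an added example; this is not code from any poster. It assumes PBKDF2-HMAC-SHA256 as the "hash" on both sides, a deterministic client salt built from username and service name so the client needs no stored state, a random 16-byte server salt, and the iteration counts shown; all of those are my choices, not the thread's.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed parameters (not from the thread): a slow KDF on both sides so a
# leaked record or observed digest still costs an attacker per-guess work.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000
DIGEST_LEN = 32


def client_prehash(password: str, username: str, service: str) -> bytes:
    """Stage 1, runs on the client: derive a service-bound digest from the
    password. The salt is deterministic (service + username), so the same
    password gives a different digest for every service, and the raw
    password never leaves the client machine."""
    salt = f"{service}\x00{username}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               CLIENT_ITERATIONS, dklen=DIGEST_LEN)


@dataclass(frozen=True)
class StoredCredential:
    """What the server keeps per account: its own random salt and the
    hash of the client digest. Neither the password nor the client
    digest is stored."""
    salt: bytes
    digest: bytes


def server_register(client_digest: bytes) -> StoredCredential:
    """Stage 2, runs on the server: "hash the hash" with a fresh random
    salt, so two accounts sending the same client digest get different
    records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", client_digest, salt,
                                 SERVER_ITERATIONS, dklen=DIGEST_LEN)
    return StoredCredential(salt, digest)


def server_verify(stored: StoredCredential, client_digest: bytes) -> bool:
    """Login: recompute with the stored salt and compare digests in
    constant time instead of comparing anything in the clear."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_digest, stored.salt,
                                    SERVER_ITERATIONS, dklen=DIGEST_LEN)
    return hmac.compare_digest(candidate, stored.digest)


def demo() -> dict:
    """Walk through registration and login with constructed sample values
    and return each property as a boolean."""
    user, service = "alice", "service-a.example"          # constructed
    password = "correct horse battery staple"              # constructed
    d1 = client_prehash(password, user, service)
    stored = server_register(d1)
    ok = server_verify(stored, client_prehash(password, user, service))
    bad = server_verify(stored, client_prehash("wrong password", user, service))
    # Same user and password at a second service: the client digest differs,
    # so a leak of service-a's record says nothing about service-b's login.
    other = client_prehash(password, user, "service-b.example")
    again = server_register(d1)
    return {
        "correct_password_verifies": ok,
        "wrong_password_rejected": not bad,
        "digest_differs_per_service": other != d1,
        "server_record_differs_from_client_digest": stored.digest != d1,
        "two_registrations_give_different_records": again.digest != stored.digest,
    }


if __name__ == "__main__":
    for name, held in demo().items():
        print(f"{name}: {held}")
```

The client digest is still a login credential for this one server, which is the point Melzzzzz raises; the server-side salt and KDF only protect against a leaked database, so the digest still has to travel over an encrypted link as Chris says. The deterministic client salt is a trade-off: it lets the client run with no stored state, at the cost of making the pre-hash predictable for anyone who knows the username and service name, which is why the server stage adds its own random salt.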
"Chris M. Thomasson" <chris.m.thomasson.1@gmail.com>: Feb 28 11:38PM -0800 On 2/28/2020 10:51 PM, Melzzzzz wrote: >> to the server using a secure DH? > When using encrypted protocol it is same. When attacker has hash it is > same as plain text. Exactly. This is why its good to try to setup a temporary secure channel, just to send ciphertext to the server. |
"Chris M. Thomasson" <chris.m.thomasson.1@gmail.com>: Feb 28 11:40PM -0800 On 2/28/2020 11:34 PM, Mr Flibble wrote: > you cannot gaurantee that lemons working on the server code don't log it > by mistake. NEVER send password in the clear from the CLIENT computer > even over encrpypted links. It must use encrpypted links regardless. |
You received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page. To unsubscribe from this group and stop receiving emails from it send an email to comp.lang.c+++unsubscribe@googlegroups.com.