[jetty-dev] Proposing "Signed Password Authentication" LoginService

Hello Folks,

I wonder if there is a reason a "Signed Password Authentication" option would not be a good idea in Jetty. The basic concept is to allow users to authenticate with their password along with a signature made using a locally stored private key; authentication on the server would involve verifying the signature against a stored public key.

Adding this to Jetty is a trivial matter. Basically, add a few columns to the "users" table:

_publicKey (user's public key)
_enableSignedPasswordAuth (true/false per user)
_signatureTimestampDelay (max delay between client submission and server auth; this can be set globally as well)

Of course, add the signature verification logic, maybe to JDBCLoginService.java.

Add a configuration option for enabling the feature globally, and allow for algorithm specification.


One major issue to be addressed is how to migrate private keys to other devices when a user needs to authenticate from various devices. However, this is an application-level concern and should have no bearing on adding this option to Jetty.


I penned a blog post on this:

http://blog.crudzilla.com/2015/07/why-not-signed-password-authentication.html

I think this is an easy approach that can significantly improve password security.

-Edmond
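The scheme sketched in the message above, written out end to end as an added example; this is not code from the post or from Jetty. Go with Ed25519 is used because it needs only the standard library. The user record carries the three proposed columns beside the password hash; the client signs user name, password and a unix timestamp with its private key; the server checks the password as before, then the timestamp against `_signatureTimestampDelay`, then the signature against `_publicKey`. The exact message layout, the salt-free SHA-256 stand-in for the password hash, and the cache of already-accepted signatures (added so a captured request cannot be replayed while its timestamp is still inside the window) are this example's own assumptions, not something the post specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// userRecord mirrors the three "users" columns proposed in the post, next to the
// password hash (plain SHA-256 here only as a stand-in for a real slow, salted hash).
type userRecord struct {
	passwordHash             [32]byte
	publicKey                ed25519.PublicKey // _publicKey
	enableSignedPasswordAuth bool              // _enableSignedPasswordAuth
	signatureTimestampDelay  time.Duration     // _signatureTimestampDelay
}

// loginRequest is what the client submits: the password as today, plus the
// timestamp it signed and the signature itself.
type loginRequest struct {
	user      string
	password  string
	timestamp int64 // unix seconds, chosen by the client
	signature []byte
}

// loginService holds the user table plus a cache of accepted signatures (value:
// unix time its window closes) so a captured request cannot be replayed early.
type loginService struct {
	users map[string]*userRecord
	seen  map[string]int64
}

func newLoginService() *loginService {
	return &loginService{users: map[string]*userRecord{}, seen: map[string]int64{}}
}

// addUser registers a password and, when pub is non-nil, opts the user in to
// signed password authentication with the given timestamp window.
func (s *loginService) addUser(name, password string, pub ed25519.PublicKey, delay time.Duration) {
	s.users[name] = &userRecord{passwordHash: sha256.Sum256([]byte(password)),
		publicKey: pub, enableSignedPasswordAuth: pub != nil, signatureTimestampDelay: delay}
}

// signedMessage is the byte string both sides sign and verify. Binding the user
// name and the timestamp in (not the password alone) stops a signature from
// being reused for another account or for a later login.
func signedMessage(user, password string, ts int64) []byte {
	return []byte(user + "\n" + password + "\n" + strconv.FormatInt(ts, 10))
}

// clientSign runs on the user's device with the locally stored private key.
func clientSign(priv ed25519.PrivateKey, user, password string, now time.Time) loginRequest {
	ts := now.Unix()
	return loginRequest{user: user, password: password, timestamp: ts,
		signature: ed25519.Sign(priv, signedMessage(user, password, ts))}
}

// authenticate is the server side: the usual password check, then, for opted-in
// users, the timestamp window, the replay cache and the stored public key.
func (s *loginService) authenticate(req loginRequest, now time.Time) error {
	u, ok := s.users[req.user]
	if !ok {
		return errors.New("unknown user")
	}
	got := sha256.Sum256([]byte(req.password))
	if subtle.ConstantTimeCompare(got[:], u.passwordHash[:]) != 1 {
		return errors.New("bad password")
	}
	if !u.enableSignedPasswordAuth {
		return nil // password-only account
	}
	skew := time.Duration(now.Unix()-req.timestamp) * time.Second
	if skew < 0 {
		skew = -skew
	}
	if skew > u.signatureTimestampDelay {
		return fmt.Errorf("signature timestamp outside the %s window", u.signatureTimestampDelay)
	}
	for sig, expires := range s.seen { // forget signatures whose window has closed
		if expires < now.Unix() {
			delete(s.seen, sig)
		}
	}
	if _, dup := s.seen[string(req.signature)]; dup {
		return errors.New("signature already used inside its window (replay)")
	}
	if !ed25519.Verify(u.publicKey, signedMessage(req.user, req.password, req.timestamp), req.signature) {
		return errors.New("bad signature")
	}
	s.seen[string(req.signature)] = req.timestamp + int64(u.signatureTimestampDelay/time.Second)
	return nil
}
```

Two things worth noticing when trying it: without the `seen` cache, anyone who captures a request can replay it for the full `_signatureTimestampDelay`, which is why the window should be short and the cache is needed at all (in a clustered deployment it would have to live in shared storage, not process memory); and because Ed25519 signatures are deterministic, two logins by the same user with the same password in the same second produce the same signature, so the second one is rejected as a replay.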
