
Re: [jetty-dev] Proposing "Signed Password Authentication" LoginService

Why not skip the signature and just use HTTP client certificates instead?

SslContextFactory.setWantClientAuth(true);

http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/ssl/SslContextFactory.html#setWantClientAuth-boolean-

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Mon, Jul 20, 2015 at 5:09 PM, Edmond Kemokai <ekemokai@xxxxxxxxxxxxx> wrote:
Hello Folks,

I wonder if there is a reason a "Signed Password Authentication" option would not be a good idea in Jetty. The basic concept is to allow users to authenticate with their password along with a signature made using a locally stored private key; authentication on the server would involve verifying the signature against a stored public key.

Adding this to Jetty is a trivial matter. Basically add a few columns to the "users" table:

_publicKey (user's public key)
_enableSignedPasswordAuth (true/false per user)
_signatureTimestampDelay (max delay between client submission and server auth; this can be set globally as well)

Of course, add the signature verification logic, maybe to JDBCLoginService.java.

Add a configuration option for enabling the feature globally, and allow for algorithm specification.


One major issue to be addressed is how to migrate private keys to other devices when a user needs to authenticate from various devices. However, this is an application-level concern and should have no bearing on adding this option to Jetty.


I penned a blog post on this:

http://blog.crudzilla.com/2015/07/why-not-signed-password-authentication.html

I think this is an easy approach that can significantly improve password security.

-Edmond
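Added example, not code from the thread or from Jetty: one way the server side of the proposal quoted above could be checked, written in Java since that is where a Jetty login service would live. Everything about the wire format is an assumption made for the demo: the signed bytes are username, timestamp and password separated by newlines, the algorithm is SHA256withRSA, the stored public key is the DER encoding that the proposed _publicKey column would hold, and the window plays the role of the proposed _signatureTimestampDelay. The class and method names are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Jetty code): verify a client signature over the login fields
 * plus a timestamp against the user's stored public key, and bound replay with a
 * time window. Message layout and algorithm are assumptions for the demo.
 */
public final class SignedPasswordCheck {
    private static final String ALGORITHM = "SHA256withRSA"; // assumed; the proposal wants this configurable
    private final long maxDelaySeconds;                      // the proposed _signatureTimestampDelay
    // A timestamp window alone still allows replay inside the window, so remember
    // signatures accepted within it (signature -> timestamp, for pruning).
    private final Map<String, Long> seen = new HashMap<>();

    public SignedPasswordCheck(long maxDelaySeconds) {
        this.maxDelaySeconds = maxDelaySeconds;
    }

    /** Canonical bytes both sides sign (assumed layout): username, timestamp, password. */
    static byte[] canonical(String username, long timestamp, String password) {
        return (username + "\n" + timestamp + "\n" + password).getBytes(StandardCharsets.UTF_8);
    }

    /** Server side. The password itself is still checked by the existing login service; this is an extra gate. */
    public synchronized boolean verify(String username, String password, long timestamp,
                                       byte[] signature, byte[] storedPublicKeyDer, long nowEpochSeconds)
            throws GeneralSecurityException {
        // 1. Freshness: reject timestamps outside the window (stale or far in the future).
        if (Math.abs(nowEpochSeconds - timestamp) > maxDelaySeconds) return false;
        // 2. Replay: the same signature presented again inside the window is rejected.
        seen.values().removeIf(ts -> Math.abs(nowEpochSeconds - ts) > maxDelaySeconds);
        String sigKey = Base64.getEncoder().encodeToString(signature);
        if (seen.containsKey(sigKey)) return false;
        // 3. Signature against the public key stored for this user.
        PublicKey pub = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(storedPublicKeyDer));
        Signature verifier = Signature.getInstance(ALGORITHM);
        verifier.initVerify(pub);
        verifier.update(canonical(username, timestamp, password));
        boolean ok = verifier.verify(signature);
        if (ok) seen.put(sigKey, timestamp);
        return ok;
    }

    /** Client side, for the demo: sign the same canonical bytes with the user's private key. */
    static byte[] sign(PrivateKey priv, String username, long timestamp, String password)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALGORITHM);
        s.initSign(priv);
        s.update(canonical(username, timestamp, password));
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair user = kpg.generateKeyPair();                // constructed: the user's key pair
        KeyPair attacker = kpg.generateKeyPair();            // constructed: someone who knows the password only
        byte[] storedPublicKey = user.getPublic().getEncoded(); // what the _publicKey column would hold

        SignedPasswordCheck check = new SignedPasswordCheck(30);
        long now = Instant.now().getEpochSecond();

        byte[] sig = sign(user.getPrivate(), "alice", now, "correct horse");
        System.out.println("fresh, valid signature: "
                + check.verify("alice", "correct horse", now, sig, storedPublicKey, now));
        System.out.println("same signature replayed: "
                + check.verify("alice", "correct horse", now, sig, storedPublicKey, now + 1));

        byte[] forged = sign(attacker.getPrivate(), "alice", now, "correct horse");
        System.out.println("right password, wrong key: "
                + check.verify("alice", "correct horse", now, forged, storedPublicKey, now));

        long stale = now - 31;
        byte[] staleSig = sign(user.getPrivate(), "alice", stale, "correct horse");
        System.out.println("valid but outside window: "
                + check.verify("alice", "correct horse", stale, staleSig, storedPublicKey, now));
    }
}
```

Two practical notes on this sketch: the replay cache lives in one JVM, so a clustered deployment would need a shared store or a server-issued nonce instead of a pure timestamp window, and the window only works if client and server clocks agree to within the configured delay.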

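Added example, not Jetty's own code, illustrating the alternative in the reply at the top of the thread: a Jetty 9 HTTPS connector configured with setWantClientAuth(true), plus a servlet showing the check a practitioner has to add, because "want" only requests a certificate and the TLS handshake also completes when the client sends none. Keystore and truststore paths and passwords are placeholders; the servlet and class names are mine.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Added example (not Jetty code): HTTPS connector that asks for a client
 * certificate, and a servlet that checks whether one actually arrived.
 */
public class ClientCertServer {

    /** With wantClientAuth the application must do the presence check itself. */
    public static class WhoAmIServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            // Set by SecureRequestCustomizer. If a chain is present, the TLS layer has already
            // validated it against the trust store; a cert that fails validation aborts the handshake.
            X509Certificate[] chain =
                    (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            if (chain == null || chain.length == 0) {
                // No certificate was presented: this is where a fallback login or a plain 401 belongs.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
                return;
            }
            // chain[0] is the end-entity certificate; its subject is what you map to a user.
            resp.setContentType("text/plain");
            resp.getWriter().println("Authenticated as " + chain[0].getSubjectX500Principal().getName());
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStoreType("PKCS12");
        ssl.setKeyStorePath("etc/server-keystore.p12");       // placeholder: server key and certificate
        ssl.setKeyStorePassword("changeit");                   // placeholder
        ssl.setTrustStoreType("PKCS12");
        ssl.setTrustStorePath("etc/client-ca-truststore.p12"); // placeholder: CA(s) that issue client certs
        ssl.setTrustStorePassword("changeit");                 // placeholder
        ssl.setWantClientAuth(true);    // request a client cert; the handshake proceeds without one
        // ssl.setNeedClientAuth(true); // alternative: fail the handshake when no valid cert is presented

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer()); // exposes the cert chain to servlets

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);
        server.addConnector(https);

        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        context.addServlet(WhoAmIServlet.class, "/whoami");
        server.setHandler(context);

        server.start();
        server.join();
    }
}
```

Choosing between the two setters is the security decision: setNeedClientAuth(true) makes every connection on that port prove possession of a key, while setWantClientAuth(true) leaves the door open for clients without a certificate and pushes the decision into application code, as the servlet above does. Jetty also ships a CLIENT-CERT auth method (ClientCertAuthenticator) that maps the certificate subject onto a LoginService, so the mapping need not be hand-written in a servlet.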