HMAuth
HTML form authentication using HMAC
Download HMAuth
Introduction:
HMAC is a good way to authenticate a user without exchanging passwords.
Nothing new, OK, but I think the more such solutions are out there, the better.
- Description:
When users need to authenticate from a web page, passwords are often
sent over insecure channels, which can lead to our own passwords
being sniffed (read: CMS & Co.).
This is a way to avoid sending the password from a user login HTML form
over an insecure channel.
- How the system works:
To authenticate a user without sending the password, the server
sends a random string (a challenge).
When the user types the password and submits the form, the browser
computes the HMAC of it (with SHA-1; yes, it is broken, but this is an example)
using a JavaScript function and sends only the HMAC digest to the server.
The server checks whether the digest generated by the client matches
the one generated in the same way by the server and, if so, authenticates the user.
Example Given:
-------------index.php-----------------------------------------------------
<?php
// HMAuth library: provides print_hmauth_input() and test_hmauth().
// The challenge it issues is assumed to be stored in $_SESSION['message'].
require_once("hmauth.inc.php");
$password = "123"; // the user's password, known to the server (example value)
if (!isset($_POST['auth'])) {
    // First visit: show the login form with the challenge and the JavaScript HMAC code.
    echo "<html>
<body>";
    echo '<h2>Autenticazione</h2>
<form name="c" action="" method="post">';
    echo print_hmauth_input("c");
    echo "</form>
</body>
</html>";
} elseif (test_hmauth($_POST['auth'], $password, $_SESSION['message'])) {
    // The digest sent by the browser matches the one recomputed server-side.
    echo "ok";
} else {
    // Wrong digest: send the user back to the form, which issues a new challenge.
    header("Location: " . $_SERVER['PHP_SELF']);
    exit;
}
?>
------------------------------------------------------------------
- Final Note #1:
Sometimes it can be a good idea to tell web users that their passwords
won't travel anywhere around the Internet...
If you like (that's a personal choice) you can put a little banner which
informs visitors that you are adopting HMAuth on your site.
Just insert the following HTML code:
<div><a href="http://www.wisec.it/hmauth.php" title="Shhh...this Site Doesn't Send Any Password On The Internet!">
<img src="/images/hmauth.jpg" alt="HMAuth by Wisec.it - The Wise Security"
longdesc="This Site Uses HMAuth, a User Authentication System
That Doesn't Send Any Password On The Internet!" />
</a></div>
You can choose one of these three banners:
1. images/hmauth.jpg : static jpg
2. images/hmauth_shh.jpg : static
3. images/hmauth.gif : animated gif (two frames)
- Final Note #2 - A False Sense Of Security.
Warning!
This solution is useful only if you don't have the chance to use an HTTPS secure
channel, or as an additional feature on top of your HTTPS web solution.
You must regard this solution as an additional value to your code...
Don't think HMAuth is the ultimate solution to password-sniffing problems!
- Final Note #3 - License and use:
This program is licensed under the GPL 2.0 (http://www.gnu.org/copyleft/gpl.html),
also because it's not all mine...
Good authentication!
Stefano Di Paola
stefano.dipaola@wisec.it