security - Authentication with salted password -


i'm using scrypt generate strong hashes of password of user. want log user in, don't want send password in plaintext on wire, how check if password correct (without roundtrip), since salted?

i'm having client / server scenario. client application on desktop computer (not website, nor http server).

how can achieve this? came far: i'm generating the salt + hash on client, form mcf out of , send server. save mcf database. haven't send password, hash practically useless (since scrypt should quite strong, , require few million years reverse it). how can log user service, without sending plaintext password server compare it? can't rehash it, since result in different hash due different salt? need send salt client, hash password, send hash server, compare it, , send authentication token back.

how can achieve this? authentication token secure? can used impersonate anyone, guess?

don't want send password in plaintext on wire,

good idea, if connection not encrypted (something ssl/tls), whatever send is plaintext. if hash password client-side, , send on network, password. there no benefit here, prevent user exposing actual password, re-use on other sites. (read more here)

ideally use ssl/tls encrypt connection. guess if wasn't possible, using asymmetric encryption certificates on message sending ok way of re-inventing wheel, hesitant recommend without having security person on it. it's easy screw up, , rule never roll own crypto scheme.

if can't verify/invalidate/update public key, not scheme.

i need send salt client, hash password, send hash server, compare it, , send authentication token back

the salt isn't supposed super secret, it's not great give away that, unauthenticated users. authentication token, hash, salt, etc can intercepted if connection not encrypted. if couldn't, didn't solve problem of users creating accounts through method (maybe don't need to, worth mentioning).

you have use asymmetric encryption server can decrypt data.


Comments

Post a Comment

Popular posts from this blog

html - Outlook 2010 Anchor (url/address/link) -

i'm trying link specific pdf page msoutlook'10 or msword'10, #page=... anchor particularly useful , works fine elsewhere. unfortunately when click [ctr-k] in outlook or winword, links re-formatted assuming unc path. pdf file located on shared drive. using "file:" prefix links open pdf in adobe reader (outside of browser), , "http:" open inside browser. issue seem need open in browser "file:" prefix in order anchor work. know anchors work inside browser. outlook uses windows/explorer default program (based on file extension) seems open in adobe reader neglecting anchor. is aware of solution, link specific page or bookmark of shared-pdf ms outlook and/or winword link? common references: mailermailer.com/...anchor-tags-html-emails campaignmonitor.com/...anchor-links-in-email-newsletters/ stackoverflow.com/...anchor-in-pdf-document
Read more

javascript - Why does running this loop 9 times take 100x longer than running it 8 times? -

consider code: test = function() { } t = new test(); (var = 0; < 8; i++) { result = t instanceof test; } if change number of iterations 8 9 , loop take 100 times longer complete in latest version of firefox (41.0.1). tested on 2 different pcs , magic limit 8. here jsperf test used: http://jsperf.com/instanceof-8-times-vs-9-times does have idea why might happen? seems specific instanceof . not happen if else object, example check property. note: filed bugzilla bug this. jan de mooij mozilla team has posted details in bugzilla thread . here's simplistic interpretation of highly technical answers: in i < 8 case, firefox smart enough hoist result = t instanceof test; statement out of loop (according tests, doesn't seem omit altogether). in i < 9 case, apparently doesn't optimization . why? reason not clear, related fact 9 iterations threshold above function considered "hot" enough run through jit compiler. i < 8 cas...
Read more

Getting gateway time-out Rails app with Nginx + Puma running on Digital Ocean -

following this guide setup app on digital ocean droplet, not working. site not loading , it's throwing: "gateway time-out". the puma server works, since ps aux | grep puma prints: root 15878 0.0 0.4 376832 2168 ? sl 12:50 0:00 puma 2.13.4 (unix:///var/www/myapp/shared/tmp/sockets/myapp-puma.sock) [20150930164940] root 15881 0.0 0.7 903676 3692 ? sl 12:50 0:06 puma: cluster worker 0: 15878 [20150930164940] root 24654 0.0 0.1 11748 916 pts/2 s+ 18:00 0:00 grep --color=auto puma my nginx config: user root; worker_processes 1; events { worker_connections 1024; } http { upstream puma { server unix:///var/www/myapp/shared/tmp/sockets/myapp-puma.sock; } server { listen 80; server_name myapp.com; root /var/www/myapp/current/public; access_log /var/www/myapp/current/log/access.log; error_log /...
Read more