The arrow of time

Ivan Voras' blog

Secure logins without SSL?

SSL is good, SSL is great, SSL does a lot of things for a lot of people, but sometimes you just need a secure login method without the overhead of using SSL. As a first step, I've created a simple library, rsalogin, which uses a JavaScript RSA implementation and allows the client and the server to exchange data in a relatively secure manner. It borrows the approach of verifying server keys from SSH: the first time a server is accessed, its key is stored locally in the browser using HTML5 and verified on later access.

Firstly, I'm definitely not advocating replacing SSL/TLS with something like this. SSL offers complete end-to-end data encryption and also a model for authenticating the communicating parties to each other (the PKI infrastructure with Certificate Authorities). Though this CA model is the weakest link as it currently doesn't really guarantee much, it's better than nothing.

Alternatives are possible, though. SSH is used by millions of system administrators all over the world and it relies on a different model: the first time a server is contacted, its public key fingerprint is saved locally as a part of the user's private data, and verified each subsequent time the server is contacted. If a mismatch is detected, it usually means that something is wrong. The worst thing that can happen is that someone is impersonating the destination server and offering their own key instead of the one from the genuine server, which means they can intercept and collect all data sent from the user.

This approach has a big theoretical weakness compared to the PKI/CA model: there is no additional data associated with the server key, and no way to verify whether the contacted server actually belongs to the person or company it is supposed to belong to. Since each server generates its key independently, there is no mechanism which verifies that a key which supposedly comes from e.g. "bank.example.com" is actually from the presumed bank.

On the other hand, this is also an advantage: there is no attempt to centralize this architecture and introduce artificial arbiters. Each system maintains its keys independently.

My rsalogin project follows the SSH model of key verification. From a high-level point of view, this is how it works:

  1. The server loads an OpenSSL-compatible keypair (the code in the project can either create a new keypair or load an existing one).
  2. The server sends the public key of the pair to the client.
  3. The client checks whether the key is already registered in the browser (using HTML 5 storage) and, if it is, whether the stored key matches what the server sent this time. Per the HTML 5 specification, this storage is per-domain.
  4. The client encrypts sensitive information (such as the user's login and password information) and sends the encrypted value back to the server.
  5. The server decrypts and processes this information.

Of course, it is also trivially simple to send any kind of data encrypted back and forth to and from the server (though this functionality is not yet directly supported by existing code).
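The key check in step 3 and the gate it puts in front of step 4, as an added example that is not rsalogin's own code. All function names and the storage key name are hypothetical, `encrypt` stands in for the RSA library call, and the whole key is stored and compared, as the post describes.

```javascript
// Added example: trust-on-first-use pinning of the server public key.
// Every name below is hypothetical; this is not rsalogin's API.
const PIN_KEY = "pinnedServerKey"; // assumed storage key name

// Strip PEM armor and whitespace so line-ending changes do not look like a new key.
function normalizeKey(pem) {
  return String(pem).replace(/-----[^-]+-----/g, "").replace(/\s+/g, "");
}

// storage: any object with getItem/setItem (window.localStorage in a browser,
// which is per-origin). Returns "first-use", "match", "mismatch" or "invalid".
// A mismatch never overwrites the pinned key.
function checkServerKey(storage, serverPem) {
  const offered = normalizeKey(serverPem);
  if (offered === "") return "invalid"; // an empty key is never acceptable
  const pinned = storage.getItem(PIN_KEY);
  if (pinned === null) {
    storage.setItem(PIN_KEY, offered); // first contact: remember this key
    return "first-use";
  }
  return pinned === offered ? "match" : "mismatch";
}

// Encrypt credentials only when the key check passes.
// encrypt(pem, plaintext) is a stand-in for the RSA library call.
function sealLogin(storage, serverPem, login, password, encrypt) {
  const status = checkServerKey(storage, serverPem);
  if (status !== "first-use" && status !== "match") {
    return { status, payload: null }; // refuse: nothing leaves the browser
  }
  const payload = encrypt(serverPem, JSON.stringify({ login, password }));
  return { status, payload };
}

// Constructed in-memory stand-in for localStorage, for running outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

The pinned value lives in script-writable storage, so this check is only as trustworthy as the page's resistance to script injection.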

Would I use this method for logging into Facebook, my blog or some similar system? Yes, absolutely - every day. Would I use it to log in to a bank? ... erhm, probably not, but this is more because I value the "end-to-end encryption" part of SSL than the CA "verification" process.

I think the most important security threat for this model is from cross-site-scripting attacks (XSS) which may tamper with the HTML 5 storage, tricking users into believing that they are sending data to the same server they've sent it to the last time.

At this time, rsalogin is a somewhat thin wrapper around the RSA JavaScript code by Tom Wu, but this will probably change in the future. I'm calling this "version 0.1" :) Currently, the server side is in PHP, and I'll adapt it to other languages if needed (i.e. if someone asks for it). Of course, I also accept patches. :)

#1 Re: Secure logins without SSL?

Added on 2012-07-23T12:25 by Wesley Moore
Curious, did you have a particular use case in mind when you made this or did you just want to implement the idea?

#2 Re: Secure logins without SSL?

Added on 2012-07-23T13:23 by Ivan Voras

Yes, a login for my blog and the occasional other PHP project I got involved in.


Comments are subject to moderation and will be deleted if deemed inappropriate. All content is © Ivan Voras. Comments are owned by their authors... who agree to basically surrender all rights by publishing them here :)