
detail JS-SHA1-Login procedure

1. Create a new User

  1. Client gets a new, random user salt from the server: 's_123'
  2. Password input on the client: 'client_password'
  3. sha1(password + salt): '4f18cfffc975c298efe473377a84261a02f54858'
  4. Client sends the sha1 hash to the server.

2. Save user data

  1. Server splits the sha1 value: sha1_a: '4f18cfffc975c298' sha1_b: 'efe473377a84261a02f54858'
  2. encrypt(sha1_a, key=sha1_b): 'encrypted 4f18cfffc975c298 with efe473377a84261a02f54858'
  3. Save only the encrypted checksum + user salt

3. Login

  1. Client requests login and gets a random challenge from the server: 'c_123'
  2. User enters username and password: 'client_password'
  3. Client sends the username and gets the user salt from the server via AJAX: 's_123'
  4. on the client: sha1(password + salt): '4f18cfffc975c298efe473377a84261a02f54858'
  5. on the client: split the sha1 into: sha1_a: '4f18cfffc975c298' sha1_b: 'efe473377a84261a02f54858'
  6. on the client: sha1_a2 = sha1(sha1_a + challenge): 'b98f38bbd1c5fc3e8b5e6cf1388b42dfe194a4e0'
  7. Client sends username, sha1_a2 and sha1_b to the server.

4. validation on the server

  1. get the encrypted checksum for the user: 'encrypted 4f18cfffc975c298 with efe473377a84261a02f54858'
  2. decrypt(sha1checksum, key=sha1_b): '4f18cfffc975c298'
  3. sha1(sha1checksum + challenge): 'b98f38bbd1c5fc3e8b5e6cf1388b42dfe194a4e0'
  4. compare: b98f38bbd1c5fc3e8b5e6cf1388b42dfe194a4e0 == b98f38bbd1c5fc3e8b5e6cf1388b42dfe194a4e0

pseudo python script

The js_sha_login_pseudocode.py script generates the output shown above:

# coding: utf-8

"""
    Pseudo code of the JS-SHA-Login.
    (output is in creole markup)
    more info:
    http://www.pylucid.org/permalink/42/secure-login-without-https
"""

from hashlib import sha1 as sha_constructor


def sha1(txt):
    # hashlib hashes bytes; every value in this script is plain ASCII
    return sha_constructor(txt.encode("utf-8")).hexdigest()

def encrypt(txt, key): # Pseudo encrypt
    return "encrypted %s with %s" % (txt, key)

def decrypt(txt, key): # Pseudo decrypt
    txt, _, key2 = txt.split(" ", 3)[1:]
    assert key == key2
    return txt



print("\n\n=== 1. Create a new User ===\n")
print("# Client gets a new, random **user salt** from the server:", end=" ")
salt = "s_123"
print("'//%s//'" % salt)

print("# Password input on the client:", end=" ")
password = "client_password"
print("'//%s//'" % password)

print("# sha1(password + salt):", end=" ")
sha1sum = sha1(password + salt)
print("'//%s//'" % sha1sum)

print("# Client sends the **sha1** hash to the server.")



print("\n\n==== 2. Save user data ====\n")

print("# Server splits the sha1 value:", end=" ")
sha1_a = sha1sum[:16]
sha1_b = sha1sum[16:]
print("**sha1_a**: '//%s//' **sha1_b**: '//%s//'" % (sha1_a, sha1_b))

print("# encrypt(sha1_a, key=sha1_b):", end=" ")
sha1checksum = encrypt(sha1_a, key=sha1_b)
print("'//%s//'" % sha1checksum)

print("# Save only the encrypted **checksum** + **user salt**\n")



print("----")



print("\n\n=== 3. Login ===\n")

print("# Client requests login and gets a random **challenge** from the server:", end=" ")
challenge = "c_123"
print("'//%s//'" % challenge)

print("# User enters username and password: '//%s//'" % password)

print("# Client sends the username and gets the **user salt** from the server via AJAX: '//%s//'" % salt)

print("# on the client: sha1(password + salt):", end=" ")
sha1sum = sha1(password + salt)
print("'//%s//'" % sha1sum)

print("# on the client: split the sha1 into:", end=" ")
sha1_a = sha1sum[:16]
sha1_b = sha1sum[16:]
print("**sha1_a**: '//%s//' **sha1_b**: '//%s//'" % (sha1_a, sha1_b))

print("# on the client: **sha1_a2** = sha1(sha1_a + challenge):", end=" ")
sha1_a2 = sha1(sha1_a + challenge)
print("'//%s//'" % sha1_a2)

print("# Client sends username, **sha1_a2** and **sha1_b** to the server.")



print("\n\n==== 4. validation on the server ====\n")

print("# get the encrypted **checksum** for the user: '//%s//'" % sha1checksum)

print("# decrypt(sha1checksum, key=sha1_b):", end=" ")
sha1checksum = decrypt(sha1checksum, key=sha1_b)
print("'//%s//'" % sha1checksum)

print("# sha1(sha1checksum + challenge):", end=" ")
sha1check = sha1(sha1checksum + challenge)
print("'//%s//'" % sha1check)

print("# compare: //%s// == //%s//" % (sha1check, sha1_a2))
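
The script above fixes the salt and challenge so that it reproduces the output listed in sections 1 to 4. What follows is an added example, not PyLucid's own code, that implements the same exchange with both sides as functions: the server keeps only the user salt and the encrypted checksum, hands out a fresh random challenge per login attempt, accepts each challenge only once (single use is an assumption here, the page does not state it), and compares the two digests in constant time. The pseudo encrypt/decrypt stand in for the real cipher exactly as in the page's script; Server, client_register and client_response are names chosen for this example.

```python
import hashlib
import hmac
import secrets

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def encrypt(txt, key):  # pseudo cipher, the same stand-in as the page's script
    return "encrypted %s with %s" % (txt, key)

def decrypt(txt, key):
    txt, _, key2 = txt.split(" ", 3)[1:]
    return txt if key == key2 else None  # wrong key: nothing recoverable

class Server:
    def __init__(self):
        self.users = {}       # username -> (user salt, encrypted checksum)
        self.challenges = {}  # username -> outstanding login challenge

    def new_salt(self):                           # step 1.1
        return "s_" + secrets.token_hex(8)

    def register(self, username, salt, sha1sum):  # step 2: save user data
        sha1_a, sha1_b = sha1sum[:16], sha1sum[16:]
        self.users[username] = (salt, encrypt(sha1_a, key=sha1_b))

    def start_login(self, username):              # step 3.1: random challenge
        self.challenges[username] = "c_" + secrets.token_hex(8)
        return self.challenges[username]

    def salt_for(self, username):                 # step 3.3: salt via AJAX
        return self.users[username][0]

    def verify(self, username, sha1_a2, sha1_b):  # step 4: validation
        challenge = self.challenges.pop(username, None)  # single use (assumption)
        if challenge is None or username not in self.users:
            return False
        sha1_a = decrypt(self.users[username][1], key=sha1_b)
        if sha1_a is None:
            return False
        return hmac.compare_digest(sha1_hex(sha1_a + challenge), sha1_a2)

def client_register(server, username, password):  # step 1: create a new user
    salt = server.new_salt()
    server.register(username, salt, sha1_hex(password + salt))

def client_response(password, salt, challenge):   # steps 3.4 to 3.6
    sha1sum = sha1_hex(password + salt)
    sha1_a, sha1_b = sha1sum[:16], sha1sum[16:]
    return sha1_hex(sha1_a + challenge), sha1_b
```

Because sha1_a2 is bound to the challenge, a captured (sha1_a2, sha1_b) pair no longer verifies once the server has issued a new challenge, which is the property the scheme relies on without HTTPS.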