CGI question: safe passwords possible?

Will Stuyvesant hwlgw at hotmail.com
Sat May 31 13:55:33 EDT 2003


> > [Gerhard Häring]
> > That's why I recommended to use digest authentication.

> [Paul Rubin] 
> Javascript has better browser coverage than digest auth, ...
> 
> I really think the OP should say more about what he's doing.  If his
> security requirements are bad enough that he needs to worry about
> passwords being captured, he may have much worse problems that he
> doesn't know about yet.


What am I doing?  I am trying to make an existing
design RESTful, if you don't know what that is see [1].  
The existing design uses CORBA and is claimed to be 
*very* secure.  There is some money involved but not a
huge amount: it *is* having some influence on my career
and my promotion of Python on the job :-)

I am building a prototype for an application.  For this
I would very much like to do CGI programming with
Python.  I already have most of it figured out, with
Python and CGI, in a nice way, independent of host or
operating system etc.  But the customer insists on
"security".  They are not too tech-savvy about
security, even less than I am.  So I could just try to
sell them something that is not secure at all, like the
prototype I have now using HTML forms with "user" and
"password" fields.  And just hope there will not be any
people doing eavesdropping or MITM when they fill in
the HTML forms.  Cash the money and be off.  But that
is just not me.  I really would like to help them in an
honest way.  I am sorry I can not say much here about
what the application is supposed to do.  It is
comparable to a multiplayer game, with over 10,000
users playing for about 30 minutes every day.  The
users have paid money to play the game, so they would
be very pissed off if anybody else is doing things with
their username and password.  Distribution of usernames
and passwords will be very secure.  Um.  I realize now I
have to talk to my customer again about that one :-)

So the question is: how to do secure logins with
password to CGI scripts written in Python?  The problem
is that a POST of a HTML form does look like
distinguishable field:value pairs and it could get
intercepted by a computer criminal.  This person could
then try to figure out what field the password is.

If I could force the HTML forms to use some encryption
scheme for concatenated field:value pairs then it would
be okay, as long as the criminal cannot guess the
encryption algorithm.

Only the first login to the CGI application is a
problem.  Once a user has logged in, in a secure way,
you can, in your CGI program, encrypt (username,
password, currentTime, userIPaddress) to something like
a "sessionID" that is valid only a short time period,
or can only be used once per page, and pass that along
to the next CGI page (with HTML type=hidden
parameters).  I have working code that does this and I
think I can rely on it.  So it is really only the first
login that bothers me.

I asked if anybody knows a solution for the login
problem on comp.lang.python and received some
interesting replies, thank you all!  One reply involved
using javascript to encrypt HTML form parameters.  But
this still does not solve it, because a criminal could
just use the encrypted values at a later time to get
in.  Unless you can encrypt it with a combination of
current time and maybe the IP address of the user.  But
I do not know how to do that with javascript.  Even if
I find it, would this be much harder for the criminal?

Of course I would prefer Python to javascript, but I
have to deal with a hosted environment, and later on
even unknown hosts, and unfortunately there is no such
thing as PythonScript in the usual browsers.  Let's
hope that Python will replace javascript in the future!
We need a lobby for this somehow, and I would be glad
to support it.

This all seems to lead to the conclusion that Python is
useless for secure CGI programming, at least for the
difficult first "authenticate and login" step, unless
you are a service provider yourself.  

But I want to try an idea: I could make a portable GUI
program in Python with Tkinter, called
secureCGIcall.py.  It asks the user for a name and a
password.  This all happens on the users' machine so
there is no risk of eavesdropping or MITM computer
criminals.  The password and username and time and user
IP address and whatever get mixed and encrypted in a
sessionstring for the user and secureCGIcall.py opens
the users' webbrowser calling the CGI program.  The CGI
program knows how to decrypt the sessionstring and can
decide if the user is allowed to enter.  New
sessionstrings are generated for every new page
requested, for instance using current.  Would this be a
safe architecture?  Did somebody do this already?

But then, how to get secureCGIcall.py to the user in a
safe way?  The computer criminal mentioned earlier
would love to read the source code :-).  Oh well, that
is the same kind of problem as getting the password
safely to the user, I will let my customer solve that
one.

I read a bit about HTTP Digest Authentication today,
and I think that using the HTTP Digest Authentication
is not for me.  In the RFC2617 itself it is even stated
that there are better secure systems.  Setting up
things for Apache (which is what my current service
provider uses, where I do the tests now) means that I
can not reuse it if I switch to another provider who
uses something else.  Argh.

This whole "safe first login" problem seems deceptively
simple.  And I feel a lot of people will face this
problem now that REST architectures are getting the
respect they deserve.


[1] The REST architecture, as identified by R. Fielding.
http://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm


-- 
It is better to know some of the questions than all of the answers.
                -- James Thurber
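Editor's added example (not code from the original post or its author): the post's two pieces, a first login whose captured bytes cannot be replayed, and a short-lived session string bound to time and client IP passed in a hidden field, are shown below as a challenge-response exchange with both sides' messages in Python. The password never crosses the wire; the server hands out a random single-use nonce, the client answers with an HMAC over it keyed by a password-derived key, and a replayed answer is rejected because the nonce has been consumed. The usernames, passwords, `NONCE_TTL`, `SESSION_TTL` and the in-memory `Server` class are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example: challenge-response login plus an expiring, IP-bound session token
# for a Python CGI handler. All users, keys and constants here are constructed.

NONCE_TTL = 60        # seconds a challenge may stay unanswered (assumption)
SESSION_TTL = 1800    # seconds a session token stays valid (assumption: one 30-minute game)
PBKDF2_ROUNDS = 100_000


def derive_verifier(password, salt):
    """Password-derived key shared by client and server; the password itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def client_response(password, salt, nonce, username):
    """Client side: prove knowledge of the password by MACing the server's fresh nonce."""
    verifier = derive_verifier(password, salt)
    return hmac.new(verifier, nonce + username.encode(), "sha256").hexdigest()


class Server:
    def __init__(self):
        self.users = {}      # username -> (salt, verifier); the verifier is password-equivalent, protect it
        self.pending = {}    # nonce -> (username, issued_at); every nonce is single-use
        self.secret = secrets.token_bytes(32)  # key for session tokens, generated at startup

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username, now=None):
        """Step 1: hand out the user's salt and a fresh random nonce."""
        now = time.time() if now is None else now
        # Unknown users get a random salt so the reply does not reveal which names exist.
        salt = self.users[username][0] if username in self.users else os.urandom(16)
        nonce = os.urandom(16)
        self.pending[nonce] = (username, now)
        return salt, nonce

    def login(self, username, nonce, response, ip, now=None):
        """Step 2: verify the response; the nonce is consumed whether or not it verifies."""
        now = time.time() if now is None else now
        issued = self.pending.pop(nonce, None)
        if issued is None or issued[0] != username or now - issued[1] > NONCE_TTL:
            return None                       # replayed, foreign or stale challenge
        if username not in self.users:
            return None
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce + username.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, response):
            return None                       # wrong password
        return self.issue_session(username, ip, now)

    def issue_session(self, username, ip, now):
        """Signed, expiring token carrying (user, expiry, client IP) for a hidden form field."""
        payload = f"{username}|{int(now) + SESSION_TTL}|{ip}"   # usernames must not contain '|'
        mac = hmac.new(self.secret, payload.encode(), "sha256").hexdigest()
        return f"{payload}|{mac}"

    def verify_session(self, token, ip, now=None):
        """Return the username if the token is authentic, unexpired and from the same IP, else None."""
        now = time.time() if now is None else now
        try:
            username, expiry, bound_ip, mac = token.split("|")
        except ValueError:
            return None
        payload = f"{username}|{expiry}|{bound_ip}"
        expected = hmac.new(self.secret, payload.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None                       # forged or tampered token
        if int(expiry) < now or bound_ip != ip:
            return None                       # expired, or presented from another address
        return username
```

Two caveats a practitioner would attach. First, this is essentially what HTTP Digest Authentication does, and it shares Digest's limits: the stored verifier is password-equivalent if the server database leaks, and an active man-in-the-middle who cannot learn the password can still take over the session after login; TLS is the standard answer to both the eavesdropping and the MITM case in the post. Second, a CGI script is a fresh process per request, so the `pending` nonce table and the server secret must live in a file or database shared across requests rather than in memory as shown here.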