Authentication for socket communication ...

Gandalf gandalf at geochemsource.com
Tue Jun 1 12:38:41 EDT 2004 

>Im using a derived HTTP socket server, the base class in python.
>I've got a modified version of the implementation, right now I
>want to introduce authentication of users in my server. What is
>the best way to implement this? The server is on the machine running
>the user database. 
>
>So how do I validate a user and a password with the system?
>Are there any modules for this? How should passwords be sent?
>Using clear-text isnt good enough!
>  
>
Well, I would suggest HTTPS because it is transparent so you can send 
the password safely.
However, you said you are using a derived version of the HTTP socket 
server. Probably
it cannot handle HTTPS. In that case, it is a very good idea to use OTP 
(One Time Password)
authentication. The basic idea is that you do not send the passwords in 
clear text. Instead of
that, you send a hash of the password. The hash function must be 
different for each connection.
There are standards (RFCs) for OTP authentication. But of course you can 
implement yours.

For standard OTP, please read the RFCs. You will need OpenSSL to follow 
the standards.

To create your own OTP algorithm, please follow this scheme:

1. Client connects to the server
2. Client sends the user name to the server
3. The server generates a random string and sends it to the client
4. The client generates a random string and sends it to the client
5. At this point, both the server and the client know both random 
strings and the password.
    Both the server and the client should setup a session key using 
these values.
    A listener person or in-the-middle attacker cannot calculate the 
same session key because it does not know
    anything about the password. Important: the generation of the 
session key should be FULLY dependent
    on  both of the random strings and the password and should be 
non-invertable (e.g. use cryptographically
    secure hash functions).
6. Optional: After this point you have a session key on both sides, you 
can setup a cipher on both sides to have an encrypted connection
7. Both the server and the client shoud setup a new hash function H() 
that is dependent on the session key
8. The server sends another random string
9. The client calculates its hash value using H()
10. The client sends back the calculated hash value
11. The server checks if the hash value maches the one calculated 
locally. If not, terminate the connection. If there is a match  then the 
authentication was successful.

The advantage of your own protocol is...

a.) You only need a hash function. No encryption, no openssl etc. The 
built-in sha module is more than enough. As a result, your software will 
be more portable.
b.) In theory, in specific scenarios, this system can be more secure 
than a standard authentication algorithm. E.g. if your clients and your 
servers are totally trustful then using a private protocol can be very 
hard to crack. (Of course this is not the case when you want to create a 
widely used, popular program.)

Hope this helps.

Best,

   Laci 2.0

More information about the Python-list mailing list