[Owasp-ireland] client-side ssl certs?

Romans Malinovskis romans.malinovskis at agiletech.ie
Thu Aug 11 12:53:54 EDT 2011


Hi John.

For server-side strong encryption, you can use JavaScript strong encryption / RSA: http://www.jcryption.org/.

You can authenticate the computers users are logging in from by issuing a unique pubkey and storing it in the cookies or web cache. If a user is logging in from a new computer, you can ask for more details. On the server, then, you can maintain a list of issued keys, expire them, monitor who’s using which machine and so on. (http://www.jstorage.info/)

Apart from the password, use a second authentication screen.

Ask for username and password first, then send the user to a second screen. On that screen, show a “unique picture” and ask them to enter additional data: either certain digits from a secret number or the answer to a security question. Don’t let them re-shuffle it with a refresh.

Use tokens on the form, so that the same form can’t be submitted multiple times.

Brute-force delays: if the password is typed incorrectly, double the delay value for that user. When checking again, if time < previous_attempt_time * cooldown_value, ask the user to wait. You would need to store delays even for incorrect usernames.

That’s all that comes to mind. With all this implemented, it should be darn good and usable.


Hope this was helpful.

Romans

> Hi Folks,
> How is everyone? It’s been a bit quiet!
> 
> Anyway, might anyone have thoughts or experience on client-side ssl certs?
> 
> I am making a web app. I need some form of user authentication. I’m
> thinking I need to go a bit better than just having username/password
> for access control. What options are out there? It's for a
> public-sector thing. My hesitation with username/password access
> control is that the credentials might just get passed around.
> 
> I guess that client-side certs are the answer. But, there will be
> about 2000 users. These are low-tech users, distributed around
> Ireland. On their personal (ie not standardized) browsers/operating
> systems. So I can’t call around to them all doing the certificate
> installs. I’m not optimistic about asking this user population to do
> it themselves.
> 
> Any opinions ?
> Maybe it boils down to saying that I either have to
> use username/password
> or, accept the large effort of generating, installing and managing the certs?
> Is there a good way to generate, install and manage certs?
> 
> Thanks!
> JM
> 
> 
> -- 
> John Marmelstein
> 087 136 0045

Romans Malinovskis
r at agiletech.ie

I am now in London and looking for opportunities as a developer 
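The form-token and brute-force-delay measures described in the reply above, written out as an added example (this is not code from the original message, nor from jCryption or jStorage, which the message links for other purposes). `LoginGate`, `AttemptState` and the constants are hypothetical names; the user table and clock are constructed for the demo; the delay cap is an addition the message does not mention, included so a doubling delay cannot lock a legitimate user out for hours.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class AttemptState:
    """Per-username throttle state (kept even for usernames that do not exist)."""
    delay: float = 0.0          # seconds the username must wait after its last failure
    last_failure: float = 0.0   # clock reading of the last failed attempt


class LoginGate:
    """Login front door: one-time form tokens plus doubling brute-force delays."""

    BASE_DELAY = 1.0    # delay after the first failure (seconds)
    MAX_DELAY = 300.0   # cap on the doubling (addition not in the message)
    TOKEN_TTL = 600.0   # form tokens expire after ten minutes
    _DUMMY = "x" * 32   # compared against for unknown users so timing is similar

    def __init__(self, users, clock=time.monotonic):
        # users: username -> password. Constructed demo table; real code stores hashes.
        self._users = dict(users)
        self._attempts = {}     # username -> AttemptState (in-memory; use a shared store in production)
        self._tokens = {}       # token -> expiry clock reading
        self._clock = clock

    def issue_form_token(self):
        """Embed this in the login form; it is accepted exactly once."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = self._clock() + self.TOKEN_TTL
        return token

    def _consume_token(self, token):
        # pop() makes the token single-use: a replayed form fails here
        expiry = self._tokens.pop(token, None)
        return expiry is not None and self._clock() <= expiry

    def seconds_to_wait(self, username):
        """How long this username still has to wait before another attempt."""
        state = self._attempts.get(username)
        if state is None:
            return 0.0
        return max(0.0, state.last_failure + state.delay - self._clock())

    def login(self, username, password, token):
        if not self._consume_token(token):
            return "invalid_token"
        wait = self.seconds_to_wait(username)
        if wait > 0:
            return f"wait:{wait:.0f}"
        # Unknown usernames are compared against a dummy value and throttled like
        # real ones, so the delay itself does not reveal which usernames exist.
        expected = self._users.get(username, self._DUMMY)
        ok = secrets.compare_digest(expected, password) and username in self._users
        if ok:
            self._attempts.pop(username, None)   # successful login clears the delay
            return "ok"
        state = self._attempts.setdefault(username, AttemptState())
        # first failure: BASE_DELAY; every further failure doubles it, up to the cap
        state.delay = self.BASE_DELAY if state.delay == 0 else min(state.delay * 2, self.MAX_DELAY)
        state.last_failure = self._clock()
        return "denied"


if __name__ == "__main__":
    gate = LoginGate({"alice": "correct horse"})
    print(gate.login("alice", "wrong", gate.issue_form_token()))   # denied
    print(gate.login("alice", "correct horse", gate.issue_form_token()))   # wait:1
    print(gate.seconds_to_wait("nobody"))   # 0.0 until someone tries that name
```

The `wait:` response is returned without consulting the password, so a client that keeps hammering the form learns nothing new while it is throttled; the consumed token means that same form cannot be resubmitted after the wait either. The cap matters because a doubling delay with no ceiling is itself a denial-of-service handle against any known username.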
