Wednesday, January 14, 2009

Web-based...

Poor man's SSL:
Get yourself a JavaScript hash library and a JavaScript RSA library. Both exist.

For the logon page, use a hash-based challenge-response. Server generates the unique challenge, the page accepts the password in a form, on submission clears the password field, instead populates a hidden field with a hash of challenge and password (you can throw in a username and some client-based randomness, if you feel like it). The server calculates a hash with the same algorithm using the true password, matches the two hashes.

All fine and dandy, but the password has to get to the server somehow in the first place, right? That's where RSA comes in. For your user registration page, let the server generate a RSA key, cache the private key on the server, send the public key to the client. On submission, the page script would use the public key to encrypt the password, place the cyphertext into a hidden and clear the password field. The server code would retrieve the private key and decrypt.