SRP: Never store - or even know - your user’s passwords! (Markus Schlichting)

  • Published: 4 Oct 2024
  • All those information leaks revealing critical user data, including passwords, have raised awareness of how important it is to keep your users' account information safe. The safest way to be protected from such security incidents is, of course, not to store any passwords at all. And if you do not transmit any password over the wire, your system is also safe from sniffing attempts!
    A proven way to achieve this is defined by SRP, the Secure Remote Password protocol. This session shows you how to implement it and shares some experience from production systems using it.
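As an added example, not code from the talk or from any library the speaker uses, the following Python runs the SRP-6a flow the description refers to with client and server in one file: sign-up derives a salt and a verifier on the client, the server stores only those two values, and login exchanges the public values A and B plus two proofs, so neither the password nor anything that directly reveals it crosses the wire. It assumes the 1024-bit group from RFC 5054 (transcribed here; check it against the RFC before relying on it), SHA-256 in place of the RFC's SHA-1, simplified proofs M1 = H(A | B | K) and M2 = H(A | M1 | K), and a fake-salt response for unknown usernames that is my own addition; the `Client`, `Server`, `register` and `login` names are mine.

```python
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054 Appendix A (transcribed; verify against the RFC before use).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding so hashes do not depend on leading zero bytes."""
    return x.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, read as an integer (the RFC uses SHA-1)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(username:password)); a slow KDF here would raise the guessing cost."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def register(username: str, password: str) -> tuple[bytes, int]:
    """Client-side sign-up: only (salt, verifier) are sent to and kept by the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


class Client:
    def __init__(self, username: str, password: str):
        self.I, self.P = username, password
        self.a = secrets.randbits(256) + 1   # ephemeral private value
        self.A = pow(g, self.a, N)            # public value sent with the username

    def proof(self, salt: bytes, B: int) -> bytes:
        """Derive the session key from the server's B and return the client proof M1."""
        if B % N == 0:
            raise ValueError("server public value must not be zero mod N")
        u = H(pad(self.A), pad(B))
        x = private_x(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def verify(self, M2: bytes) -> bool:
        # The client also checks the server's proof, so it knows it reached the real server.
        return hmac.compare_digest(M2, hashlib.sha256(pad(self.A) + self.M1 + self.K).digest())


class Server:
    def __init__(self, db: dict):
        self.db = db                             # username -> (salt, verifier)
        self.enum_key = secrets.token_bytes(32)  # for stable fake salts of unknown users

    def challenge(self, I: str, A: int) -> tuple[bytes, int]:
        """Answer the client's (I, A) with (salt, B) and precompute the expected M1."""
        if A % N == 0:
            raise ValueError("client public value must not be zero mod N")
        if I in self.db:
            salt, v = self.db[I]
        else:  # unknown user: behave as if it existed, so usernames cannot be enumerated
            salt = hmac.new(self.enum_key, I.encode(), "sha256").digest()[:16]
            v = pow(g, secrets.randbits(256), N)
        b = secrets.randbits(256) + 1
        B = (k * v + pow(g, b, N)) % N
        u = H(pad(A), pad(B))
        S = pow(A * pow(v, u, N) % N, b, N)   # equals the client's S only if x matches v
        self.A, self.B, self.K = A, B, hashlib.sha256(pad(S)).digest()
        self.expected_M1 = hashlib.sha256(pad(A) + pad(B) + self.K).digest()
        return salt, B

    def check(self, M1: bytes):
        """Return the server proof M2 on a matching M1, None for a wrong password."""
        if not hmac.compare_digest(M1, self.expected_M1):
            return None
        return hashlib.sha256(pad(self.A) + M1 + self.K).digest()


def login(db: dict, username: str, password: str) -> bool:
    # Runs the whole exchange over an in-memory "wire"; True only if both proofs match.
    client, server = Client(username, password), Server(db)
    salt, B = server.challenge(client.I, client.A)
    M2 = server.check(client.proof(salt, B))
    return M2 is not None and client.verify(M2)


if __name__ == "__main__":
    users = {"alice": register("alice", "correct horse battery staple")}  # constructed sample
    print(login(users, "alice", "correct horse battery staple"), login(users, "alice", "wrong"))
```

Because the database holds only g^x mod N, a leaked table does not contain passwords; it is still an offline-guessing target, which is why the per-user salt and, in a real deployment, a slow password hash inside x matter. A passive observer of A and B gets nothing usable without the verifier, and an active party that does not know v cannot produce a B the client's proof will agree with, which is the point the man-in-the-middle discussion in the comments circles around; what SRP cannot do is protect the initial registration, where the verifier itself has to reach the server over a channel authenticated some other way.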

Comments • 12

  • @eliiiiaas
    @eliiiiaas 6 years ago +5

    The flow chart of the authentication is not shown completely :( Great video and explanation! Thank you.

    • @zellfaze
      @zellfaze 5 years ago +1

      I was really hoping that there would be a pdf of the slides in the description because of that. Unfortunately there is not and I couldn't find them online at all. That said, the Wikipedia article on the subject does have an overview of the maths.
      I put this comment here less for you, and more for the future readers of these comments.

  • @anatoliistepaniuk8217
    @anatoliistepaniuk8217 4 years ago

    What is meant by "Avoid identity management"? Not storing user profiles in your system? Or avoiding user authentication on your side? Where should access management be handled?

  • @nirojanselvanathan
    @nirojanselvanathan 6 years ago

    Great Video and explanation, Thank you.

  • @bar10dr
    @bar10dr 5 years ago +1

    I don't understand why this can't be broken by a man-in-the-middle attack. If a third party gets the transactions sent to him, can't they then just create their own keys on behalf of the client using the same username but a different password and do the calls to the actual server? And then reply to the client after a successful reply from the server? How does the server know that the user is who it says it is without any prior communication? I guess the server has to store the computed hash on registration then? But what if the attack happens during registration?

    • @josephleethedeveloper
      @josephleethedeveloper 5 years ago

      9:08 he explains why man in the middle won't work.

    • @nowakpl
      @nowakpl 5 years ago

      During registration you have to rely on some other method of authentication, like a server PKI certificate.

  • @hichamhicham-rh4zx
    @hichamhicham-rh4zx 2 years ago +1

    What are the disadvantages or cons of SRP?

  • @cryptearth
    @cryptearth 11 months ago

    13:38 ugh - once again you can tell it was a German who couldn't speak English: "create user in db, SAFE username, salt and verifier" - NO! *zonk sound
    The correct word here would have been SAVE - from to secure/to store - not safe as in "vault/strongbox"
    Dude - THAT is just embarrassing - if you're not sure whether it's save or safe - why not simply: store! *zonk sound again

    • @Luxalpa
      @Luxalpa 5 months ago

      Possibly the person just made a typo; that happens to me quite often too, especially when I'm tired :)

    • @cryptearth
      @cryptearth 5 months ago

      @@Luxalpa please take a look at the layout of a German keyboard:
      between B and P, and between A and ER, there is enough distance that you don't just "mistype" them, even holding a phone upright - that was the classic "I write the way I speak because I don't know the correct spelling and pronunciation"