<section id="info">
<div class="row-fluid">
<div class="span8">
<h2>Features</h2>
<ul class="with-icons">
<li><i class="icon-refresh"></i>Mutual handshake - validates server on login</li>
<li><i class="icon-lock"></i>Using strong cryptography</li>
<li><i class="icon-eye-close"></i>Eavesdropping on the network reveals nothing useful</li>
<li><i class="icon-random"></i>Challenge-response prevents replay attacks</li>
<li><i class="icon-hdd"></i>Seeding (salting) prevents dictionary attacks on the server</li>
</ul>
</div>
<div class="span4">
<h2>Resources</h2>
<p>
<a href="http://srp.stanford.edu/">Official website at Stanford</a>
</p>
<p>
<a href="https://en.wikipedia.org/wiki/Secure_remote_password_protocol">Wikipedia Article on SRP</a>
</p>
<p>Libraries and Implementations:</p>
<ul>
<li>
<a href="http://srp.stanford.edu/download.html">C library</a>
with telnet and ftp <i>(scroll down)</i>
</li>
<li>
<a href="http://srp.stanford.edu/download.html">OpenSSL patches</a>
</li>
<li>
<a href="http://www.bouncycastle.org">Java and C# implementations</a>
</li>
</ul>
</div>
</div>
</section>
<section id="demo">
<h1 class="page-header">Try it ... <small>It works just like a normal password - but it's safer.</small></h1>
<div class="row-fluid">
<div class="span4">
<h2>1. Signup</h2>
<p>
Your browser transfers an encrypted verifier based on your password, but it does not send the password itself.
</p>
<% if @user %>
<h4> You are signed up as <%= @user.login %>. </h4>
<% end %>
<%= button_link(:signup, :primary => !@user) %>
</div>
<div class="span4">
<h2>2. Login</h2>
<p>
You enter your password - your browser exchanges encrypted data with the site to check whether it was the right one.
</p>
<% if @user && @user.active %>
<h4> You are logged in.</h4>
<% end %>
<%= button_link(:login, :primary => @user && !@user.active) %>
</div>
<div class="span4">
<h2>3. Verify</h2>
<p>
You can see from the logs that your password was not sent. The login process is different each time, so it cannot be replayed.
</p>
<%= button_link(:verify, :primary => @user && @user.active) %>
</div>
</div>
<div class="row-fluid">
<div class="span4">
</div>
<div class="span4">
</div>
<div class="span4">
</div>
</div>
<div class="row-fluid">
<div class="span4">
</div>
</div>
</section>