Age | Commit message (Collapse) | Author |
|
must send the server the password. I wasn't happy about doing this
in plaintext, so I've incorporated slowAES on both the client and the server to encrypt the password before it is sent, using the key generated
in the first SRP transaction.
|
|
If a user exists in the auth table but not the srp table, the server sends back the algorithm and salt needed to hash the password. The hashed
password is used to authenticate the user.
After the server authenticates the user and the user verifies the identity of the server, the user sends the password in plaintext. The server
uses the plaintext password to calculate the verifier and stores. Finally, the client reinitiates the login process.
|
|
upgrade to SRP.
Currently, I've added functionality that will allow the importation of hash.min.js. This is made possible by some code that executes when the
script is loaded. This particular code doesn't pack properly, so currently I'm having the pack script append it to the end (unpacked).
This requires that clients use the packed version for two reasons. First, the unpacked code lacks the function that gets the source path. Second,
it loads hash.min.js. The first problem can be fixed if I can figure out how to get the code to pack properly. The second problem can be solved
by checking whether the current script is "srp.js" or "srp.min.js", and loading either (MD5.js & SHA1.js) or hash.min.js respectively.
Next we will need to write code where the server detects users who exist in the auth.models.User table, but not the srp.models.User table.
|