From: Dawes, Rogan (ZA - Johannesburg) (rdawesdeloitte.co.za)
Date: Thu Oct 25 2001 - 09:25:38 CDT

    Hi folks,

    I am planning on implementing Tom Wu's Secure Remote Password protocol for
    logging in to a new web application that is being developed. The nice thing
    about SRP is that it can be used to protect the password from the web site
    operators as well - the password is never passed in a recoverable format, so
    there is no temptation for the admins etc.

    Tom has already assisted me in getting a JavaScript implementation of it
    working under both Netscape (using direct JavaScript calls to the underlying
    Java BigInteger classes) and Internet Explorer (using a tiny Java wrapper
    around the BigInteger classes). (See http://srp.stanford.edu/demo.html)

    However, I understand that IE6.0 as shipped with Windows XP does not have a
    Java Virtual Machine, and so this method will not work on the new XP clients
    out there. That is, without requiring the client to download a 5MB JRE
    first!

    I am now trying to find alternative mechanisms of implementing the
    BigInteger functionality in these browsers.

    My thoughts are along the lines of an OCX, or other native Microsoft applet
    (.NET?) that does not depend on Java. This would still be scripted by
    JavaScript if necessary, as this would allow for updates without having to
    recompile the OCX.

    Does this sound like a reasonable approach? If so, does anyone have any
    pointers to existing solutions in this space?

    I am in charge of specifying the security, not coding the application, and
    as such, am not really a web developer at all.

    Thanks for any suggestions.

    Rogan

    --
    In God we Trust -- all others must submit an X.509 certificate.
         -- Charles Forsythe <forsythealum.mit.edu>
    --
    Deloitte & Touche Information Security Services
    Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498
    --
    NOTE:  This e-mail message and its attachments are subject to the
           disclaimers as published at:
           http://www.deloitte.co.za/disc.htm#emaildisc