From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: Thu Oct 25 2001 - 10:08:12 CDT


    I'm certainly not planning on excluding anyone. I already have a JavaScript
    implementation, I'm certainly going to use it wherever possible.

    However, due to MS's jockeying and positioning, I CAN'T use the same
    solution for everyone.

    I HAVE to make sure that I support as many platforms as possible, and
    unfortunately, XP is going to be one of them. I can't just ignore it.

    Having said that, I still have to find a solution. Any ideas?

    Regarding Tom's SRP. It is crypto based, with a challenge response element,
    avoiding replay attacks, man in the middle attacks, etc.

    You could think of it as an improved NTLM auth, if you like. But the client
    has to do some processing, so as not to simply send the password in (SSL
    tunnelled, perhaps) clear text to the server. Ultimately, by performing the
    maths, the browser demonstrates that the user must know the password,
    without actually sending it to the server.

    Very clever, I think!

    Have a look at http://srp.stanford.edu/demo.html, you'll see what I mean.

    Rogan

    > -----Original Message-----
    > From: Mark Curphey [mailto:mark@curphey.com]
    > Sent: 25 October 2001 04:57
    > To: Dawes, Rogan (ZA - Johannesburg); webappsec@securityfocus.com
    > Subject: RE: Tom Wu's Secure Remote Password in IE6.0 XP?
    >
    >
    > <rant>
    >
    > I don't want to spark an anti-MS debate over this thread but
    > in my opinion
    > MS has unduly used its market again in not shipping a JRE. As soon as
    > technology is superior, they appear to find a good excuse why
    > it can't go
    > into popular desktop OS's and discourage its use, usually in
    > favor of their
    > own which magically is ready to be shipped with the latest product.
    >
    > Almost all good technology pundits will tell you Java and
    > J2EE is superior
    > technology. It's more widely adopted than proprietary
    > technologies and will
    > likely win through in the end. I for one am in the process of
    > converting my
    > life to a 100% Non-Microsoft one after the decision to drop Java (and
    > originally Java from the Visual Studio for .NET support). I
    > live in the US,
    > where I am used to being able to make choices for myself and
    > I intend to
    > make the choice of technology I have on my desktop for
    > myself. Other users
    > like my mother may not be able to make those choices for themselves.
    >
    > </rant>
    >
    > Few points :
    >
    > Why would u choose to put an active-x control on a desktop
    > with limited Unix
    > support and a huge upsurge in Linux on people's desktops ? You
    > are cutting
    > out a huge chunk of your customers....only 80% of the world
    > run MS, in large
    > user bases like Yahoo with 180 million users that's 23.6
    > million users who
    > wouldn't be able to use your system.
    >
    > Do it through a browser using open standards and you won't
    > have this problem
    > (MS may treat JavaScript like Java in view of its VBScript,
    > history would
    > say I am right !)
    >
    > Your customers will almost certainly need a JRE for other
    > applications so I
    > wouldn't be that concerned.
    >
    > I am not familiar with Tom Wu's scheme at all but implementing it in
    > JavaScript doesn't sound right to me...client-side validation can't be
    > trusted (at least not yet ;-))
    >
    > Mark
    >
    >
    >
    > -----Original Message-----
    > From: Dawes, Rogan (ZA - Johannesburg) [mailto:rdawes@deloitte.co.za]
    > Sent: Thursday, October 25, 2001 7:26 AM
    > To: webappsec@securityfocus.com
    > Subject: Tom Wu's Secure Remote Password in IE6.0 XP?
    >
    >
    > Hi folks,
    >
    > I am planning on implementing Tom Wu's Secure Remote Password
    > protocol for
    > logging in to a new web application that is being developed.
    > The nice thing
    > about SRP is that it can be used to protect the password from
    > the web site
    > operators as well - the password is never passed in a
    > recoverable format, so
    > there is no temptation for the admins etc.
    >
    > Tom has already assisted me in getting a JavaScript
    > implementation of it
    > working under both Netscape (using direct JavaScript calls to
    > the underlying
    > Java BigInteger classes) and Internet Explorer (using a tiny
    > Java wrapper
    > around the BigInteger classes). (See
    > http://srp.stanford.edu/demo.html)
    >
    > However, I understand that IE6.0 as shipped with Windows XP does not have a
    > Java Virtual Machine, and so this method will not work on the new XP clients
    > out there. That is, without requiring the client to download a 5MB JRE
    > first!
    >
    > I am now trying to find alternative mechanisms of implementing the
    > BigInteger functionality in these browsers.
    >
    > My thoughts are along the lines of an OCX, or other native Microsoft applet
    > (.NET?) that does not depend on Java. This would still be scripted by
    > JavaScript if necessary, as this would allow for updates without having to
    > recompile the OCX.
    >
    > Does this sound like a reasonable approach? If so, does anyone have any
    > pointers to existing solutions in this space?
    >
    > I am in charge of specifying the security, not coding the application, and
    > as such, am not really a web developer at all.
    >
    > Thanks for any suggestions.
    >
    > Rogan
    >
    > --
    > In God we Trust -- all others must submit an X.509 certificate.
    >      -- Charles Forsythe <forsythe@alum.mit.edu>
    > --
    > Deloitte & Touche Information Security Services
    > Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498
    > --
    > NOTE:  This e-mail message and its attachments is subject to the
    >        disclaimers as published at:
    >        http://www.deloitte.co.za/disc.htm#emaildisc
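Added example, not from this thread and not Tom Wu's demo code: both sides of one SRP-6a login in Python, showing what Rogan describes above, that the server holds only a salt and a verifier and that only a proof of the derived key, never the password, crosses the wire. It assumes the 1024-bit group from RFC 5054 and SHA-256 as the hash (the 2001 demo used its own parameters), and runs client and server in one process purely for illustration.

```python
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054 (assumed here; any SRP group works).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-256 over the inputs; ints are encoded as fixed-width big-endian bytes."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(NLEN, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def private_key(username, password, salt):
    """x = H(salt, H(username:password)); only ever computed on the client."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username, password):
    """Enrolment: the server stores (salt, verifier v = g^x mod N), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)

def srp_login(username, password, salt, v):
    """Both sides of one login. Returns (K_client, K_server) or None if a proof fails."""
    a = secrets.randbelow(N - 2) + 1           # client ephemeral secret
    A = pow(g, a, N)                           # client -> server: username, A
    b = secrets.randbelow(N - 2) + 1           # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N             # server -> client: salt, B
    if A == 0 or B == 0:
        return None                            # SRP-6a abort rule
    u = H(A, B)                                # scrambling parameter, known to both
    x = private_key(username, password, salt)  # client only: needs the password
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_c = H(S_c)
    M1 = H(A, B, K_c)                          # client -> server: proof of K
    S_s = pow(A * pow(v, u, N) % N, b, N)      # server: needs only v, never x
    K_s = H(S_s)
    if M1 != H(A, B, K_s):
        return None                            # wrong password: the proof fails
    M2 = H(A, M1, K_s)                         # server -> client: mutual proof
    return (K_c, K_s) if M2 == H(A, M1, K_c) else None
```

A stolen (salt, v) pair lets an attacker run a dictionary search offline, so the verifier file still needs protecting; what it does not do is reveal the password directly or let an admin log in as the user.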