

On Fri, Jan 17, 2014 at 11:08 AM, Dirk Laurie <dirk.laurie@gmail.com> wrote:

It has also been suggested, in effect, that your code should be
saying

    if encrypted_password == encrypt(post.password) then

You could also have cryptography at both ends:

1. Client sends a request to authenticate.
2. Server sends a message together with the request: calculate
   encrypt(message,key) using your secret password as key,
   and send me the result. While waiting for the response, server
   does the same calculation.
3. Program does
   if encryption == post.encryption then

This will mean that unencrypted passwords never physically
travel along the communications line.

Of course, your 'encrypt' function should not afford a way of
recovering a key from a plaintext/cyphertext pair.

Yes, yes, tools like openssl offer this service transparently, but
some people are paranoid.

And in that case please use a vetted algorithm like SRP [1] instead of inventing your own...

I have done that for our products and it works nicely if you don't have to deal with old browsers whose JS engine takes ages to do the crypto calculations.

[1] http://srp.stanford.edu/


Dirk F.
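The three-step challenge-response exchange quoted above, written out as an added example that is not code from the thread or from either Dirk. It uses HMAC-SHA256 in place of the thread's `encrypt(message, key)`, since a keyed MAC satisfies the stated requirement that a plaintext/ciphertext pair must not give away the key; the `Server`, `derive_key`, `client_response` and `run_exchange` names, the PBKDF2 key derivation and the 30-second challenge lifetime are this example's own assumptions. Python is used rather than Lua only because its standard library ships `hmac` and `secrets`.

```python
import hashlib
import hmac
import secrets
import time

# Added example: the quoted three-step exchange with HMAC-SHA256 standing
# in for encrypt(message, key). All names below are this example's own.


def derive_key(password: str, salt: bytes) -> bytes:
    """Assumption: the shared key is a salted PBKDF2 derivation of the
    password, so the server stores this key rather than the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def mac(key: bytes, message: bytes) -> bytes:
    """The 'encrypt(message, key)' step: a keyed MAC, chosen because a
    message/tag pair observed on the wire does not reveal the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Server:
    CHALLENGE_TTL = 30.0  # seconds a challenge stays valid (assumed value)

    def __init__(self):
        self.users = {}    # username -> (salt, derived key)
        self.pending = {}  # username -> (challenge, time issued)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_key(password, salt))

    def issue_challenge(self, username: str):
        """Step 2: send a fresh random message (plus the user's salt).
        Unknown users get a random salt so the reply looks the same."""
        salt = self.users.get(username, (secrets.token_bytes(16), None))[0]
        challenge = secrets.token_bytes(32)
        self.pending[username] = (challenge, time.monotonic())
        return salt, challenge

    def verify(self, username: str, response: bytes) -> bool:
        """Step 3: the server's own calculation compared with the client's.
        A challenge is consumed on first use and expires after CHALLENGE_TTL,
        so a response that was already presented is not accepted again."""
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        challenge, issued = entry
        if time.monotonic() - issued > self.CHALLENGE_TTL:
            return False
        record = self.users.get(username)
        if record is None:
            return False
        _salt, key = record
        expected = mac(key, challenge)
        # constant-time comparison instead of the thread's plain ==
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side of step 2: only the MAC travels over the line,
    never the password itself."""
    return mac(derive_key(password, salt), challenge)


def run_exchange(server: Server, username: str, password: str) -> bool:
    """Steps 1 to 3 in order; returns the server's verdict."""
    salt, challenge = server.issue_challenge(username)     # steps 1 and 2
    response = client_response(password, salt, challenge)  # client's work
    return server.verify(username, response)               # step 3


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")  # constructed user
    print(run_exchange(srv, "alice", "correct horse battery staple"))  # True
    print(run_exchange(srv, "alice", "wrong password"))                # False
```

Note what this scheme still requires: the server holds the derived key, which for this protocol is as good as the password, so a copy of the user table would let anyone answer challenges. That is one reason the reply points at SRP, where the server keeps a verifier that is not itself sufficient to authenticate.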