14-04-2014, 12:59 #41
https://github.com/Myrcon/Procon-2/issues/62
Tokens are now created and stored against user accounts. A token is a salted hash of the user's password hash, the token and an identifier.
The identifier is an ip (this would be the IP of the UI).
Pseudocode:
Code:
    // 1. Client authenticates with Username/Password; generate a new token for them.
    // Generating
    var tokenId = newGuid();
    var token = randomLongText();
    var identifier = "192.168.1.1";                                  // IP of the UI making the request
    var accountsPasswordHash = "previouslySetBCryptPasswordHash";    // already stored on the account
    var tokenHash = BCrypt(ShaHash(token + accountsPasswordHash + identifier));
    // ... store tokenId and tokenHash against the account (the raw token is not stored)
    // ... return "Success" authentication along with the generated Token and TokenId

    // 2. Later, on the next request, the client sends Token and TokenId (no username/password)
    if (TokenId == token.Id && token.Hash == BCrypt(ShaHash(Token + account.PasswordHash + identifier)))
    {
        // all good.
    }
The token itself is never stored on Procon C#'s side.
If the identifier isn't the same, the token check will fail.
If the user's password is modified (or just re-salted) then the token check will fail.
User has a maximum of 5 tokens by default. This would mean you can only have your account logged into 5 devices at the moment. I may increase this to 10. Given the 2 day limit, if you can login with 10 different devices then I envy that person's problems.
Anyway, all of this means that the UI only needs your password to authenticate initially with C#. If the session collection on the UI is ever dumped then the attackers will be able to access the C# Instance, but they won't have the user's original password (or a derivative of it).

--
I started at DICE late Oct. 2014, so ignore every post before that.
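The token scheme described in the post, worked through as an added example (this is not Procon's code). It mirrors the hash construction, the identifier binding, the password-change invalidation, the 5-token cap and the 2-day limit; BCrypt is swapped for PBKDF2-HMAC-SHA256 with an explicit salt so it runs on the standard library alone, and the comparison is made constant-time.

```python
import hashlib, hmac, os

# Constructed stand-in for the scheme in the post:
#   token_hash = SlowHash(Sha(token + account_password_hash + identifier))
# BCrypt is replaced by PBKDF2-HMAC-SHA256 with an explicit salt so this runs on
# the standard library alone (an assumption, not Procon's code).
MAX_TOKENS = 5
TOKEN_LIFETIME = 2 * 24 * 3600  # the "2 day limit" the post mentions, in seconds

def _hash(token, password_hash, identifier, salt):
    inner = hashlib.sha256((token + password_hash + identifier).encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", inner, salt, 100_000)

def issue_token(account, identifier, now):
    """Create a token; only its id, salt, hash and creation time are stored."""
    tokens = account.setdefault("tokens", {})
    for tid in [t for t, r in tokens.items() if now - r["created"] > TOKEN_LIFETIME]:
        del tokens[tid]  # purge expired entries first
    while len(tokens) >= MAX_TOKENS:  # cap reached: evict the oldest token
        del tokens[min(tokens, key=lambda t: tokens[t]["created"])]
    token_id, token, salt = os.urandom(16).hex(), os.urandom(32).hex(), os.urandom(16)
    tokens[token_id] = {"salt": salt, "created": now,
                        "hash": _hash(token, account["password_hash"], identifier, salt)}
    return token_id, token  # the raw token is returned to the client only

def check_token(account, token_id, token, identifier, now):
    """Recompute the hash from what the client presents; any changed input fails."""
    rec = account.get("tokens", {}).get(token_id)
    if rec is None or now - rec["created"] > TOKEN_LIFETIME:
        return False
    expected = _hash(token, account["password_hash"], identifier, rec["salt"])
    return hmac.compare_digest(expected, rec["hash"])  # constant-time compare

def demo():
    """Walks through the failure cases the post lists; returns each outcome."""
    acct = {"password_hash": "constructed-bcrypt-hash-placeholder"}
    t0 = 1_000_000.0
    tid, tok = issue_token(acct, "192.168.1.1", t0)
    out = {"valid": check_token(acct, tid, tok, "192.168.1.1", t0 + 60),
           "wrong_ip": check_token(acct, tid, tok, "10.0.0.9", t0 + 60),
           "expired": check_token(acct, tid, tok, "192.168.1.1", t0 + TOKEN_LIFETIME + 1)}
    for _ in range(MAX_TOKENS):  # a 6th device pushes the first token out
        issue_token(acct, "192.168.1.1", t0 + 120)
    out["evicted"] = check_token(acct, tid, tok, "192.168.1.1", t0 + 180)
    tid2, tok2 = issue_token(acct, "192.168.1.1", t0 + 200)
    acct["password_hash"] = "re-salted-hash-placeholder"  # password changed or re-salted
    out["password_changed"] = check_token(acct, tid2, tok2, "192.168.1.1", t0 + 260)
    return out
```

Calling `demo()` returns one boolean per case; only the first (matching token, identifier and unchanged password, within the lifetime) is true.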