Arieh.co.il

Introduction to UserAtuh

The problem

In many of our sites, we require the user to pass login information over insecure networks, without supplying HTTPS encryption. This makes the user vulnerable to several attacks involving the theft of his credentials.

UserAtuh supplies a mechanism with which the user never sends his full credentials over the network. Instead, the library creates a unique one-time hash on the client side, and verifies it with the server side data. This way, when JS is enabled, the user never actually sends his password over the network.

How does it work?

  1. When a login form is created, it is assigned a unique one-time key.
  2. When the user submits the form, the key is used to hash the password, which is then removed from the form.
  3. The form is then sent to the server side.
  4. The login credentials – the user name and the hashed password – are compared to the data on the server side. This is done by hashing the database password with the last key created, and comparing it to the one sent by the user.
  5. Since the key is one-time, even if a listener gets to fetch the key and the hashed password, he doesn't have anything useful to do with them (other than, obviously, a brute-force attack).

Usage

The usage is quite simple – it involves some configuration settings –

  1. The user-atuh.ini file contains simple database settings – the users table name, and the name and password fields. It also allows you to set a function to use to escape user input (this config file is only necessary if you plan on using the built-in DAOs). You can also choose not to use the ini file and pass an associative array with the same configuration keys instead.
  2. The UserAtuh.js file starts with a simple configuration file that lets you specify the login form's structure and an escaping function for the password. The last should be used if you only store hashed passwords in your database. By default, the library assumes all passwords on the database are stored as sha1 hashes.

Creating a login form

First we need to create a database access object. The library comes with two different classes for that purpose, but you can create any other type you like, as long as it implements the UserAtuhDbaI interface.

In this example we're going to use the UserAtuhDbaSession object, which uses the session variable to store the temporary keys. This method is the recommended one.

// Connect and select the database that holds the users table.
$link = mysql_connect("localhost","root","1234");
mysql_select_db("some_db",$link);
// Session-backed DAO; table and field names are read from user-atuh.ini.
$db = new UserAtuhDbaSession($link,'../configs/user-atuh.ini');

Next, we need to pass the DAO to the KeyHandler. This is the library's main object. It accepts two parameters – the first is a DAO, and the second, optional one can be used if you supplied a hashing function on the client side that wasn't used for storing the passwords. This can be used if for some reason you did not hash your database passwords. This should usually be left out.

$gen = new KeyHandler($db);

Next we need to create our form. Nothing fancy. A simple login form. The only special thing to note is the hidden temp-key field.

<form id='loginForm'
		action='login-session.php'
		method="post" >
<fieldset>
<ul id='menu'>
    <li>
    	<label for="user-name">user name
            <input type='text' id="user-name" name="user-name" />

        </label>
    </li>
    <li>
    	<label for="pwd">password
            <input type="password" id="pwd" name="pwd" />

        </label>
    </li>
    <li>
        <input type='submit' name="submit" id="submit" value="enter" />

        <!-- one-time key generated server side for this form -->
        <input type="hidden"
        		value="<?php echo $gen->getKey(); ?>"
        		id='temp-key' name='temp-key' />

    </li>
</ul>
</fieldset>
</form>
<script type='text/javascript' src='../js/UserAtuh.min.js'></script>
<noscript>Notice - Javascript is unavailable. This will cancel some of the security features the site provides to encrypt your credentials.</noscript>

I've also included the script file and a noscript tag. The latter warns the user that his data will be sent unencrypted.

The library comes with a third-party sha1 function, which must be included for the library to work. For your convenience, the minified version contains all you need in one file.

The last thing we need to do is to set the JS configuration and add the form event.

<script type="text/javascript">

// Element ids of the form and its fields, as used in the markup above.
UserAtuh.form_id = 'loginForm';
UserAtuh.pass_id = 'pwd';
UserAtuh.name_id = 'user-name';
UserAtuh.key_id = 'temp-key';

// Hash the password with the one-time key before the form is submitted.
document.getElementById('loginForm').onsubmit = function(){setEncryption();};
</script>

Now on to the login page.

Login Page

First we initialize our classes, the same way we did before:

$link = mysql_connect("localhost","root","1234");
mysql_select_db("some_db",$link);
$db = new UserAtuhDbaSession($link,'../configs/user-atuh.ini');
$gen = new KeyHandler($db);

We then take the POST values and check them with the KeyHandler's authenticate method.

$name = (isset($_POST['user-name'])) ? $_POST['user-name'] : '';
// 'enc' is the field the client script fills with the hashed password.
$enc  = (isset($_POST['enc']))       ? $_POST['enc']       : '';

if ($gen->authenticate($name,$enc,true)) {
	echo "logged in";
}else{
	echo "logged out";
}

That’s it. Clean and simple.

Drawbacks

There are a few weaknesses to this method –

  1. It will not work when JS is disabled. This is a very important thing to notice. But at the end of the day, we can do a few things to compensate – the first is that we can warn the user about this, which we did in our example. If it's important for us to allow non-JS users to log in, the library adds a special parameter that tells us whether the JS ran. We can use this to provide a second login method.
  2. It in no way provides foolproof protection. If, for example, the user has a key logger on his computer, there is nothing we can do about it. This is simply another way in which you can effectively enhance your security.

Links

  1. UserAtuh Page on github.