-
Notifications
You must be signed in to change notification settings - Fork 2
SecurityLogin
One.Platform makes the login actions secure for the user, his password wll not be transferred in clear on the net,
this simple algorithm adds a security layer without requiring some SSL/TLS nor any certificate.
The concept is simple : it uses the SHA256 algorithm and a random salt to hide the password typed by the user :
The user types his password (named P0), the algorithm then creates a random salt, hashes the password (named H0) with the random salt (named S0)and then the form sends the hashed password and the random salt. The Platform stores these two informations in the user authentication table.
H0 = SHA256(P0 + S0)
The user types now his login and password to log in (named P1), the server has sent the salt S0 to the form. The algorithm now hashes P1 with S0 to create the hash H1, which – if the password is correct – should be the same as H0.
H1 = SHA256(P1 + S0)
To prevent network replay attacks, the hash H1 is once again hashed with a new random salt (named S1) generated
by the server to create H2 and then the form sends H2.
H2 = SHA256(H1 + S1)
Once the server recieves the hash H2, it hashes its hash H0 with the salt S1 to create H3 and compares the values. If the two hashes H2 and H3 are different, it means the password was not correct.
IF [ H2 = SHA256(H0 + S1) ] THEN ;
SUCCESS();
ELSE
FAILURE();
In this algorithm, the only known gap is the registration and the password change, the attacker can know H0 and therefore can substitute it to H1 in the logging in algorithm.