Corrected documentation

[CGIscriptor.git] / Private / manual.html

<html>
<head>
<title>
        Private data
</title>
<script type="text/javascript">
<SCRIPT TYPE="text/ssperl" SRC="./JavaScript/PlainPage.js"></SCRIPT>
</script>
</head>
<body>
<p>
<table width='100%'><tr>
        <td style='text-align: left'><a href="/index.html">Home</a></td> 
        <td style='text-align: right'><a href="?LOGOUT">Logout</a></td>
</tr></table>
</p>
<p ALIGN=RIGHT><a href="ChangePassword.html">Change Password</a><br />
<a href="CreateUser.html">Create New User Account</a>
</p>
<h1 align=CENTER>Manual</h1>
<p align=CENTER>Logged in from <script type="text/ssperl" CGI='$LOGINIPADDRESS="" $LOGINPATH=""'>"$LOGINIPADDRESS $LOGINPATH"</script></p>
<p align=CENTER><form method=GET action="index.html">
        <p align=CENTER><input type="submit" value="Go back to Private home page" /></p>
        </form>
        </p>


<A NAME="SESSIONTICKETS"><H2 ALIGN="CENTER">SERVER SIDE SESSIONS AND ACCESS CONTROL (LOGIN)</H2></A>
<p>
An infrastructure for user acount authorization and file access control
is available. Each request is matched against a list of URL path patterns.
If the request matches, a Session Ticket is required to access the URL.
This Session Ticket should be present as a CGI parameter or Cookie, eg:
</p>
<p>
CGI: SESSIONTICKET=&lt;value&gt;<br />
Cookie: CGIscriptorSESSION=&lt;value&gt;</p>
<p>
The example implementation stores Session Tickets as files in a local
directory. To create Session Tickets, a Login request must be given 
with a LOGIN=&lt;value&gt; CGI parameter, a user name and a (doubly hashed)
password. The user name and (singly hashed) password are stored in a
PASSWORD ticket with the same name as the user account (name cleaned up 
for security). There is a <a href="/PrivateTutorial.html">Tutorial of the authorization
application</a>.
</p>
<p>
The example session model implements 3 functions:
<ol>
<li>Login<br />
The password is hashed with the user name and server side salt, and then 
hashed with a random salt. Client and Server both perform these actions 
and the Server only grants access if results are the same. The server 
side only stores the password hashed with the user name and
server side salt. Neither the plain password, nor the hashed password is
ever exchanged. Only values hashed with the one-time salt are exchanged.
</li>
<li>Session<br />
For every access to a restricted URL, the Session Ticket is checked before
access is granted. There are three session modes. The first uses a fixed
Session Ticket that is stored as a cookie value in the browser (actually, 
as a sessionStorage value). The second uses only the IP address at login
to authenticate requests. The third
is a Challenge mode, where the client has to calculate the value of the
next one-time Session Ticket from a value derived from the password and 
a random string.
</li>
<li>Password Change<br />
A new password is hashed with the user name and server side salt, and 
then encrypted (XORed)
with the old password hashed with the user name and salt. That value is 
exchanged and XORed with the stored old hashed(salt+password+username). 
Again, the stored password value is never exchanged unencrypted.
</li>
</ol>
</p>
<H3 ALIGN="CENTER">Implementation</H3>
<p>
The session authentication mechanism is based on the exchange of ticket
identifiers. A ticket identifier is just a string of characters, a name 
or a random 64 character hexadecimal string. Authentication is based 
on a (password derived) shared secret and the ability to calculate ticket
identifiers from this shared secret. Ticket identifiers should be
"safe" filenames (except user names). At the server side, there are four 
types of tickets:
<ul>
<li>PASSWORD: User account descriptors, including a user name and password</li>
<li>LOGIN: Temporary anonymous tickets used during login</li>
<li>IPADDRESS: Authentication tokens that allow access based on the IP address of the request</li>
<li>SESSION: Reusable authentication tokens</li>
<li>CHALLENGE: One-time authentication tokens</li>
</ul>
All tickets can have an expiration date in the form of a time duration 
from creation, in seconds, minutes, hours, or days (<em>+duration</em>[smhd]).
An absolute time can be given in seconds since the epoch of the server host.
Accounts can include a maximal lifetime for session tickets (MaxLifetime).
</p>
<p>
A Login page should create a LOGIN ticket file locally and send a
server specific salt, a Random salt, and a LOGIN ticket 
identifier. The server side compares the username and hashed password, 
actually hashed(hashed(password+username+serversalt)+ REMOTE_ADDR + Random salt) 
from the client with the values it calculates from the stored Random salt from 
the LOGIN ticket and the hashed(password+username+serversalt) from the 
PASSWORD ticket. If successful, a new SESSION ticket is generated as a (double) 
hash sum of the LOGIN ticket and the stored password, i.e. 
LoginTicket = hashed(hashed(password+username+serversalt)+Random salt) and
SessionTicket = hashed(hashed(LoginTicket).LoginTicket).
This SESSION ticket should also be generated by the client and stored as 
sessionStorage and cookie values as needed. The Username, IP address and 
Path are available as $LoginUsername, $LoginIPaddress, and $LoginPath, 
respectively.
</p>
<p>
The CHALLENGE protocol stores the single hashed version of the SESSION tickets. 
However, this value is not exchanged, but kept secret in the JavaScript
<em>sessionStorage</em> object. Instead, every page returned from the 
server will contain a one-time Challenge value ($CHALLENGETICKET) which 
has to be hashed with the stored value to return the current ticket
id string.
</p>
<p>
In the current example implementation, all random values are created as
full, 256 bit SHA256 hash values (Hex strings) of 64 bytes read from 
/dev/urandom.
</p>

<H3 ALIGN="CENTER">Authorization</H3>
<p>
A limited level of authorization tuning is build into the login system. 
Each account file (PASSWORD ticket file) can contain a number of 
<em>Capabilities</em> lines. These control special priveliges. The
Capabilities can be checked inside the HTML pages as part of the
ticket information. Two privileges are handled internally: 
<em>CreateUser</em> and <em>VariableREMOTE_ADDR</em>. 
<em>CreateUser</em> allows the logged in user to create a new user account. 
With <em>VariableREMOTE_ADDR</em>, the session of the logged in user is 
not limited to the Remote IP address from which the inital log-in took 
place. Sessions can hop from one apparant (proxy) IP address to another, 
e.g., when using <a href="https://www.torproject.org/">Tor</a>. Any 
IPaddress patterns given in the PASSWORD ticket file remain in effect 
during the session. For security reasons, the <em>VariableREMOTE_ADDR</em> 
capability is only effective if the session type is <em>CHALLENGE</em>.
</p>

<H3 ALIGN="CENTER">Security considerations with Session tickets</H3>
<p>
For strong security, please use end-to-end encryption. This can be 
achieved using a VPN (Virtual Private Network), SSH tunnel, or a HTTPS 
capable server with OpenSSL. The session ticket system of CGIscriptor.pl 
is intended to be used as a simple authentication mechanism WITHOUT
END-TO-END ENCRYPTION. The authenticating mechanism tries to use some
simple means to protect the authentication process from eavesdropping.
For this it uses a secure hash function, SHA256. For all practial purposes,
it is impossible to "decrypt" a SHA256 sum. But this login scheme is
only as secure as your browser. Which, in general, is not very secure.
</p>
<p>
Humans tend to reuse passwords. A compromise of a site running 
CGIscriptor.pl could therefore lead to a compromise of user accounts at 
other sites. Therefore, plain text passwords are never stored, used, or 
exchanged. Instead, a server site salt value is "encrypted" with 
the plain password and user name. Actually, all are concatenated and hashed 
with a one-way secure hash function (SHA256) into a single string. 
Whenever the word "password" is used, this hash sum is meant. Note that
the salts are generated from /dev/urandom. You should check whether the
implementation of /dev/urandom on your platform is secure before 
relying on it. This might be a problem when running CGIscriptor under 
Cygwin on MS Windows.<br />
<em>Note: no attempt is made to slow down the password hash, so bad
passwords can be cracked by brute force</em>
</p>
<p>
As the (hashed) passwords are all that is needed to identify at the site,
these should not be stored in this form. A site specific passphrase
can be entered as an environment variable ($ENV{'CGIMasterKey'}). This
phrase is hashed with the server site salt and the result is hashed with
the user name and then XORed with the password when it is stored. Also, to
detect changes to the account (PASSWORD) and session tickets, a 
(HMAC) hash of some of the contents of the ticket with the server salt and 
CGIMasterKey is stored in each ticket.
</p>
<p>
Creating a valid (hashed) password, encrypt it with the CGIMasterKey and
construct a signature of the ticket are non-trivial. This has to be redone
with every change of the ticket file or CGIMasterKey change. CGIscriptor 
can do this from the command line with the command:
<pre>
perl CGIscriptor.pl --managelogin salt=Private/.Passwords/SALT \
  masterkey='Sherlock investigates oleander curry in Bath' \
  password='There is no password like more password' \
  admin
</pre>
CGIscriptor will exit after this command with the first option being 
<em>--managelogin</em>. Options have the form:
<ul>
<li>salt=[file or string]<br />Server salt value to use io the value 
    stored in the ticket file. Will replace the stored value if a new
    password is given. If you change the server salt, you have to
    reset all the passwords. There is <em>absolutely no</em> procedure known
    to recover plaintext passwords, except asking the account holders.
    You are strongly adviced to make a backup before you apply such a change</li>
<li>masterkey=[file or string]<br />CGIMasterKey used to read and decrypt 
    the ticket</li>
<li>newmasterkey=[file or string]<br />CGIMasterKey used to encrypt, sign, 
    and write the ticket. Defaults to the masterkey. If you change
    the masterkey, you will have to reset all the accounts. You are strongly 
    adviced to make a backup before you apply such a change</li>
<li>password=[file or string]<br />New plaintext password</li>
</ul>
When the value of an option is a existing file path, the first line of 
that file is used. Options are followed by one or more paths plus names 
of existing ticket files. Each password option is only used for a single 
ticket file. It is most definitely a bad idea to use a password that is 
identical to an existing filepath, as the file will be read instead. Be
aware that the name of the file should be a cleaned up version of the
Username.This will not be checked.
</p>
<p>
For the authentication and a change of password, the (old) password 
is used to "encrypt" a random one-time token or the new password, 
respectively. For authentication, decryption is not needed, so a secure 
hash function (SHA256) is used to create a one-way hash sum "encryption". 
A new password must be decrypted. New passwords are encryped by XORing 
them with the old password.
</p>
<p>
There are four default accounts present: <em>testip, test, testchallenge</em>, and
<em>admin</em>. The former three have password <em>testing</em>, the latter has password
<em>There is no password like more password</em>. The <em>admin</em>
account is disabled by default. You can enable it with a new password
using the <tt>--managelogin</tt> option. All four accounts are limited to local 
(<em>localhost</em>) requests. When present, <em>testip, test</em>, and
<em>testchallenge</em> are reactivated with the default password <em>testing</em>
whenever a new SALT is automatically generated. It is adviced that the <em>test</em>
accounts are removed when setting up a site.
</p>

<h3 align=CENTER>Strong Passwords: It is so easy</h3>
<p align=CENTER><em>If you only could see what you are typing</em></p>
<p >
Your password might be vulnerable to 
<a href="https://en.wikipedia.org/wiki/Brute_force_attack">
<em>brute force</em></a> guessing. Protections against such attacks are 
costly in terms of code complexity, bugs, and execution time.
However, there is a very simple and secure counter measure. See the 
<a href="http://xkcd.com/936/" target="_blank">XKCD comic</a>. The phrase, 
<em>There is no password like more password</em> would 
be both much easier to remember, and still stronger than 
<em>h4]D%@m:49</em>, at least before this phrase was pasted as an example 
on the Internet.<br />
For the procedures used at this site, a basic computer setup can check 
in the order of a billion passwords per second. You need a password (or 
phrase) strength in the order of 56 bits to be a little secure (one year 
on a single computer). One of the largest network in the world, Bitcoin 
mining, can check some 12 terahashes per second (June 2012). This 
corresponds to checking 6 times 10<sup>12</sup> passwords per second. 
It would take a passwords strength of ~68 bits to keep the equivalent of 
the Bitcoin computer network occupied for around a year before it found 
a match.<br />
Please be so kind and add the name of your favorite flower, dish, 
fictional character, or small town to your password. Say, 
<em>Oleander</em>, <em>Curry</em>, <em>Sherlock</em>, or <em>Bath</em>, UK 
(each adds ~12 bits) or even the phrase <em>Sherlock investigates 
oleander curry in Bath</em> (adds &gt; 56 bits, note that oleander is 
<em>poisonous</em>, so do not try this curry at home). That would be more 
effective than adding a thousand rounds of encryption. <br />
Typing long passwords without seeing what you are typing is problematic. 
So a button should be included to make password visible. 
</p>
<h3 align=CENTER>Man in the Middle attack</h3>
<p>
The example Login page is vulnerable to a Man-in-the-Middle (MITM) attack.
One fundamental weakness of the implemented procedure is that the Client obtains
the code to encrypt the passwords from the server. It is the JavaScript 
code in the HTML pages. An attacker who could place herself between Server 
and Client, a man in the middle attack (MITM), could change the code to 
reveal the plaintext password and other information. There is no real 
protection against this attack without end-to-end encryption and 
authentication.
<p>
A simple, but rather cumbersome, way to check for such 
attacks would be to store known good copies of the pages (downloaded 
with a browser or automatically with <em>curl</em> or <em>wget</em>) and 
then use other tools to download new pages at random intervals and compare
them to the old pages. For instance, the following line would remove the 
variable ticket codes and give a fixed SHA256 sum for the original 
<em>Login.html</em> page+code:
<pre>
curl http://localhost:8080/Private/index.html | sed 's/=\"[a-z0-9]\{64\}\"/=""/g' | shasum -a 256
</pre>
A simple <em>diff</em> command between old and new files should give 
only differences in half a dozen lines, where only hexadecimal salt 
values will actually differ.
</p>
<p>
A sort of solution for the MITM attack problem that <em>might</em> protect at
least the plaintext password would be to run a trusted web
page from local storage to handle password input. The solution would be
to add a hidden iFrame tag loading the untrusted page from the URL and
extract the needed ticket and salt values. Then run the stored, trusted,
code with these values. It is not (yet) possible to set the
required session storage inside the browser, so this method only works
for IPADDRESS sessions and plain SESSION tickets. There are many security 
problems with this "solution".
</p>
<p>
If you are able to ascertain the integrity of the login page using any
of the above methods, you can check whether the IP address seen by the
login server is indeed the IP address of your computer. The IP address
of the REMOTE_HOST (your visible IP address) is part of the login 
"password". It is stored in the login page as a CLIENTIPADDRESS. It can 
can be inspected by clicking the "Check IP address" box. Provided the
MitM attacker cannot spoof your IP address, you can ensure that the login
server sees your IP address and not that of an attacker.
</p> 
</body>
</html>