Metadata-Version: 2.0
Name: django-secure-js-login
Version: 0.2.0
Summary: JavaScript Challenge-handshake authentication django app
Home-page: https://github.com/jedie/django-secure-js-login
Author: Jens Diemer
Author-email: UNKNOWN
License: UNKNOWN
Platform: UNKNOWN
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: GNU General Public License (GPL)
Classifier: Programming Language :: Python
Classifier: Programming Language :: JavaScript
Classifier: Framework :: Django
Classifier: Topic :: Database :: Front-Ends
Classifier: Topic :: Documentation
Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
Classifier: Topic :: Internet :: WWW/HTTP :: Site Management
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
Classifier: Operating System :: OS Independent
Requires-Dist: Django (>=1.7,<1.9)

======================
django-secure-js-login
======================

JavaScript Challenge-handshake authentication django app.

+-----------------------------------+------------------------------------------------+
| |Build Status on travis-ci.org|   | `travis-ci.org/jedie/django-secure-js-login`_  |
+-----------------------------------+------------------------------------------------+
| |Coverage Status on coveralls.io| | `coveralls.io/r/jedie/django-secure-js-login`_ |
+-----------------------------------+------------------------------------------------+

.. |Build Status on travis-ci.org| image:: https://travis-ci.org/jedie/django-secure-js-login.svg
.. _travis-ci.org/jedie/django-secure-js-login: https://travis-ci.org/jedie/django-secure-js-login/
.. |Coverage Status on coveralls.io| image:: https://coveralls.io/repos/jedie/django-secure-js-login/badge.svg
.. _coveralls.io/r/jedie/django-secure-js-login: https://coveralls.io/r/jedie/django-secure-js-login

First:
Secure-JS-Login is not a simple *"send username + PBKDF2-SHA(password)"* scheme.
It is a `Challenge-handshake authentication protocol <http://en.wikipedia.org/wiki/Challenge-handshake_authentication_protocol>`_!

TODO:

* fix "next_url" and all links in example project

--------------
The procedure:
--------------

Save a new user password:
-------------------------

Client browser / JavaScript part:

#. User enters a password

#. ``init_pbkdf2_salt = SHA1(random data)``

#. ``pbkdf2_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)``

#. Client sends **init_pbkdf2_salt** and **pbkdf2_hash** to the server

Server part:

#. Server splits **pbkdf2_hash** into **first_pbkdf2_part** and **second_pbkdf2_part**

#. ``encrypted_part = xor_encrypt(first_pbkdf2_part, key=second_pbkdf2_part)``

#. Server saves only **encrypted_part** and the **init_pbkdf2_salt** given by the client

Login - client browser / JavaScript part:
-----------------------------------------

#. User requests login

#. Server sends the HTML login form with a random **server_challenge** value

#. User enters **username** and **password**

#. An Ajax request fetches the **init_pbkdf2_salt** from the server for the given **username**

#. Generate the auth data:

    #. ``pbkdf2_temp_hash = pbkdf2("Plain Password", salt=init_pbkdf2_salt)``

    #. split **pbkdf2_temp_hash** into **first_pbkdf2_part** and **second_pbkdf2_part**

    #. ``cnonce = SHA1(random data)``

    #. ``pbkdf2_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)``

#. Send **pbkdf2_hash**, **second_pbkdf2_part** and **cnonce** to the server

validation on the server
------------------------

#. Client POSTs: **pbkdf2_hash**, **second_pbkdf2_part** and **cnonce**

#. Get the previously sent **server_challenge** value from the session

#. Get **encrypted_part** and **init_pbkdf2_salt** from the database for the given **username**

#. ``first_pbkdf2_part = xor_decrypt(encrypted_part, key=second_pbkdf2_part)``

#. ``test_hash = pbkdf2(first_pbkdf2_part, salt=cnonce + server_challenge)``

#. Compare **test_hash** with the transmitted **pbkdf2_hash**
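The whole exchange above (saving a password, the client's login computation and the server-side validation) carried through in Python, as an added example that is not the project's own code. ``pbkdf2`` is assumed to be PBKDF2-HMAC-SHA1 from ``hashlib``, ``xor_encrypt``/``xor_decrypt`` a byte-wise XOR over the two hex halves, and the iteration count is a constructed value since the page does not state the project's default.

```python
import hashlib
import os
from hmac import compare_digest

ITERATIONS = 1000  # constructed; the page does not state the project's default

def pbkdf2(password, salt: str) -> str:
    """PBKDF2-HMAC-SHA1 as a 40-char hex string, standing in for the JS pbkdf2()."""
    if isinstance(password, str):
        password = password.encode()
    return hashlib.pbkdf2_hmac("sha1", password, salt.encode(), ITERATIONS).hex()

def sha1_random() -> str:
    """SHA1(random data): used for init_pbkdf2_salt, cnonce and server_challenge."""
    return hashlib.sha1(os.urandom(32)).hexdigest()

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR; it is its own inverse, so it serves as xor_encrypt and xor_decrypt."""
    return bytes(a ^ b for a, b in zip(data, key))

def split_halves(hex_hash: str):
    return hex_hash[:len(hex_hash) // 2], hex_hash[len(hex_hash) // 2:]

# Saving a new password: client side, then server side.
def client_register(password: str):
    init_pbkdf2_salt = sha1_random()
    return init_pbkdf2_salt, pbkdf2(password, init_pbkdf2_salt)

def server_store(init_pbkdf2_salt: str, pbkdf2_hash: str) -> dict:
    first, second = split_halves(pbkdf2_hash)
    encrypted_part = xor_crypt(first.encode(), second.encode()).hex()
    # only the salt and the XOR-encrypted half are persisted; the password is not
    return {"init_pbkdf2_salt": init_pbkdf2_salt, "encrypted_part": encrypted_part}

# Login: client answers server_challenge, server re-derives the answer and compares.
def client_login(password: str, init_pbkdf2_salt: str, server_challenge: str):
    first, second = split_halves(pbkdf2(password, init_pbkdf2_salt))
    cnonce = sha1_random()
    pbkdf2_hash = pbkdf2(first, cnonce + server_challenge)
    return pbkdf2_hash, second, cnonce  # the three values POSTed to the server

def server_validate(record: dict, server_challenge: str, pbkdf2_hash: str,
                    second_pbkdf2_part: str, cnonce: str) -> bool:
    encrypted_part = bytes.fromhex(record["encrypted_part"])
    if len(second_pbkdf2_part) != len(encrypted_part):
        return False
    first = xor_crypt(encrypted_part, second_pbkdf2_part.encode())
    test_hash = pbkdf2(first, cnonce + server_challenge)
    return compare_digest(test_hash, pbkdf2_hash)
```

A correct password validates, a wrong one does not, and a captured response replayed under a fresh ``server_challenge`` is rejected because the challenge is part of the salt.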

secure?
=======

Secure-JS-Login is not really secure in comparison to https! For example, the client cannot verify whether it is really communicating with the server or with a `Man-in-the-middle attack <https://en.wikipedia.org/wiki/Man-in-the-middle_attack>`_.

However, the procedure used is safer than plain-text authentication. In addition, no plain-text passwords are stored on the server, and the data stored on the server cannot be used on their own to log in.

If you have `https <http://en.wikipedia.org/wiki/HTTPS>`_, you can combine it with Secure-JS-Login, similar to combining digest auth with https.

More information: `Warum Secure-JS-Login Sinn macht... <http://www.pylucid.org/permalink/35/warum-js-sha-login-sinn-macht>`_ (german only, sorry)

why?
====

Many, if not all, CMS/wiki/forum systems use an insecure login: user name and password are sent in **plaintext** over the Internet. Only `https`_ offers a reliable solution.

The problem: no provider offers a secured HTTP connection for little money :(

alternative solutions
=====================

* `Digest access authentication <http://en.wikipedia.org/wiki/Digest_access_authentication>`_ (a Django implementation exists: `django-digest <http://bitbucket.org/akoha/django-digest/wiki/Home>`_):

    * pro

        * Browsers implement it, so no additional JavaScript is needed

    * cons

        * The password hash must be saved on the server without any salt, and the hash itself can be used for login, because: ``hash = MD5(username:realm:password)``

        * Uses the old MD5 hash

------
tryout
------

e.g.:

::

    ~ $ virtualenv secure-js-login-env
    ~ $ cd secure-js-login-env
    ~/secure-js-login-env $ source bin/activate

    # install secure-js-login as "editable" to have access to example project server and unittests:

    (secure-js-login-env)~/secure-js-login-env $ pip install -e git+git://github.com/jedie/django-secure-js-login.git#egg=django-secure-js-login

run example project server:

::

    (secure-js-login-env)~/secure-js-login-env $ cd src/django-secure-js-login/
    (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./run_example_server.sh

run unittests:

::

    (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py

to run the Live-Server-Tests, install `selenium <https://pypi.python.org/pypi/selenium>`_ e.g.:

::

    (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ pip install selenium
    (secure-js-login-env)~/secure-js-login-env/src/django-secure-js-login $ ./runtests.py

---------------------
Version compatibility
---------------------

+-----------------+------------+------------+
| secure-js-login | Django     | Python     |
+=================+============+============+
| >=v0.1.0        | v1.7, v1.8 | v2.7, v3.4 |
+-----------------+------------+------------+

(These are the variants covered by the unittests. Other versions may be compatible, too.)

---------
changelog
---------

* v0.2.0 - 10.05.2015:

    * increase default PBKDF2 iteration after test on a Raspberry Pi 1

    * more unittests

    * Honeypot login raises "normal" form errors

    * code cleanup

    * Documentation update

* v0.1.0 - 06.05.2015:

    * initial release as reusable app

    * Use PBKDF2

* 03.05.2015:

    * Split from `PyLucid CMS 'auth' plugin <https://github.com/jedie/PyLucid/tree/7ee6f8312e7ade65ff3604eb9eab810c26c43ccb/pylucid_project/pylucid_plugins/auth>`_

* 03.2010:

    * `Use ajax request via jQuery <http://www.python-forum.de/viewtopic.php?p=163746#p163746>`_ (de)

* 11.07.2007:

    * `New SHA challenge response procedure <http://www.python-forum.de/viewtopic.php?p=72926#p72926>`_ (de)

* 01.06.2005:

    * `first implementation of a MD5 login in PyLucid <http://www.python-forum.de/viewtopic.php?f=5&t=3345>`_ (de)

----------
info links
----------

* Python-Forum Threads (de):

    * `Digest auth als Alternative? <http://www.python-forum.de/viewtopic.php?f=7&t=22163>`_ (03.2010)

    * `Sinn oder Unsinn des PyLucids Secure-JS-Login... <http://www.python-forum.de/viewtopic.php?f=3&t=8180>`_ (12.2006)

    * `Wie Session-Hijacking verhindern? <http://www.python-forum.de/topic-8182.html>`_ (12.2006)

* `Diskussion auf de.comp.lang.python <https://groups.google.com/forum/#!topic/de.comp.lang.python/jAbfc26Bg_k>`_ (08.2006)

-------------
project links
-------------

+-----------------+--------------------------------------------------------+
| Github          | `http://github.com/jedie/django-secure-js-login`_      |
+-----------------+--------------------------------------------------------+
| Python Packages | `http://pypi.python.org/pypi/django-secure-js-login/`_ |
+-----------------+--------------------------------------------------------+
| Travis CI       | `https://travis-ci.org/jedie/django-secure-js-login/`_ |
+-----------------+--------------------------------------------------------+

.. _http://github.com/jedie/django-secure-js-login: http://github.com/jedie/django-secure-js-login
.. _http://pypi.python.org/pypi/django-secure-js-login/: http://pypi.python.org/pypi/django-secure-js-login/
.. _https://travis-ci.org/jedie/django-secure-js-login/: https://travis-ci.org/jedie/django-secure-js-login/

-------------------------------
Used JavaScript Implementations
-------------------------------

* SHA1 - JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1

    * `http://pajhome.org.uk/crypt/md5/sha1.html <http://pajhome.org.uk/crypt/md5/sha1.html>`_

    * Implemented by Paul Johnston

    * Distributed under the BSD License

    * Stored under: `secure_js_login/static/secure_js_login/sha.js <https://github.com/jedie/django-secure-js-login/blob/master/secure_js_login/static/secure_js_login/sha.js>`_

* PBKDF2 - JavaScript implementation of Password-Based Key Derivation Function 2 as defined in RFC 2898

    * `http://anandam.name/pbkdf2/ <http://anandam.name/pbkdf2/>`_

    * Implemented by Parvez Anandam

    * Distributed under the BSD license

    * Stored under: `secure_js_login/static/secure_js_login/pbkdf2.js <https://github.com/jedie/django-secure-js-login/blob/master/secure_js_login/static/secure_js_login/pbkdf2.js>`_

-------
contact
-------

Come into the conversation, besides the github communication features:

+---------+--------------------------------------------------------+
| IRC     | #pylucid on freenode.net (Yes, the PyLucid channel...) |
+---------+--------------------------------------------------------+
| webchat | `https://webchat.freenode.net/?channels=pylucid`_      |
+---------+--------------------------------------------------------+

.. _https://webchat.freenode.net/?channels=pylucid: https://webchat.freenode.net/?channels=pylucid

