basic auth sends passwords in cleartext. we had an earlier discussion
about this at http://groups.google.com/group/javarosa-developers/browse_thread/thread/d7972bcc4719d9fb
yaw
> As others have responded, the key problem with BasicAuth is that there are numerous points where wireless eavesdroppers could listen to your data transmissions (e.g., unsecured wireless hotspots, physically non-secure networks). Since many people lack the knowledge, skill or physical environments to secure their networks, if we support BasicAuth, we should then require all authenticated communications be sent via HTTPS. That is what we are attempting to avoid by requiring DigestAuth.
I totally agree! Maybe my wording should be; HTTPS is required.
Btw, how would you secure the transmissions of the collected data via
DigestAuth?
Jonny
> Using HTTPS is definitely recommend (and required depending on your legal
> environment).
Sounds great!
>However, encrypted the payload beyond what https does is arguably not making it any more secure if you are going to store that payload on disk or in a database in an unencrypted format.
I thought this API discussion was about authentication (and
transmission of data) and not about storage. Is this off-topic or is
it something we should consider?
> Sending the password in plain text over https is less secure because you typically do not store the plain text password anywhere in the system.
The above statement is also about storage. But I am curious to know
who stores passwords as plain text?
For example, in OpenXdata all user passwords are stored as SHA1 hash
including a random salt, we never store the password as clear text.
Jonny
Yaw,
Unfortunately digest *requires* that the raw user credentials in order
to build the hash. For projects that are only storing one way hashes,
this requires they subvert all that.
Jonny: You are correct that you can store the hash, but you'll have to generate and store it for every realm for every user. If you add a realm or change the name and wish to authenticate an existing user, you will require the username and password again to generate and store the new hashes. So, in general, you need the raw credentials on the server if you don't want to require strange work flows on users and administrators.
> Using HTTPS is definitely recommend (and required depending on your legalSounds great!
> environment).
I thought this API discussion was about authentication (and
>However, encrypted the payload beyond what https does is arguably not making it any more secure if you are going to store that payload on disk or in a database in an unencrypted format.
transmission of data) and not about storage. Is this off-topic or is
it something we should consider?
The above statement is also about storage. But I am curious to know
> Sending the password in plain text over https is less secure because you typically do not store the plain text password anywhere in the system.
who stores passwords as plain text?
For example, in OpenXdata all user passwords are stored as SHA1 hash
including a random salt, we never store the password as clear text.
realm A string to be displayed to users so they know which username and password to use. This string should contain at least the name of the host performing the authentication and might additionally indicate the collection of users who might have access. An example might be "register...@gotham.news.com".Section 4.x of the spec outline security concerns with the authentication mechanism, and don't imply any required implementation. The point of that section is that a file containing all data for a given realm would compromise access to that realm. That the A1 hash includes the realm as part of the hash, so it limits the compromise to just that realm.
Clayton: From http://tools.ietf.org/html/rfc2617#section-4.13 it seems that realm is intended for limiting the scope of vulnerability when password files are compromised.
I didn't raise this up to argue about digest vs. another scheme. I am more concerned that the implementation can be mapped onto common application architectures.
It is very common to want to manage user credentials per user (as opposed to the combination user and realm) and membership in a service orthogonally. If this scheme requires significant effort to implement on such systems and you require it for compliance, I'm skeptical it will be adopted.
> Digest authentication is readily available on ~all server environments, and
> JavaRosa contains an implementation for J2ME clients which took about a day
> to write (it is extraordinarily rare for a platform to not support digest
> auth with a simple library, j2me is very much the exception).
Supporting digest on the OpenXdata server would force us to make major changes.
I don't know what changes OpenMRS, DHIS and different LDAP servers
etc. are forced to do if they choose to adopt the current OpenRosa
Authentication API.
My main concern is that we will get less OpenRosa compliant servers
(and maybe clients) if we push this API though.
Jonny
> Digest authentication is readily available on ~all server environments, and
> JavaRosa contains an implementation for J2ME clients which took about a day
> to write (it is extraordinarily rare for a platform to not support digest
> auth with a simple library, j2me is very much the exception).
Supporting digest on the OpenXdata server would pose a big impact.
I don't know about what impact OpenMRS, DHIS and different LDAP
servers etc. would implement this on their servers.
My main concern is that we will get less OpenRosa compliant clients
and servers if we force them to make big changes in their system.
OpenRosa 1.0 more advanced than needed.
Jonny
Minor issues for OpenXdata server:
* Maintaining an extra authentication scheme.
Major "specification lock-in" problems:
Digest dictate how we store users passwords and that makes it harder
to share login with other 3rd party systems.
* What LDAP servers support or will support the OpenRosa Authentication API?
* What if OpenXdata users are stored in another appliaction (ex;
OpenMRS or DHIS)?
in contrast, OpenRosa with basic authentication would just be another
view/client on top of OpenXdata server.
Jonny
I'm not really affiliated with openROSA, as of now, and I've only briefly read through the discussions, but thought I'd share some thoughts from a DHIS perspective (or maybe more accurately from my own perspective, working on dhis and mobile :).
Johnny wrote:
> Major "specification lock-in" problems:
> Digest dictate how we store users passwords and that makes it harder
> to share login with other 3rd party systems.
> * What LDAP servers support or will support the OpenRosa Authentication API?
> * What if OpenXdata users are stored in another appliaction (ex;
> OpenMRS or DHIS)?
As http digest incorporates the *web* server realm, it is not practically possible to use any form of centralized user management (LDAP/AD) on the server side with this mechanism. You will quickly be forced to have a separate user db for the single app (if security policies allow you), giving better "technical" security than with basic, but at the cost of worse security at a higher level (and you'll find that in "enterprise" environments you might have to follow their security policies rather than a spec like this).
On the other hand, I'm not convinced that a little security over the wire really is that much better than not hashing the passwords on the server side (which digest effectively makes impossible - you can have a static realm and store the user:realm:pass hash, but then what you store is effectively the secret needed to log in to the server with digest, anyway).
The only way to really move further with security is to implement third-party authentication mechanisms (OAuth, SAML), and in time effort could probably be put into that also for mobile clients (and maybe by allowing some kind of way to additionally allow better auth mechanisms in the spec?).
But for now, I really don't see the point in ruling out basic auth. It is really easy for a client to support basic if it already supports digest, it is not necessarily possible for a server to support digest. I think a spec like this should maximize interoperability, not so much force security on implementations.
At least, I am pretty sure I won't be able to make existing implementations of DHIS reinitialize all their users, even if I could convince the developers of changing the auth mechanisms. And I certainly won't be able to make big organizations change their infrastructure and policies to follow this spec (read centralized user db). So I think from a dhis point of view, we would have to choose to be non-compliant, as it is now.
My 2 paisa (hope I don't step on anyones toes :)
Jo
> Thanks for the good feedback, its a helpful perspective. I think we may want to implement more standards in the future such as OAuth or SAML, and agree a registry based user id scheme is ideal, but I don't know that the mobile teams have the time to do so now. My argument against basic auth, which could be flawed, is that its difficult to make HIPAA compliant so likely a non-starter for any project seeking to work in the US. Many hardened server deployments log every web access, the web log would contain exposed user passwords. How do you get around this today on DHIS if you allow basic auth?
We don't really have that kind of deployment, so it would be kind of hypothetical. I don't know anything about HIPAA, either, but I guess the obvious answer is third party authentication :)
> Also, you can implement this transparently if you are allow users to valid in plain text today, because you can create the hash on the fly for users over some period of days (say 90). And, if they didn't sign on during that period, you would have to request they input the password twice in a row, one time (which they are going to have to do anyways since they almost definitely forgot the password if they haven't logged in for 3 months).
Yes, good point, that would be possible for existing implementations. It wouldn't change the problems with central user management (or that the stored key would be the secret needed for authentication).
> So, this is not saying OpenRosa won't support OAuth or SAML in the future, but that we are trying to make an incremental step in the right direction.
Fair enough, I just think that choosing digest can make migration/coexistence with these other solutions more difficult.
> All that said, I do think that some servers may not choose to not to implement OpenRosa compliant specs for a variety of reasons; if I may inquire further, are you saying that DHIS would try to become OpenRosa 1.0 if Basic was an available option (including implementing the 5 other APIs as well) but not if Digest is required?
I must admit that I haven't really thought about it much and don't know if other DHIS people have. I'm kinda new to the mobile side of things, so haven't looked too closely at the openROSA specs either. We will focus a lot more on mobile clients in the time ahead, though, and I would hope we can collaborate and avoid reinventing wheels as much as possible. But I think we still are at a stage where we need to move fast and have to focus on getting implementations deployed, first. We're also very much focussed on resource-constrained settings, so I'm not sure if the fit is all that great (?)
All in all, I wouldn't bet on us having capacity to implement something like this just yet :) Will try to bring it up for discussion, though.
Anyway, I just thought maybe letting the server decide between basic auth (over ssl), digest or both, wouldn't be a huge dent in the spec, and shouldn't add much complexity to clients (since basic after all is much simpler than digest). But I'll leave the decision to you guys :)
Jo
Hi,Please have a look at the Auth API doc and see if there are last minute issues you would like to discuss before the API gets put to a vote. In approx. 48 hours I'll be putting the API to a vote (procedure detailed here: http://groups.google.com/group/openrosa-workgroup/web/workgroup-procedures ) if there aren't any major issues.Cheers!Anton
Den 3. okt. 2010 kl. 12:02 skrev Mitch Sundt <msu...@cs.washington.edu>:
> As Clayton has already pointed out, with DigestAuth (RFC 2617), the plaintext password does not need to be stored or known on the server -- what is required is the ability for the server to determine the MD5 hash:
>
> MD5( username ":" realm ":" passwd )
>
> The availability of this hash (where the passwd salt is a prefix of "username:realm:") is equivalent to the availability of the hash from the "modern way of securing passwords." It just specifies a specific salt and hash function.
>
> This hash is the A1 value in RFC 2617.
Actually A1 *is* the secret needed to login to the server, and storing this *is* equivalent to storing the plaintext password when digest auth is offered.
Otherwise I agree :)
Jo
Hi Samson,
One concern with OpenID or SAML is that it has a number of redirects and is rather chatty. See the communications diagram in http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language If you're working over a low-data-rate connection, or if the identity provider is not co-located with the server you are accessing and there are network connectivity issues, this could be an issue. Keep in mind that smaller communities in Africa are a key region we want to support with the OpenRosa standards. Those communities may have lower-reliability networks and intermittent or non-existent non-local connectivity. For cellular phone communications, there is also the increased expense if you are paying for bandwidth to your phone.
To re-iterate -- the OpenRosa authentication standard *is* following an IETF standard -- RFC 2617 -- but where OpenRosa spells out additional minimal implementation requirements so that every *minimal implementation* will overlap in a well defined subset of that larger standard -- so that minimal implementations can be guaranteed to inter-operate.
- I do think there are valid issues with how Digest Auth integrates and plays with LDAP or other authentication infrastructures.
- I don't think security improves by sending plaintext passwords (Basic Auth) over a TLS/HTTPS pipe, through the server, and to the authentication infrastructure. These servers may not be physically secured, they likely won't have security-aware people running them, and there is always the risk of logging functions within the server inadvertently recording credentials.
- I don't think every communication to and from the phone should be required to be sent through a TLS/HTTPS pipe -- something that using Basic Auth over TLS/HTTPS would require.
RFC 2617 doesn't provide a way to authenticate the server short of verifying the digest value of the entire response. The OpenRosa authentication standard doesn't preclude the server sending this response digest and it doesn't preclude the device verifying this if it is present. It isn't in the minimal implementation because that would require it be sent on every response and that the device verify its value when processing each response. The minimal implementation must support a qop of "auth", which would utilize a cnonce on the device. The cnonce itself is not intrinsic to server authentication, just like a response digest value isn't, but they both are a prerequisite for server authentication only because of the way RFC 2617 was structured.
-----------
As Clayton has already pointed out, with DigestAuth (RFC 2617), the plaintext password does not need to be stored or known on the server -- what is required is the ability for the server to determine the MD5 hash:
MD5( username ":" realm ":" passwd )
The availability of this hash (where the passwd salt is a prefix of "username:realm:") is equivalent to the availability of the hash from the "modern way of securing passwords." It just specifies a specific salt and hash function.
This hash is the A1 value in RFC 2617. Everything else in that specification is there to provide changing salts on the wire from the server and client side so that eavesdroppers cannot guess this fixed hash by looking at the values flowing over the airwaves/wire.
Hope that helps.
Mitch
mitch and clayton will start spelling out the technical details, but
now is the time to start offering your feedback!
1) what is the impact of this on a smart phone cpu, low bandwidth connection -- the setup of the pipe would incur a 6k - 10k overhead for session establishment.
2) are there impacts w.r.t. any regulatory (HIPAA) or other privacy regulations?