Establish session id while first login without https...


pady...@gmail.com

Feb 1, 2008, 1:39:05 PM
to Google Web Toolkit

I am reading up on the SRP protocol and it will work for authentication
through http. But it mentions that the server has "v", the host's
password verifier. This is generated on the client side, and the
server saves it. I am not sure how this "v" can be sent securely over
http. I can use Diffie-Hellman to verify the server (I don't see why
Eve can't figure that out also, because in the case of javascript/html
the two secret variables of DH are also available because of access to
the html/javascript), but still, one time I have to send this password
verifier (which is a sha256 hash of the password with some salt)
over http.

Can I use Window.open and send this user and password verifier through
an https call, and when it is saved close the window? Or is there a way
to do this without popping up a window?

Thx

-- pady

pady...@gmail.com

Feb 1, 2008, 2:56:03 PM
to Google Web Toolkit

I am answering my own post, but I have an algorithm that I wanted some
verification on from folks, to solve the original problem: how to
establish a session id during initial login (or user setup) in a
secure way without https.

1. Client - Get user/password.
2. Client - Do RPC call and send User.
3. Server - Get User and return captcha image url and a salt.
   Save user/captcha string and salt on server (in-memory cache).
4. Client - Show captcha to user (dynamic load to same screen) and
   get the captcha string.
5. Client - Using Block TEA and sha-256, do encrypt( H(salt, password), H(U, captcha) ).
   Send this to server.
6. Server - Use H(U, captcha) as password to decrypt H(salt, password).
   This also serves as verification.
   - Send back verification if decrypt succeeds.
   - Save user, H(salt, password) on server permanently.
7. Save H(salt, password) as session id on client and server.


For authentication in future, use "counter + H ( H(salt, password) +
counter )" on client and server to authenticate.

For password change, do the same as above.


Any suggestions ?

Thx

-- pady
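The seven-step setup and the later counter-based login from the post above, worked through end to end as an added example (my code, not pady's and not GWT code). Assumptions not in the post: H(a, b) is SHA-256 over the concatenation a||b; "Block TEA" is the XXTEA variant, keyed with the first 16 bytes of H(U, captcha) and operating on little-endian 32-bit words; the "verification" of step 6 is made concrete by appending the first 8 bytes of H(verifier) to the plaintext before encryption, so the server can tell a correct captcha key from a wrong one; the counter is sent as 8 big-endian bytes; and the server accepts a counter only if it is larger than the last one it saw for that user, so a captured (counter, proof) pair cannot be replayed. The user name, password, captcha text and salt are constructed sample values.

```python
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9


def _mx(total, y, z, p, e, key):
    # XXTEA mixing function. Masking once at the end is enough because
    # + and ^ only carry information upward through the bit positions.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK32


def xxtea_encrypt(words, key):
    """Block TEA (XXTEA) over a list of n >= 2 uint32 words, key = 4 words."""
    v, n = list(words), len(words)
    rounds, total, z = 6 + 52 // n, 0, words[-1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK32
        e = (total >> 2) & 3
        for p in range(n - 1):
            v[p] = (v[p] + _mx(total, v[p + 1], z, p, e, key)) & MASK32
            z = v[p]
        v[n - 1] = (v[n - 1] + _mx(total, v[0], z, n - 1, e, key)) & MASK32
        z = v[n - 1]
    return v


def xxtea_decrypt(words, key):
    v, n = list(words), len(words)
    rounds = 6 + 52 // n
    total, y = (rounds * DELTA) & MASK32, words[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            v[p] = (v[p] - _mx(total, y, v[p - 1], p, e, key)) & MASK32
            y = v[p]
        v[0] = (v[0] - _mx(total, y, v[n - 1], 0, e, key)) & MASK32
        y = v[0]
        total = (total - DELTA) & MASK32
    return v


def _to_words(b):
    return [int.from_bytes(b[i:i + 4], "little") for i in range(0, len(b), 4)]


def _to_bytes(w):
    return b"".join(x.to_bytes(4, "little") for x in w)


def H(*parts):
    """H(a, b, ...) = SHA-256 over the concatenation (assumed reading of the post)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def _captcha_key(user, captcha):
    return _to_words(H(user.encode(), captcha.encode())[:16])  # 4 uint32 words


class Server:
    def __init__(self):
        self.pending = {}    # step 3: user -> (captcha text, salt), in-memory cache
        self.verifiers = {}  # step 6: user -> H(salt, password), kept permanently
        self.counters = {}   # last accepted counter per user (replay defence)

    def start_login(self, user, captcha):
        # Step 3. The captcha text is what the image would show; passed in here
        # so the run is deterministic. The salt is fresh per attempt.
        salt = os.urandom(16)
        self.pending[user] = (captcha, salt)
        return salt

    def finish_login(self, user, ciphertext):
        # Step 6: decrypt with H(U, captcha); the appended check value is the
        # assumed way "decrypt succeeds" is detected.
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        captcha, _salt = entry
        plain = _to_bytes(xxtea_decrypt(_to_words(ciphertext), _captcha_key(user, captcha)))
        verifier, tag = plain[:32], plain[32:]
        if not hmac.compare_digest(tag, H(verifier)[:8]):
            return False
        self.verifiers[user] = verifier   # step 7: this doubles as the session id
        self.counters[user] = 0
        return True

    def authenticate(self, user, counter, proof):
        # Later logins: "counter + H(H(salt, password) + counter)".
        verifier = self.verifiers.get(user)
        if verifier is None or counter <= self.counters.get(user, 0):
            return False  # unknown user, or a counter already seen (replay)
        expected = H(verifier, counter.to_bytes(8, "big"))
        if not hmac.compare_digest(proof, expected):
            return False
        self.counters[user] = counter
        return True


def client_setup(user, password, captcha, salt):
    # Step 5: encrypt(H(salt, password) || check, H(U, captcha)); returns the
    # ciphertext to send and the value kept as session id (step 7).
    verifier = H(salt, password.encode())
    payload = verifier + H(verifier)[:8]
    return _to_bytes(xxtea_encrypt(_to_words(payload), _captcha_key(user, captcha))), verifier


def client_proof(session, counter):
    return H(session, counter.to_bytes(8, "big"))


def run_demo():
    server = Server()
    user, password, captcha = "pady", "correct horse", "X7Q2K"  # constructed
    salt = server.start_login(user, captcha)
    ciphertext, session = client_setup(user, password, captcha, salt)
    ok_setup = server.finish_login(user, ciphertext)
    ok_auth = server.authenticate(user, 1, client_proof(session, 1))
    replayed = server.authenticate(user, 1, client_proof(session, 1))
    wrong_key = server.authenticate(user, 2, client_proof(b"\x00" * 32, 2))
    return ok_setup, ok_auth, replayed, wrong_key
```

Running `run_demo()` gives `(True, True, False, False)`: setup succeeds, the first counter login succeeds, the same (counter, proof) pair is rejected as a replay, and a proof built from the wrong session value is rejected. Two things the exchange makes visible: in step 5 the only secret standing between a passive http observer and the verifier is the captcha text, which has far less entropy than a password, and step 7 makes the session id identical to the permanently stored verifier, so whatever leaks the session leaks the credential. The monotonic counter check in `authenticate` is what the "counter" in the post has to provide; without it a captured proof would log in again.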