WebApp Sec mailing list archives
Re: Forgotten Password
From: saghar estehghari <s.estehghari () gmail com>
Date: Wed, 21 Aug 2013 10:16:30 +0200
Hi list,

Thanks for all the replies :)

@Clemens: The system is semi-trusted. This implies that we can't access the user's data while he is offline (the data is encrypted at rest). This is because the client is considered the weakest link and it is complicated for him to handle the keys securely and to do the encryption/decryption. So having this in mind, we can't be involved in any encryption and decryption related to the user's data that is saved on the server!! And that's why I proposed the solution like that (encrypting the pass with the server's key but saving it on the client side). In this case an internal attacker, who has access to the DBMS and server keys, can't decrypt the user's data (while the user is offline).

@Tudor: However, I know that my proposed solution has its own deficiencies, as if the user loses the certificate, there is no other solution for password retrieval, or as you said, if an inside attacker who has access to server keys performs a targeted attack and steals the certificate then he can decrypt the data.

So I have another idea in mind which might be less complicated and more secure than the previous one. At the registration stage we can provide the user with 3 challenge-response questions; putting all the responses together creates a string of length minimum 10 characters. Then using PBKDF2 over the responses + salt we can create a key with which we can encrypt the password (this key can be paired with our key. This means that the IT manager must be involved in this process). So at the password retrieval stage the same questions will be asked and, if correctly answered, the old pass will be retrieved and the user will be asked to choose a new password.

Any feedback will be appreciated :)

Saghar

On Wed, Aug 21, 2013 at 3:28 AM, Clemens Lode <clemens.lode () medisanaspace com> wrote:

Hi Saghar,

That depends on your risk analysis and requirements. If e.g. nobody at your company may access the encrypted data, then obviously you need to save the key at some other place. The ideal place is in the user's head. With your solution, you allow anyone with access to the person's computer (a less secure system than your servers - hopefully) access to the encrypted files on your servers.

I guess it's better to provide that security for the user on your own premises. For example with a computer mostly disconnected from any network as a backup system for keys and only offline read access. And secured by asking for additional details from the user (e.g. copy of identity card if you will).

If the user doesn't trust you, then your business concept is wrong. Because even if you don't have any keys saved on your system (in the solution you are describing), you still have the keys for decryption temporarily. Then better do all the encryption on the user's side and use the password merely for authentication.

Best regards,
Clemens

On Aug 21, 2013 2:33 AM, "saghar estehghari" <s.estehghari () gmail com> wrote:

Hi,

In the system that I'm currently working on, the users authenticate themselves using username and password. As this is kind of a secure file sharing system, each user has a key that is derived from his password and all of his data and files are encrypted using this key. Since the password is not kept clear on the database, I face a problem where the user forgets his password. So it means that if we reset the password we cannot decrypt his files anymore.

My solution to this problem was generating a certificate at the registration time that contains the encrypted password (using the server's key), and asking them to save it. So when he clicks on the "forgot password" link, the server asks him to provide the certificate. After verifying the certificate, an email with a link for resetting the password or an SMS with a secret code will be sent to the user to verify whether s/he is the legitimate user or not!

However, I'm not sure about the security of such a solution! I was wondering whether you have any better ideas or any feedback on my solution.

Thanks

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
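Added example, not part of the thread or written by any of its participants: the second proposal in the message above (PBKDF2 over the three answers plus a salt, paired with a server-held key, used to encrypt the password) in standard-library Python. The function names, the iteration count, the answer normalization and the HMAC-based cipher standing in for an AEAD such as AES-GCM are assumptions.

```python
import hashlib, hmac, os, unicodedata

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware
MIN_TOTAL_LEN = 10    # from the post: answers together are at least 10 characters

def canonical(answers):
    """Normalize the three answers and join them unambiguously."""
    parts = [unicodedata.normalize("NFKC", a).strip().casefold() for a in answers]
    if len(parts) != 3 or sum(len(p) for p in parts) < MIN_TOTAL_LEN:
        raise ValueError("need 3 answers totalling at least 10 characters")
    # Length prefixes keep ("ab", "c", ..) distinct from ("a", "bc", ..).
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)

def recovery_key(answers, salt, server_key):
    """PBKDF2 over answers + salt, then paired with the server-held key."""
    k = hashlib.pbkdf2_hmac("sha256", canonical(answers), salt, ITERATIONS)
    return hmac.new(server_key, k, hashlib.sha256).digest()

def _xor_stream(key, data):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher (assumption).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, b"enc" + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _tag(key, salt, ct):
    return hmac.new(key, b"mac" + salt + ct, hashlib.sha256).digest()

def seal(password, answers, server_key):
    """Registration: encrypt the password under the answer-derived key."""
    salt = os.urandom(16)  # fresh per blob, so each key encrypts one message
    key = recovery_key(answers, salt, server_key)
    ct = _xor_stream(key, password.encode())
    return {"salt": salt, "ct": ct, "tag": _tag(key, salt, ct)}

def recover(blob, answers, server_key):
    """Retrieval: return the old password, or None on wrong answers/tampering."""
    key = recovery_key(answers, blob["salt"], server_key)
    if not hmac.compare_digest(_tag(key, blob["salt"], blob["ct"]), blob["tag"]):
        return None
    return _xor_stream(key, blob["ct"]).decode()
```

Without the server key the blob cannot be opened even with correct answers; with it, the remaining barrier is the entropy of the three answers and the PBKDF2 work factor.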
Current thread:
- Forgotten Password saghar estehghari (Aug 20)
- Message not available
- Re: Forgotten Password saghar estehghari (Aug 21)
- Re: Forgotten Password Amol Arakh (Aug 21)
- Re: Forgotten Password saghar estehghari (Aug 21)
- Message not available