[Cryptography] Encryption opinion
James A. Donald
jamesd at echeque.com
Sun Aug 31 23:39:05 EDT 2014

Here is how browsers and servers should work, in order to prevent MITM.

This looks like a job for the IETF. Why is it out of scope?

When the browser attempts to connect to a password protected page, the
server demands the creation of a strong transient shared secret through
a Zero Knowledge Password Protocol, and a UI is popped up from the
browser chrome, not from a server web page, to establish that shared
secret. The UI shows the "username" of the server, and the username of
the client, since the Zero Knowledge protocol is almost symmetric, both
parties having to prove knowledge of a secret passphrase associated with
the username/servername pair, without revealing the secret passphrase.

The strong transient shared secret being established from proof of
possession of a weak durable shared secret, the server calls the code
that generates the web page with a database cursor pointing at the
database record that contains the username and hash of the password that
was used to establish the shared secret.

On all subsequent interactions on the channel created by this shared
secret, the web page is generated by code that has access to this
database cursor. The shared secret will be forgotten on a timeout that
is set and reset by this code.

Again: This looks like a job for the IETF. Why is it out of scope?
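
The exchange described in the message above, sketched with SPAKE2 as one concrete password-authenticated key exchange. This is an added example, not part of the original post, which names no specific protocol. The names alice and shop.example, the blinding bases M and N, and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib, hmac, secrets
# RFC 3526 group 14: safe prime P = 2Q + 1; G = 2 generates the order-Q subgroup.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2

def H(*parts):
    # SHA-256 over length-prefixed fields, so field boundaries are unambiguous.
    fields = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"".join(len(f).to_bytes(4, "big") + f for f in fields)).digest()

def blind_base(label):
    # Constructed for this example: hash a label, then square it into the order-Q subgroup.
    return pow(int.from_bytes(hashlib.shake_256(label).digest(320), "big") % P, 2, P)
M, N = blind_base(b"example M"), blind_base(b"example N")

def verifier(user, server, passphrase):
    # The value in the server's database record: a stretched hash bound to the name pair.
    d = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), H(user, server), 100_000, dklen=40)
    return int.from_bytes(d, "big") % Q

def start(w, own_base):
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P) * pow(own_base, w, P) % P  # DH share blinded by own_base^w

def finish(w, x, peer_msg, peer_base, transcript):
    if pow(peer_msg, Q, P) != 1:
        raise ValueError("peer message is not in the order-Q subgroup")
    k = pow(peer_msg * pow(peer_base, Q - w, P) % P, x, P)  # unblind, then Diffie-Hellman
    secret = H(*transcript, k, w)
    return H(b"client", secret), H(b"server", secret), H(b"channel", secret)

def login(typed_passphrase, server_record, user="alice", server="shop.example"):
    w = verifier(user, server, typed_passphrase)   # computed in browser chrome
    x, T = start(w, M)                             # client -> server
    y, S = start(server_record, N)                 # server -> client
    ts = (user, server, T, S)
    c = finish(w, x, S, N, ts)                     # client's (client_tag, server_tag, key)
    s = finish(server_record, y, T, M, ts)         # server's view of the same three values
    server_accepts = hmac.compare_digest(c[0], s[0])  # server checks the tag the client sent
    client_accepts = hmac.compare_digest(s[1], c[1])  # client checks the tag the server sent
    return client_accepts, server_accepts, c[2], s[2]
```

Neither message on the wire lets an eavesdropper test passphrase guesses offline, and a wrong passphrase on either side makes both confirmation tags fail. In SPAKE2 the stored verifier is password-equivalent, so a stolen database record is enough to log in; augmented PAKEs exist to narrow that exposure.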