> On 09/01/2015 at 12.28, Alon Muroch <alonmur...@gmail.com> wrote:
>
> Hey everyone, I've been thinking of implementing the following custom
> authentication scheme:
>
> • User generates a public and private key pair
> • When creating a new user, the user name is as usual but the password
>   is the public key (in clear hex)
> • For login:
>   • the user asks the server to generate a challenge string
>   • the user signs the challenge string and passes it to the server
>   • the user is considered logged in if the returned signed challenge
>     can be verified by the server.
>
> How I propose to do that: the user sends a GET request to the server, which
> returns a randomly generated challenge and saves it in relation to the
> requesting user. The user then sends a login request, with the difference
> that the password param is the signed challenge.
>
> Problems with what I propose: how do I verify that whoever requests to
> generate the challenge is the actual user?
This looks an awful lot like TLS Client Authentication (http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake). If you're serious about authenticating your clients, I'd suggest looking at that instead of rolling your own. Most browsers can handle the client certificate securely and automatically; the support is well-tested, and there are tools for key management, certificate revocation etc.

Erik
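The challenge-response flow from the quoted message, as an added example that is not code from either poster: an in-memory server that stores the hex public key sent as the "password", hands out a random challenge per user name, and logs the user in only when the signature over that challenge verifies. It assumes Ed25519 keys, hex encoding and a 2-minute challenge lifetime, none of which the thread specifies; it also shows why the challenge endpoint needs no authentication: the nonce is not a secret, it is bound to the user name, deleted on first use and short-lived.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"time"
)

// Server keeps each user's public key (the hex "password" from sign-up) and one live challenge per user. No locking: demo only.
type Server struct {
	users  map[string]ed25519.PublicKey
	nonces map[string][]byte    // outstanding challenge, deleted on first use
	expiry map[string]time.Time // challenge deadline
}
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}, map[string]time.Time{}} }
// Register stores the public key given hex-encoded in the password field.
func (s *Server) Register(user, pubHex string) (err error) {
	s.users[user], err = hex.DecodeString(pubHex)
	return err
}
// Challenge is the GET step. The requester need not be authenticated: the nonce
// is not secret, and it is bound to the user name, single-use and short-lived.
func (s *Server) Challenge(user string) (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	s.nonces[user], s.expiry[user] = nonce, time.Now().Add(2*time.Minute)
	return hex.EncodeToString(nonce), nil
}
// toSign binds the nonce to the account so a signature cannot serve another user.
func toSign(user string, nonce []byte) []byte { return append([]byte("login:"+user+":"), nonce...) }
// Login is the second request, with the hex signature in the password param.
// The challenge is deleted before verifying, so a replayed signature fails.
func (s *Server) Login(user, sigHex string) bool {
	nonce, ok := s.nonces[user]
	delete(s.nonces, user)
	pub := s.users[user] // nil for unknown users, so the length check fails
	if !ok || len(pub) != ed25519.PublicKeySize || time.Now().After(s.expiry[user]) {
		return false
	}
	sig, err := hex.DecodeString(sigHex)
	return err == nil && ed25519.Verify(pub, toSign(user, nonce), sig)
}
// Sign is the client side: prove possession of the private key for this challenge.
func Sign(priv ed25519.PrivateKey, user, challengeHex string) string {
	nonce, _ := hex.DecodeString(challengeHex)
	return hex.EncodeToString(ed25519.Sign(priv, toSign(user, nonce)))
}
```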