what is the advantage of your scheme over traditional public key auth?
(e.g. openssh public keys)
On 03/24/2014 07:10 PM, Edward Ned Harvey (lopser) wrote:
If you login to servers that utilize bcrypt, scrypt, pbkdf2, etc, to
salt & stretch your password for storage in a backend database, then you
are vulnerable to phishing attacks, and cross-site attacks if you repeat
passwords at different sites, and a few other vulnerabilities.
I think the internet can do better. So I created CBcrypt
https://github.com/rahvee/CBcrypt
The goal is to change the way we do authentication on the internet.
Never give your password to anyone, not even trusted sites, not even
when you're logging into them.
At present, it's too immature to be considered stable and safe for
production. It needs community review. If you know security people
and/or cryptography people, please ask them to take a look. I believe
it's all solid and sound, but hey. I just wrote it today.
Also, it's presently C# only, but the core is a wrapper around
BouncyCastle and AesManaged and SCrypt. So it should be easily portable
to java and other languages that support those standard libraries.
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
