CBCrypt is designed to create deterministic asymmetrical keys on the fly. So, you don't store your private key on disk and you can log in from anywhere using your password.

This is like generating ssh keys. You never generate the keys on the server you are connecting to.

CBCrypt must be implemented client side, as the private key must be created on the client and never leave the client. That's what PKI authentication is based on.

The server side will have to have a copy of the public key that it trusts. (It received the key in some secured manner and stored it securely.) All the server needs to do is create a normal PKI challenge based on the username entered (to look up the public key).

So, unless you are trying to get CBCrypt implemented in the web browser itself, you really have no choice but to use JavaScript in a browser security context. And it better be damn fast at key creation.

If you implement CBCrypt server side, then you are passing the user's password into the server's memory in plain text. All other arguments are now moot.

On 09/20/15 15:59, Robert Hajime Lanning wrote:
We are talking websites right?  Shouldn't it be written in JavaScript?

Are people supposed to run a separate application and copy/paste the
responses into the browser?

--
Mr. Flibble
King of the Potato People
http://www.linkedin.com/in/RobertLanning
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
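
The flow described in the reply above, as an added example that is not part of the thread and is not CBCrypt's own algorithm, parameters or API: the client stretches the password into an Ed25519 key pair, the server stores only the public key and verifies a signed single-use challenge. It uses Node's `crypto` module so it runs offline; the scrypt parameters, the salt layout and the `Server` class are assumptions made for illustration.

```javascript
// Added illustration: NOT CBCrypt's actual algorithm, parameters or API.
const nodeCrypto = require('node:crypto');

// PKCS#8 DER header that wraps a raw 32-byte Ed25519 seed (RFC 8410).
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');

// Client: stretch the password into a seed, then turn the seed into a key pair.
// Salting with server and user name (an assumption) gives each site its own key.
function deriveKeyPair(username, serverName, password) {
  const salt = Buffer.from(`${serverName}\0${username}`, 'utf8');
  const seed = nodeCrypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
  const privateKey = nodeCrypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519, seed]), format: 'der', type: 'pkcs8' });
  return { privateKey, publicKey: nodeCrypto.createPublicKey(privateKey) };
}

function exportPublic(publicKey) {
  return publicKey.export({ format: 'der', type: 'spki' }).toString('base64');
}

// Client: answer a challenge; the private key exists only for this call.
function answerChallenge(username, serverName, password, nonce) {
  const { privateKey } = deriveKeyPair(username, serverName, password);
  return nodeCrypto.sign(null, Buffer.concat([Buffer.from(serverName), nonce]), privateKey);
}

// Server: holds username -> public key only, never the password.
class Server {
  constructor(name) { this.name = name; this.keys = new Map(); this.pending = new Map(); }
  enroll(username, publicKeyB64) { this.keys.set(username, publicKeyB64); }
  challenge(username) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(username, nonce);
    return nonce;
  }
  verify(username, signature) {
    const nonce = this.pending.get(username);
    const stored = this.keys.get(username);
    this.pending.delete(username); // each challenge is single-use
    if (!nonce || !stored) return false;
    const publicKey = nodeCrypto.createPublicKey({
      key: Buffer.from(stored, 'base64'), format: 'der', type: 'spki' });
    const message = Buffer.concat([Buffer.from(this.name), nonce]);
    return nodeCrypto.verify(null, message, publicKey, signature);
  }
}
```

Because the derivation is deterministic, the stored public key works as a password verifier: anyone who obtains it can test password guesses offline, so the cost of the stretching step is what protects weak passwords.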